To Allow or Not Allow E-Mail Attachments?
t0pper311 asks: "I work for a pretty large utility company in the midwest and of course, security is a big concern. We use Trend Micro as a mail gateway to basically scan for virii and strip off most attachments like executables or VB script. Now with the Sobig.E virus on the loose, we need to ask ourselves if we should be blocking ZIP files. We got lucky this time and were not effected, but what about next time? What are other companies doing? If you do block ZIP files, how do you give the people who need to sends files the ability to do so? Do you allow any attachments at all?"
Don't let them use email at all. That'll stop any viruses and you'll have done your job
fp
Pretty simple really.
Given that most users love to download crap via Hotmail etc., let's hope you have a virus scanner on their PC too.
The plural of "virus" is "viruses."
You mean "affected," not "effected."
Why do you make so many accommodations for the failures of the OS? Isn't the OS supposed to work for you, instead of you working for it? How many features do you have to shut off before it's not worth the considerable cash you paid for it?
--
$tar -xvf
I think if people insist on running software that is vulnerable to these kinds of attacks then yes, you do need to stop these people using attachments completely.
If we do need to send files to each other as part of our business then surely that's a major feature that our application environment needs. If our chosen solution doesn't let us do that without an enormous amount of hassle and risk, then maybe it's time to make other tradeoffs and choose a client that does.
And if we have to choose between an email client with nice scheduling/calendaring and one that lets us receive file attachments safely, then that's a *decision* that must be made based on business needs. Which is more important to your task? Is there a way to have both? Will we accept the risk and hassle of virii to get nice calendaring, or will we use clumsier calendaring and have safe file attachments?
Only when people start making these conscious decisions en masse will we start seeing applications (including OS/hardware/whatever) that provide all the features we need to do our jobs.
The current climate of "how do we shore up the inadequacies of our chosen software?" isn't helping things improve.
Nice calendaring *or* safe file attachments. Choose. If someone offers a product that does both, cool. We all win.
- Muggins the Mad
Would one have to block zip files? Just scan the contents of the zip files for the virus, all of which have been stuff like .pif or other Windows-ish things.
You could just let everyone catch every virus going for a few months, then offer them a real computer that doesn't get viruses. I wonder how many people would get the message.
I think that if a user opens an attachment from a random source, that came with no explanation, with a funky name like the ones in the write-up (see article link), then that's their own fault.
Filtering out legitimate attachments is not very good policy to protect against virii. You'd be -much- better off spending a few minutes educating employees in a "Virus Prevention" seminar or something. Show them that opening emails like that is not intelligent, and that way, it's not as much of a problem.
10 years ago, on BBSs (bulletin board systems), every time someone uploaded something, the system automatically unpacked the { zip | rar | arj } in a temp directory. Then the contents of the archive were automatically checked for virii with *MANY* anti-virus programs like McAfee, F-Prot and MSAV (if the BBS was DOS-based). If the archive passed the test, it was made available to download by other users. Then, the temp directory was cleaned.
Get a better scanner. I can't recommend Sybari's Antigen enough. It uses multiple virus scanner engines and has great filter support. It also opens up archive files and scans inside of them.
We use Symantec for Microsoft Exchange. It'll scan and clean files within zip files. SoBig.E has not been a problem for us (aside from the fact that we're running MS Exchange, of course).
;-p
That said, I was surprised to find one of the largest employers in MA doesn't have *any* AV protection on their Exchange servers, and had quite a bit of downtime as a result. So I guess AV on mail servers isn't as commonsensical as I thought...
Running Exchange is bad enough, but do-able. To run Exchange *without* decent, up-to-date AV software is just incompetent.
IMHO, email is not a file transfer medium; sure you can send little things with it, but it's just not useful for any real kinds of file transfer.
Personally, I think you should set up an FTP that is open anonymously to everybody in your company, and then disable attachments so that people have to upload to the ftp, then email the link around.
What if you choose to block email attachments completely? Could you set up a repository on a computer? Have people drop attachments there, and as they finish their uploads scan them for viruses before making them visible for people to download. People could log in with their email addresses (on your side), and there could be guest accounts generated for people on the outside to get files in and out.
the guest accounts could expire after a time frame, or a number of uses, or whatever.
Altp.
This is an important point. Why should running an executable be dangerous at all? Is it really that difficult to set up a sandbox (a la the JVM) for users to run untrusted executables in? There may be some more hassle involved, but it could be implemented fairly transparently.
Don't knock HTML email. It makes my life easier, since I
You just make yourself sound like a retard when you write "virii". Like people who say "nucular" instead of nuclear and "Legos" instead of "Lego".
The plural of a "Lego block" is "Lego blocks". Saying the plural of "Lego block" is "Lego" is like saying the plural of "Ford car" is "Ford."
Bah.
Slashdot is jumping the shark. I'm just driving the boat.
From memory, MailScanner (ours uses the F-Secure engine) looks inside zip files. No biggy.
While you may have been lucky and escaped the Sobig.E virus, unfortunately it appears that you have been infected with the 'affective disorder' virus.
This cunning virus sniffs all your outgoing email and replaces 'affect' with 'effect' and vice versa. So while we know that you wrote "We got lucky this time and were not affected...", this malicious virus made it appear on slashdot as though you are 'affectively disordered'.
This is not a hard thing to do at all. I assume you are using ScanMail. This applies to ScanMail 6, but I recall from memory that older versions were basically the same. Open up the ScanMail Management console. Click the 'Virus Scan' tab and then 'options'. Now, on the right, click the 'settings' button for 'advanced options'. Check the box 'Enable Compressed Attachment Scanning'. Have a nice day. -Tom
You should make sure that your bounce messages go to the right place. I've received countless messages informing me that my attachment was stripped because it contains the Sobig virus. The second thing you should do is to make sure that the full headers of the message get inserted into your bounce.
The funny thing is that I run only Linux on my domain, and I never e-mailed those people anything. It's very unlikely that Sobig can run on Linux. And I can't do anything about it because I don't have any headers to track down the source of the mails. Nobody's answered my requests for them either.
If tits were wings it'd be flying around.
Your fucking userii should not be clicking on the attachmentii if they don't know what programii is going to run on their computerii.
Here's what I did with postfix. In my main.cf I created a line that says
body_checks = pcre:/etc/postfix/extensions
then created a file called extensions that looks like this:
/^(Content-(Type|Disposition):.*|\s*(file)?)name=("[^"]*|\S*)\.(ade|adp|bas|shm|cmd|com|dll|hlp|js|jse|exe|com|chm|hta|jse|reg|shb|shs|vbe|vbs|vxd|scr|pif|bat|lnk|dll|vbs|js|mp*)\b/ REJECT
/^(Content-(Type|Disposition):.*|\s*(file)?)name=(\S*your_details)\.(zip)\b/ REJECT
The first line (yes, it's all one line) blocks all executable files from entering the server. The second line blocks the only version of Sobig that we received. Actually we received 2 modifications... one attachment was called your_details.zip, and the other was 'your_details.zip the ', which allowed it to get around the filter, hence the wildcard.
The key is to inform your users over and over not to open things from people they don't know or aren't expecting. If you start blocking zips you might as well block all attachments.
/* oops I accidentally made a comment, sorry */
This, and similar issues, have cropped up at a few of our customer sites over the years. There are situations where bringing in documents/zip files/spreadsheets/etc. is an essential part of making an organisation function.
Whilst you can implement technical countermeasures to reduce your security risk somewhat, such as installing virus checkers that are able to unzip/unarj/unrar, keeping virus signature definitions up to date, quarantining incoming attachments, etc., you really need to compare your security risk profile with the business risk associated with NOT receiving these attachments.
This would normally be the function of your organisational risk assessment - it would compare the likely harm of virus infection, against the loss of capability as a result of not receiving the documents/zip files in question.
Which way you go really depends on the threat/risk/harm/countermeasure equation, which is unique to your organisation. However, a quick 'cheat' check:
* How badly is it going to hurt your organisation overall, if attachments don't come in?
* Do you have the resources to quickly clean up a virus attack if one makes it through?
- If you're a small organisation, with adequate IT staff numbers, and receiving attachments is pretty essential to your normal business... it's probably worth allowing things through.
- If your IT staff numbers are limited such that a virus attack would be a major cleanup effort, or attachments aren't all that critical, then block them, or quarantine them by redirecting them to technically literate help-desk users (who can forward them internally after checking them out).
However, make sure that you make it relatively painless for users to get their files. If you're really anal about things, they'll just open up a hotmail/yahoo/whatever account, ask people to send attachments there instead, and download just like a normal web link.
Red.
Amen.
..."loose" when they mean "lose". My pet hate. Grr.
You just make yourself sound like a retard when you write "virii". Like people who say...
Here's a simple solution used by a number of organisations down here in New Zealand.
If an email with a forbidden attachment type is received, bounce it back to the sender with a "Sorry, no go" message UNLESS it has a matching flag in the subject line.
So, to send a friend of mine a picture, I need to include [JPG] in the subject line, else it will bounce.
Simple, easy, and proof against viri because YOU choose the flag.
In your case, set it up to require [FUBAR] in the subject line to let a zip file through.
Sorry though, I don't know the software package they use.
Forming the plural always depends on the language in which you are using the word.
The default plural form for native English speakers is adding an "s" to the end of the word.
Some Latinophiles might insist on using the correct Latin plural form in the English language. I don't know about the English language, but it is très chic to use those archaic Latin or Greek plural forms in German (like "Atlanten" as the plural for "Atlas" instead of the German form "Atlasse").
However, virus is a widespread word of Latin origin that is today used in a very different context. Originally meaning "disease", it is nowadays used to describe disease-causing agents (the viruses in the biological/medical field) and "computer-disease-causing" agents (the viruses in the IT field). This shows that it has little in common with the original word and might thus be regarded as an English word. So it is safe and OK to say "viruses".
For an interesting read I'd recommend Steven Pinker's Words and Rules.
We use RenAttach and I added ZIP files to its list of 'bad' files last week as a precaution.
If you aren't familiar with it, RenAttach processes each email and compares the file extension of each email attachment against a list of "bad" extensions you've configured. Any files with bad extensions are renamed: "yourfile.exe" becomes "yourfile_exe.xxx".
This prevents auto-running executable viruses from damaging anything, but still leaves the user in control so they can exchange data. This would not work in some shops where security procedures require that users be treated with suspicion, but for my situation, it's perfect.
It can also run in 'good' mode where it renames everything EXCEPT the extensions of the good list.
"Lawyers are for sucks."
- Doug McKenzie
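An added illustration (not code from Postfix, RenAttach or anyone in this thread) of the two attachment-name policies posted above: the body_checks reject list and the RenAttach rename-to-.xxx approach, applied to a constructed message. The reject list and the your_details.zip pattern are copied from the Postfix post; the "good" list used for RenAttach's good mode is an assumption.

```python
"""Attachment-name policy: Postfix body_checks style reject list and
RenAttach style rename. Added example; lists copied from the thread."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the body_checks rule in the thread rejects outright.
REJECT_EXT = {
    "ade", "adp", "bas", "shm", "cmd", "com", "dll", "hlp", "js", "jse",
    "exe", "chm", "hta", "reg", "shb", "shs", "vbe", "vbs", "vxd", "scr",
    "pif", "bat", "lnk",
}
# The thread's second rule: \S* in front because the variant named
# "your_details.zip the " slipped past an exact match on the filename.
SOBIG_NAME = re.compile(r"\S*your_details\.zip\b", re.IGNORECASE)
# RenAttach "good" mode allow list (assumption for this example).
GOOD_EXT = {"txt", "pdf", "jpg", "png"}


def extension(name: str) -> str:
    """Extension as Windows sees it: the text after the last dot."""
    name = name.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def should_reject(name: str) -> bool:
    """Verdict of the two body_checks rules on one attachment filename."""
    return extension(name) in REJECT_EXT or bool(SOBIG_NAME.search(name))


def renattach(name: str, mode: str = "bad") -> str:
    """RenAttach style rename: "yourfile.exe" becomes "yourfile_exe.xxx".
    mode "bad" renames listed extensions, mode "good" renames all others."""
    ext = extension(name)
    rename = ext in REJECT_EXT if mode == "bad" else ext not in GOOD_EXT
    if not ext or not rename:
        return name
    stem = name.strip()[: -(len(ext) + 1)]
    return f"{stem}_{ext}.xxx"


def scan_message(raw: bytes, mode: str = "reject") -> list[tuple[str, str]]:
    """Walk the parsed MIME tree (body_checks itself only sees raw header
    lines) and return (filename, action) for every attachment: REJECT/PASS
    in reject mode, or the filename that would be delivered in rename modes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if mode == "reject":
            results.append((name, "REJECT" if should_reject(name) else "PASS"))
        else:
            results.append((name, renattach(name, mode)))
    return results


def build_sample() -> bytes:
    """Constructed message carrying the attachment names discussed above."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "you@example.test"
    msg["Subject"] = "Re: Your details"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="your_details.zip the ")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, action in scan_message(build_sample()):
        print(f"reject mode: {name!r} -> {action}")
    for name, delivered in scan_message(build_sample(), mode="bad"):
        print(f"rename mode: {name!r} -> {delivered!r}")
```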
Sobig.E came out before the virus scanners had signature updates. When viruses spread so fast these days about all you can do is push your email through MessageLabs who have never let a virus through to a customer due to their custom AV scanner which uses heuristics instead of signatures.
Your point about not relying on any one point of access is well taken though - all entry points need to be protected in one way or another.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I've set up mailing lists which contain large numbers of non-expert users so I set an automated rejection + message of anything with incoming attachments. This not only stops the MSTDs dead, but also makes the size of the archive smaller, and allows the archive to be fully searchable. From the user side, it eliminates crowded inboxes (many web-mail clients have small limits) and, for the novices, it eliminates the problem of incompatible file formats, i.e. which program and which version of that program.
If a binary file does need to be transferred, then that's what HTTP, WebDAV, and other services excel at.
Plain text - it was good enough for Shakespeare
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I communicate with a major broadcaster, which is therefore a fairly high profile target for politically motivated hackers as well as mindless viruses. They have a flat no-attachments policy. If I want to send them a binary, I have to put it up on our website, then certain technically qualified people are permitted to download from the web. But the default applied to the majority of the people is no attachments - full stop. I can't even send them zipped text or pdf.
Consciousness is an illusion caused by an excess of self consciousness.
If the attachments can be reasonably assumed not to be work-related, don't let them in.
I worked at a security-conscious place a few years ago. Executables, zip files and the like were stripped off incoming mail.
-- Slashdot: When Public Access TV Says "No"
The Lego Group themselves stated once in their literature (and I remember seeing it once in an official FAQ on their web site) that the correct collective noun is "Lego", not "Legos". As the trademark owners they're surely entitled to have the final say on that matter.
Morons. Plural of virus is VIRUSES.
http://www.perl.com/language/misc/virus.html
That is true. At one company I worked at (with several thousand employees) there was a virus outbreak every one or two weeks on the corporate network.
This reduced to once or twice per year after they blocked off Hotmail, Yahoo Mail, Lycos Mail, ICQ, AIM, etc. And really, if you are smart enough to get around this and use a small webmail provider then you're smart enough not to download a virus as well.
If you're on a network where someone (other than you) gets an alert if your virus scanner detects something, *do not* download that file because it is identified as a 'zipcrash' trojan.
I work at a financial firm. All attachments are pulled out of the messages by the firewall software they use and put in quarantine. The recipient receives the message, sans attachments, along with an explanatory note that if they need the attachments they need to send a message to the keeper of the mail system with a business reason why they need those attachments. Those people will then send them the actual attachments.
Our company was vulnerable when Sobig first came out. I got the first e-mail into the company and noticed it was a virus and that it had gotten through our defenses, so I went and downloaded the latest dat file for anti-virus for Exchange and that particular zip was then getting quarantined. We can't block zips in our company because that is the only alternative to letting our users send exe's and other file extensions that are blocked.
Seems it also replaces "viruses" with "virii"....
(C'mon, "viri" I can understand, but who's the knucklehead that thought up "virii", and why does this spurious plural spread as if it were itself a virus?)
Ooh, moderator points! Five more idjits go to Minus One Hell!
RIAA, MPAA and Windoze must be destroyed
Hotmail attachments are automatically scanned via McAfee.
Here's what we do:
1. Use Symantec Antivirus for SMTP Gateways 3.1. Blocks spam by subject, sender, multiple RBLs and heuristic antispam and has whitelist support. Scans for viruses, and attachments can be deleted by filename with wildcards. I block anything that is executable in a Windows environment (since we use Windows, Exchange and Outlook -- no flames, please). Any file deleted gets a .txt file added to the message stating that <filename> is not allowed for security reasons. This means that anyone who needs to send a .exe, .cmd, .bat, .vb?, .cpl, .dll, or a number of others must first call so I can temporarily disable the deletion.
2. Use another company's antivirus on the mail servers. We use Sybari with multiple scan engines. This saved us this past week when the new FortNight.E managed to get past SAV for SMTP because it didn't detect it yet and it was essentially a script embedded in an html. (I'd love to strip them, too, but too many legitimate emails come through as html.) Sybari caught it after Symantec missed it.
3. Use another antivirus package for clients and servers. We use SAV Corporate edition with a master server setup so that one server d/l's updates from Symantec nightly or when I force it. Each remote location's server d/l's from that server nightly or when I force it. Each workstation d/l's from their location's server every 4 hours.
Since starting this practice, we've had a total of 2 viruses make it into our network. One was on a laptop that, for some strange reason never got antivirus installed and it was infected at the user's home. The virus never got further than that, but it took a while to discover where the virus alerts were coming from when it attempted to infect other machines. The other one had a corrupt install of the desktop antivirus and the end user didn't let us know that something didn't look right on his client. He then fell for the e-card virus (Go to this URL to download the greeting card X sent you.). Again, never got further than this one workstation. This is all the infections we've seen in over 2 years. Not bad for a 1500 user network.
But why is the rum gone?
Simple, only allow password protected ZIP files. Won't solve all of your problems, but it will still allow your users to receive needed files.
Luck
Mick
I have a very small mind and must live with it.
-- E. Dijkstra
The plural of Ford cars is a crash....
Evolution of Language Through The Ages: 6000 BC : ungh, grrf, booga 2000 AD : grep, awk, sed
I don't normally get attachments as zips but I have had to once or twice. If our company blocked zip files I would have never been able to debug the zipped core file one of our clients sent to me.
I think the real solution is maybe to use a 'quarantine' system, where attachments can be held instead of blocked. Also make sure that you have a virus scanner on EVERY PC on your network. The virus scanner we use does auto update, I think it is McAfee, and it can be administered remotely and update everyone's machine and schedule scans on their machines as well. It works pretty well.
Only 'flamers' flame!
Does slashdot hate my posts?
That'll really cut down on your virus problems.
OS Software is like love: The best way to make it grow is to give it away.
How did you make that file? I'm mostly confused as to how you convinced WinRAR that a small rar has multiple 4GB files inside it. I'm sure it's something obvious but please explain anyway.
[Fuck Beta]
o0t!
...that no one uploaded a zip bomb. For the uninitiated, that's where you make a huge file or series of files containing nothing but a single character (e.g. a null character) repeated millions/billions of times over and then compressed. Since such perfectly repetitive data compresses so well, it's easy to upload the resulting small file (on the order of a few dozen kilobytes) and wait for the server to get thrown off unzipping it.
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
Digital signatures verify the authenticity of the email, but come in as an attachment. Stripping these off is counter to your intent, maintaining security.
Can You Say Linux? I Knew That You Could.
Surely attachments are part of some RFC somewhere, and blocking them is RFC incompatible - though I guess blocking spam would be...
Anyway, we outsource some of our work - and so we need to be able to send zip files. But we do scan all emails - incoming and outgoing, and we install antivirus software on every computer in the company - with central reporting.
However, you really need to update every day - if not more often. And, there can be problems with encrypted files. Oh, and a firewall can also block any backdoors that virii create.
And yes, the plural of virus is virii.
Yes, sometimes translation will be disappointing, but you probably didn't need the formatting junk anyway. Besides, once it's in an OpenOffice format, you can file it in a system with a search engine.
Google ought to sell something like this as a product, since they already do most of those translations.
Do not use Outlook but use Mozilla-mail.
What we did was have a look at the advisory from McAfee, and set up our email scanner to block attachments with that particular name; also sending out an email to all staff regarding the new virus helps raise awareness.
I work for a bank processing company, I won't say which one, but I can assure you that it's one of the largest. And while we can transfer some files via email, we've started switching to a policy that almost all files that are sent to/from clients are done via FTP.
Much more secure, and ensures that the file(s) actually get to the client.
just one way things are better...
harryk
think before you write, it'll save me moderator points.
boom boom....very funny...
Pfft - Sorry, what?
It digs IIRC up to 9 levels deep in zipfiles, etc. It is immune to zip bombs. Block zips - what no AV can do is clean ENCRYPTED zipfiles. So educate your users to encrypt to get it past the scanner.
3. Profit!
I want to delete my account but Slashdot doesn't allow it.
My washroom policy: I handle dirty computers all day so I wash my hands before I handle myself.
Why on earth do we care?
- Create a 67 meg ASCII file with nothing but a single repeating character. Here's a three-line command-line (DOS) batch file to do it:
- Run the batch and copy off "punkd1.txt" to another name.
- Make several copies of the file.
- Zip them all into your "package 'o death." Due to the simple structure of the file, it will zip down quite a bit (close to 99%) if you use maximum compression.
- Deliver the package to your victim.
When the ZFS tries to unpack the files to scan them, it blows its swap space. (Note that the second line is long and may wrap on your display.)
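As an added example that is neither the batch file from this post nor code from any scanner named in the thread, here is the defender-side check a gateway should run before it unpacks an archive: a cheap header check for the declared compression ratio, a hard bound on how much is actually inflated whatever the headers claim, recursion into nested zips up to a fixed depth, and flagging of encrypted entries that no scanner can open. The limits are assumptions chosen for the example.

```python
"""Pre-unpack check for zip attachments: bound what is inflated, follow
zip-in-zip to a fixed depth, flag encrypted entries no scanner can open.
Added example; the limits are assumptions, not any product's defaults."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

MAX_DEPTH = 9               # assumption: follow nested zips at most this deep
MAX_TOTAL_BYTES = 32 << 20  # assumption: stop once 32 MiB have been inflated
MAX_RATIO = 100             # assumption: declared ratio above 100:1 is a bomb


@dataclass
class Report:
    entries: int = 0
    produced_bytes: int = 0  # bytes actually inflated, not what headers claim
    max_depth: int = 0
    encrypted: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)

    def safe_to_scan(self) -> bool:
        return not self.problems and not self.encrypted


def _bounded_read(zf: zipfile.ZipFile, zi: zipfile.ZipInfo,
                  budget: int) -> tuple[int, bytes | None]:
    """Inflate one entry in chunks, stopping once the budget is passed, so a
    header that lies about file_size cannot drive memory or disk use. The
    data is kept only for entries that are themselves zips (for recursion)."""
    buf = io.BytesIO() if zi.filename.lower().endswith(".zip") else None
    produced = 0
    with zf.open(zi) as src:
        while chunk := src.read(65536):
            produced += len(chunk)
            if buf is not None:
                buf.write(chunk)
            if produced > budget:
                return produced, None
    return produced, (buf.getvalue() if buf is not None else None)


def inspect_zip(data: bytes, depth: int = 1, report: Report | None = None) -> Report:
    """Decide whether an archive can be handed to the virus scanner at all."""
    report = report or Report()
    report.max_depth = max(report.max_depth, depth)
    if depth > MAX_DEPTH:
        report.problems.append(f"nested deeper than {MAX_DEPTH} levels")
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.problems.append("not a valid zip archive")
        return report
    with zf:
        for zi in zf.infolist():
            report.entries += 1
            if zi.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                report.encrypted.append(zi.filename)  # cannot be scanned
                continue
            if zi.compress_size and zi.file_size / zi.compress_size > MAX_RATIO:
                ratio = zi.file_size // zi.compress_size
                report.problems.append(f"{zi.filename}: declared ratio {ratio}:1")
                return report  # cheap header check first; never inflate it
            budget = MAX_TOTAL_BYTES - report.produced_bytes
            produced, inner = _bounded_read(zf, zi, budget)
            report.produced_bytes += produced
            if produced > budget:
                report.problems.append(f"{zi.filename}: inflated past {MAX_TOTAL_BYTES} bytes")
                return report
            if inner is not None and inspect_zip(inner, depth + 1, report).problems:
                return report
    return report


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: a normal archive, a small bomb-shaped one (4 MiB of
    one byte, which DEFLATE shrinks about 1000:1) and a 4-level nest."""
    def zipped(entries: dict[str, bytes]) -> bytes:
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, blob in entries.items():
                zf.writestr(name, blob)
        return out.getvalue()
    normal = zipped({"figures.txt": b"quarterly figures, see sheet 3\n" * 5})
    bomb = zipped({"punkd1.txt": b"\0" * (4 << 20)})
    nested = zipped({"note.txt": b"innermost"})
    for level in range(3):
        nested = zipped({f"level{level}.zip": nested})
    return {"normal": normal, "bomb": bomb, "nested": nested}
```

The bomb-shaped sample is rejected from its central directory alone, before a single byte of it is inflated; the nested sample is walked level by level with the same byte budget shared across all levels.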
Yeah, right.
The correct Latin plural for virus is /not/ virii. Virus was not a countable concept, since it meant "slime" or something similar.
The whole VM issue is a good one, however one also has the whole 80/20 rule. One of the reasons why the Java VM is sometimes slow is because they try to do too much in the VM. For instance, if you use a Python GUI program, it is fast because most of the low-level stuff in Gtk is still written in C. In Java, this goes much deeper and some really low level things are still run in the VM and this makes it slow. Java is more of a 80/20 thing that tries to put 90% of the 20% into the rest of the original 80% which is not always such a good idea.
That said, another solution to the problem is for a program to carry a proof of its own behaviour with it. This is an interesting avenue which is currently beginning to be explored in academia. Search on Google for TAL and Proof Carrying Code to see some papers.
Basically, a program carries a proof that the computer can verify that it does not cause harm. Java VMs do this in a limited sense; the PCC groups are AFAIK extending some ideas to normal x86 assembler as well as taking it much further. This is also a way of forcing some more serious formal methods onto programs: IF the program cannot prove that it does what it is supposed to do, you do not run it.
It is obviously still several years into the future, but the idea is there and there is quite a bit of research going on at the moment.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
It's simple, we have a script check incoming emails for restricted attachment types (eg. .exe files), and rather than delivering them, or dumping them entirely, it places the attachment in a quarantine area, and sends the user an email saying that their email had been quarantined.
If, as in most cases, the attachment was a virus, or something the user wasn't supposed to be opening anyway (eg. greeting cards in executable files), it sits in quarantine until it reaches a certain age, and then it gets deleted.
If it was a legitimate file, we get a call requesting the file be delivered, we double check that it's safe, and then bounce the full email to them (through a restricted use path that avoids the quarantine check).
As long as you have a quarantine area, you can safely be draconian about adding to the list of attachments that don't get delivered.
----
Open mind, insert foot.
The problem with this is that email is a directed delivery system, whereas with anon FTP it can be a real pain to have files that can only be read by certain users/groups.
For example, if I am sending a zipped copy of my financial reports to a remote location, or something like that. How do I put the files on the anon FTP without everyone in the company (assuming FTP is restricted to internals) being able to read the file - unless you have little sandboxes for individual FTP recipients (upload OK, read requires proper userID).
Of course, if you have a system with login-names, etc associated with FTP then it's good - but in that case you could just use a fileserver location with Samba, NFS, etc.
Funny how that didn't seem to stop several of my family members from getting infected by a virus. I even went and looked at their Hotmail inboxes and sure enough the virus-infected e-mail was still in the inbox.
I am not sure if McAfee is to blame or Microsoft, but this was like 2 days after that particular virus had been reported.
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
PGP works and works well. It will allow the sender to be positively identified. Force such attachments to be at least signed so that an infected PC can be identified.
Fidonet had modules to allow zip files to be virus scanned, your mail gateway should too or you should dump it.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Of course, any machine might be configured to execute anything, but you should also consider these common executable types:
sc
msi
cpl
crt
esc
inf
ins
isp
mde
m
msp
mst
ocx
pcd
sct
vb
wsf
wsh
Recycle PCs and build a wireless community network www.hillsborough.org.nz
Why was that message mod'ed up? It contains incorrect information.
"radii" is plural of "radIus", "virii" would be plural of "virius", if there was such a word. But hey, it's actually "virus", not "virius".
Yes, apart from the grammatical problems, you are hinting at the problem that perhaps we do not need a plural for "virus".
That might be true for a translation like "slime", but it is not true when seeing a virus as a disease-causing agent, as we do nowadays.
Besides, plural forms of uncountable things exist. One beer, two beers. "Informationen" (German) vs "information" (English). Again, I'd recommend you this book I've been talking about (Words and Rules).
And yes, BTW:
virus -i n. [slimy liquid, slime; poison, esp. of snakes, venom; any harsh taste or smell].
Taken from here. Can anybody confirm this? Virus, -i, neutrum? What kind of declination is that?
We also run Trend Scanmail, and after a couple of our new Windows XP machines auto-executed the contents of some zip attachments, we decided that we have to block zips as well. The Sobig.E virus we got was inside nested zips 8 levels deep.
We just now tell our users to rename their zipfiles to *.ZZZ instead of *.ZIP and attach them to get around the zip blocking.
Canada: Drink strong, pissy-tasting beer
UK: Drink warm, beery-tasting piss
Switching to single malt whisky?
I am the musician
with a pocket calculator in my hand
kraftwerk
Most AV products can handle .zip files, as well as .gz .rar .cab .jar, and so does TrendMicro; as a previous comment pointed out, it's a matter of updating the signature/pattern/definition files.
he is asking if we should be blocking ZIP files?
not "how can we block ZIP files?"