Slashdot Mirror


To Allow or Not Allow E-Mail Attachments?

t0pper311 asks: "I work for a pretty large utility company in the midwest and of course, security is a big concern. We use Trend Micro as a mail gateway to basically scan for virii and strip off most attachments like executables or VB script. Now with the Sobig.E virus on the loose, we need to ask ourselves if we should be blocking ZIP files. We got lucky this time and were not affected, but what about next time? What are other companies doing? If you do block ZIP files, how do you give the people who need to send files the ability to do so? Do you allow any attachments at all?"


  1. Or... by BrokenHalo · · Score: 2, Interesting

    You could just let everyone catch every virus going for a few months, then offer them a real computer that doesn't get viruses. I wonder how many people would get the message.

    1. Re:Or... by Artana+Niveus+Corvum · · Score: 2, Interesting

      On the other hand though, in a corporate environment you'll find that there are a surprising number of users that are simply ineducable. They know how to use Word only in that if they click on the icon it opens and they can type stuff. If you try to teach them more (or have them sent to external training), you may very well have just wasted your time and money because the user thinks "I can do my job, I don't need the extra information" (though I do occasionally question that the thought is that coherent). A truly surprising number of users will actively reject any training that you throw at them for fear that their weaknesses might be exposed and/or they might be required to do "more" work (i.e. that work which is already in their job description). The problem is most obvious in environments where this level of skill (if it can be called that) and this type of attitude is considered adequate and acceptable.
      Say what you will about how such businesses simply shouldn't hire people like this. That's fine, I agree with you. However, this is not a factor that the IT department can often (ever?) control. We are simply instructed to "deal with it" then are burned for any feet (heads) we have to step on to get the job even started, much less done. It's extremely hard to counter attitudes and ignorance like that when you have neither the honey nor the stick to back your "suggestions."
      What to do about these users then? Once they figure out how to open up their email program they delight in running every "screen saver" and "cute picture" that they come across. The speed of the antivirus companies in releasing product updates can by no means match the universal "Speed of Stupid" (yes, I just used "stupid" as a noun, deal with it). You can't cut them off from their email or you'll catch the fires of Hell when their boss talks to your boss's boss about how you've been misbehaving for no reason. You can't even limit the attachments that they can receive or they'll scream bloody murder at a boss who is very probably more technologically inept than they themselves are. "Sally VirusWriter sent me a cute picture and I can't open it because the IT department is being an evil asshole! Waaaa!!" You're lucky if you even get to install an antivirus on their machine... "it slows the computer down! Waaaa!!" (ignoring the fact that they have a 2.8Ghz P4 w/512MB of ram....).
      Your next suggestion will be "get a different job," however you know as well as I do the state of the market for such things.
      So, realistically, what do you do? I've considered blocking the entire email when it contains a virus rather than just the attachment, that would keep Tech_dummy0 happy because they'd simply never see the email and wouldn't have the opportunity to bitch because they can't open the *.pif attachment.... grrrrrrr to people....

      Okay, I'm done now.

      --
      -----------------------------------------
      Remove the Greed which plagues mankind.
  2. Better Scanner... by NetJunkie · · Score: 2, Interesting

    Get a better scanner. I can't recommend Sybari's Antigen enough. It uses multiple virus scanner engines and has great filter support. It also opens up archive files and scans inside of them.

  3. er, why not use a proper AV product? :-) by MightyTribble · · Score: 2, Interesting

    We use Symantec for Microsoft Exchange. It'll scan and clean files within zip files. SoBig.E has not been a problem for us (aside from the fact that we're running MS Exchange, of course).

    That said, I was surprised to find one of the largest employers in MA doesn't have *any* AV protection on their Exchange servers, and had quite a bit of downtime as a result. So I guess AV on mail servers isn't as commonsensical as I thought... ;-p

    Running Exchange is bad enough, but do-able. To run Exchange *without* decent, up-to-date AV software is just incompetent.

  4. What if by altp · · Score: 2, Interesting

    What if you choose to block email attachments completely, could you set up a repository on a computer. Have people drop attachments there, and as they finish their uploads scan them for viruses before making them visible for people to download. People could log in with their email addresses (on your side), and there could be guest accounts generated for people on the outside to get files in and out.

    the guest accounts could expire after a time frame, or a number of uses, or whatever.

    Altp.

  5. I think we check inside zip files by Kris_J · · Score: 2, Interesting

    From memory, MailScanner (ours uses the F-Secure engine) looks inside zip files. No biggy.

  6. Re:Set up a sandbox. by GiMP · · Score: 2, Interesting

    Yeah, it is called Unix.. Run it as a non-root user. The worst that happens is that that user's data is stolen or deleted (credit card numbers, etc)

  7. Re:Why by jshare · · Score: 4, Interesting
    Well, you can run into trouble if you try to scan this zip file.

    I forget the exact stats, but it decompresses out about 7 levels deep, 16 files per level, and 4gig files at the last level. So, that's a lot of unzipping your virusscanner would be doing.

    Granted, you could probably give it a checksum for this file in particular, but there are always variations on the theme.

  8. Re:Safe file exchange should be a *feature*! by RzUpAnmsCwrds · · Score: 2, Interesting

    Welcome to .NET - I know I'll be flamed, but this is what Microsoft's new technology is about: bringing Java-like security to every application (Microsoft calls it "Managed" code).

  9. Re:Set up a sandbox. by dfgdfgdfg · · Score: 4, Interesting
    This is an important point. Why should running an executable be dangerous at all? is it really that difficult to set up a sandbox (a la the JVM) for users to run untrusted executables in? There may be some more hassle involved, but it could be implemented fairly transparently.

    Exactly! Files that are executed should always be executed in a sandbox, except if they reside in "/usr/bin" or other system directories. If the common file managers/ email client did that, there would be no problem sending exes per mail.

    Someone should implement the following: A program "nobody" that executes a command line and traps all system calls. When the child process does a system call, it asks the user e.g. "The program wants to open a connection to c32x.com. Allow?". If the user answers "No", the system call just returns -1. You could invoke it just like "nice" or "nohup". That should solve the email-attachment problem. Programs like "strace" already trap system calls, so this must be possible.

    --
    -- 1.e4 c6 2.d4 d5 3.Sc3 de4: 4.Se4: Sd7 5.Sg5 Sgf6 6.Ld3 e6 7.S1f3 h6 8.Se6:
  10. Re:Safe file exchange should be a *feature*! by Muggins+the+Mad · · Score: 3, Interesting
    Welcome to .NET - I know I'll be flamed, but this is what Microsoft's new technology is about

    Yes, and god forbid they actually get it right. The free software world needs to snap out of its smug "UNIX is secure" stance and do something to bring it into this millennium. I want to run executables from random places. As part of my job I actually need to. I don't currently have an OS where I can do that. I would hate for the first one that lets me to be from MS.

    - Muggins the Mad

  11. Re:OS by sql*kitten · · Score: 4, Interesting

    Why do you make so many accommodations for the failures of the OS? Isn't the OS supposed to work for you, instead of you working for it? How many features do you have to shut off before it's not worth the considerable cash you paid for it?

    Clearly you lack an understanding of the issue. This is nothing to do with OS. The issue is one of users running executables they are sent via email. If (insert your favourite Linux email package here) allowed a user to double-click an attached .sh file, then the problem would also exist on Linux.

    Outlook was designed to be scripted so you could use it to build your own workflow. If you don't need this feature, switch it off! Complaining about exposed but unused functionality being abused is the same as complaining that it's Linux's fault if all the daemons are started at boot and someone roots you through BIND.

  12. Re:OS by Zork+the+Almighty · · Score: 3, Interesting

    Don't files on Linux default to non-executable? Your point is well taken though. And I would say it's the Linux distro's fault if it enabled all these useless services by default and left me vulnerable.

    --

    In Soviet America the banks rob you!
  13. Re:Safe file exchange should be a *feature*! by joto · · Score: 2, Interesting
    There's no reason raw machine code needs to be dangerous at all. Modern computers (even PCs) have decent memory protection that'll stop user programs from having direct access to hardware and force them to go through the OS.

    Yes, this was the first option I mentioned.

    The OS can decide what the user program is allowed to do. Whether it's opening network connections, allocating more memory, writing to screen or file, it *already* goes through the OS anyway. So it's not much of a step to put a few security checks in there.

    Putting some checks there is not hard. Making it useful is hard. At the level of system calls, it is very hard to say what a program should be allowed to do in a way that would be useful for an end-user. Let's take a simple example: if you grant it access to the windowing system, how would you limit it to e.g. not controlling other applications through synthetic button and key events?

    There is a reason we don't have this kind of security today. It is very hard to get right. Only with a higher-level security architecture, such as java, is it possible to make useful checks about what a program is allowed to do, and what it is not allowed to do. If it is at all possible at the level of system calls, it would be very hard to control in an intuitive manner.

    Raw machine code executables are bad because they aren't cross platform, but I don't see why they are necessarily a security issue under a secure OS

    Trouble is, there are no such secure OSes that are anywhere close to usable. But there is a lot of research going on in this area. In 10 years, maybe someone will make one of those research OSes into something close to useful. Personally, I find it unlikely, however. There is always a tradeoff between speed, flexibility, and security. Raw binaries are one end of the spectrum, and I don't think they are going away. But there is nifty research going into things like typed assembly languages, etc, and I may be proven wrong (at least I hope so).

    Only in the current climate of insecure operating systems. I *want* people to be able to send me cute little applications or games, or interactive data files. Why should we be limited in what we can do because people are so used to the inadequacies of current mass products when there isn't really a technical limitation at all?

    Because, there really aren't any realistic alternatives. Any mainstream OS is as vulnerable to the same kind of attack. There are two reasons this doesn't happen however: First; writing effective email-viruses for other platforms than windows is harder, because everyone uses different setups, and different mailclients. Secondly; Their users are generally more knowledgeable. But none of these reasons is technical.

    If you want to exchange cute games and toys, send them as java applets, or flash swf-files, or whatever you feel would be reasonably secure.

  14. Re:You get a virii scanner that can deal with zip. by Jucius+Maximus · · Score: 5, Interesting
    "Given that most users love to download crap via hotmail etc. , lets hope you have a virus scanner on their PC too."

    That is true. At one company I worked (with several thousand employees) there was a virus outbreak every one or two weeks on the corporate network.

    This reduced to once or twice per year after they blocked off hotmail, yahoo mail, lycos mail, ICQ, AIM, etc. And really, if you are smart enough to get around this and use a small webmail provider then you're smart enough to not download a virus as well.

  15. They were lucky... by Dthoma · · Score: 4, Interesting

    ...that no one uploaded a zip bomb. For the uninitiated, that's where you make a huge file or series of files containing nothing but a single character (e.g. a null character) repeated millions/billions of times over and then compressed. Since such perfectly repetitive data compresses so well, it's easy to upload the resulting small file (on the order of a few dozen kilobytes) and wait for the server to get thrown off unzipping it.

    --

    Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

    1. Re:They were lucky... by HBI · · Score: 2, Interesting

      This did happen back in the Fidonet days. "The Infinity Bomb" was a Net 107 (NY/NJ) legend. There was a jerky sysop named Bob Moravsik who got a zip bomb uploaded to his Fido mailer. Knocked his system offline until he got back to it. Never forgave the culprits (some of his fellow Fido sysops who hated his guts)

      It was funny back then because he was such an anus, but today ...you need to validate zip files imho. Not a technically hard job really. I did some surgery on Zip files back when (wrote a utility called zipc that would add comments to the files). The format is fairly simple.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  16. Digital signatures by macemoneta · · Score: 2, Interesting

    Digital signatures verify the authenticity of the email, but come in as an attachment. Stripping these off is counter to your intent, maintaining security.

    --

    Can You Say Linux? I Knew That You Could.

  17. Re:OS by alangmead · · Score: 3, Interesting

    The part where the OS gets involved is when it uses the same mechanism to associate documents with their application as they do interpreted code with their interpreter.

    MIME has a Content-Type mechanism to describe data. In the original MIME specification the authors stated

    The "application" Content-Type is to be used for data which do not fit in any of the other categories, and particularly for data to be processed by mail-based uses of application programs. This is information which must be processed by an application before it is viewable or usable to a user. Expected uses for Content-Type application include mail-based file transfer, spreadsheets, data for mail-based scheduling systems, and languages for "active" (computational) email. (The latter, in particular, can pose security problems which should be understood by implementors, and are considered in detail in the discussion of the application/PostScript content-type.)
    and
    Security considerations: This type is intended for the transmission of data to be interpreted by locally-installed programs. If used, for example, to transmit executable binary programs or programs in general-purpose interpreted languages, such as LISP programs or shell scripts, severe security problems could result. In general, authors of mail-reading agents are cautioned against giving their systems the power to execute mail-based application data without carefully considering the security implications. While it is certainly possible to define safe application formats and even safe interpreters for unsafe formats, each interpreter should be evaluated separately for possible security problems.

    Just because the designers of outlook essentially ignored the data description features of MIME didn't mean they had to ignore the warnings of the dangers of executable content. There is no reason why a mail reader should associate a .sh file, or an application/x-shell-script file with a general purpose interpreter, and the people who invented MIME knew this and warned about it.

    There is no good reason for a mail program to hand executable content off to the OS or an interpreter.
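A gateway-side version of the point made in the two comments above (dispatch on what the client will actually do with the file, and leave signature parts alone), as an added example that is not code from any commenter or product. The extension and type tables and the function names `decide`, `review` and `sample_message` are assumptions for illustration, and the message is constructed.

```python
import email
import os.path
from email import policy
from email.message import EmailMessage

# Assumed policy tables for illustration; extend them to match your gateway.
BLOCKED_EXT = {".exe", ".pif", ".scr", ".vbs", ".bat", ".com", ".sh"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-shell-script"}
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/pgp-signature"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def decide(part):
    """Return 'keep', 'strip' or 'unpack-and-scan' for one leaf MIME part."""
    ctype = part.get_content_type()
    # Windows ignores trailing dots and spaces, so "a.exe." still runs as .exe.
    name = (part.get_filename() or "").lower().rstrip(". ")
    ext = os.path.splitext(name)[1]
    # The desktop dispatches on the final extension, whatever type is declared,
    # so this check runs first and also catches a fake "signature" part.
    if ext in BLOCKED_EXT or ctype in BLOCKED_TYPES:
        return "strip"
    if ctype in SIGNATURE_TYPES:
        return "keep"  # stripping this would break signature verification
    if ext == ".zip" or ctype in ARCHIVE_TYPES:
        return "unpack-and-scan"
    return "keep"


def review(raw_bytes):
    """Parse a raw message and return (part label, decision) for every leaf."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename() or p.get_content_type(), decide(p))
            for p in msg.walk() if not p.is_multipart()]


def sample_message():
    """Constructed sample: body, disguised .pif, zip and detached signature."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ", maintype="image", subtype="jpeg",
                       filename="cute.jpg.pif")
    msg.add_attachment(b"PK", maintype="application", subtype="zip",
                       filename="report.zip")
    msg.add_attachment(b"sig", maintype="application",
                       subtype="pkcs7-signature", filename="smime.p7s")
    return msg.as_bytes()
```
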

  18. How to break zip-file scanners by Safety+Cap · · Score: 3, Interesting
    The problem with ZFSs is that they can be broken easily. Here's one way to do it:
    1. Create a 67 meg ASCII file with nothing but a single repeating character. Here's a three-line command-line (DOS) batch file to do it:
      echo aaaaa > punkd.txt

      for /l %%b in (0,1,11) do copy /y punkd.txt + punkd.txt punkd1.txt && copy /y punkd1.txt + punkd1.txt punkd.txt

      del punkd.txt
      (note that the second line is long and may wrap on your display)
    2. Run the batch and copy off "punkd1.txt" to another name.
    3. Make several copies of the file.
    4. Zip them all into your "package 'o death." Due to the simple structure of the file, it will zip down quite a bit (close to 99%) if you use maximum compression.
    5. Deliver the package to your victim.
    When the ZFS tries to unpack the files to scan them, it blows its swap space.
    --
    Yeah, right.
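The comments above on deeply nested archives, zip bombs and scanners that exhaust swap all describe a scanner that inflates without limits, and one reply notes that validating zip files is not hard. A sketch of that validation, added here as an example and not code from any commenter or scanner product: the limit defaults are illustrative assumptions, `scan_chunk` is a hypothetical hook standing in for the AV engine, and `make_zip` only builds constructed samples.

```python
import io
import zipfile


class ArchiveRejected(Exception):
    """Raised when an archive breaks a limit and must not be unpacked further."""


def scan_zip(data, scan_chunk=lambda name, chunk: None, max_entries=1000,
             max_total=50 * 2**20, max_depth=3, max_ratio=200, min_size=2**20,
             _depth=0, _budget=None):
    """Inflate an in-memory zip under hard limits; return the bytes inflated."""
    # Limits are illustrative assumptions; scan_chunk is a hypothetical AV hook.
    budget = [max_total] if _budget is None else _budget
    if _depth > max_depth:
        raise ArchiveRejected("nested too deep")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ArchiveRejected("malformed zip")
    if len(zf.infolist()) > max_entries:
        raise ArchiveRejected("too many entries")
    used = 0
    for info in zf.infolist():
        if info.flag_bits & 0x1:
            raise ArchiveRejected("encrypted entry cannot be scanned")
        # Cheap pre-check on directory metadata, before inflating a byte.
        if info.file_size > max(min_size, max_ratio * max(info.compress_size, 1)):
            raise ArchiveRejected("compression ratio too high")
        nested, is_zip, first = bytearray(), False, True
        with zf.open(info) as fh:
            # Declared sizes can be forged, so count real output while streaming.
            for chunk in iter(lambda: fh.read(65536), b""):
                if first:
                    is_zip, first = chunk.startswith(b"PK\x03\x04"), False
                budget[0] -= len(chunk)
                if budget[0] < 0:
                    raise ArchiveRejected("total size budget exhausted")
                used += len(chunk)
                scan_chunk(info.filename, chunk)
                if is_zip:
                    nested += chunk  # growth is bounded by the shared budget
        if is_zip:
            used += scan_zip(bytes(nested), scan_chunk, max_entries, max_total,
                             max_depth, max_ratio, min_size, _depth + 1, budget)
    return used


def make_zip(members):
    """Build a small in-memory zip from {name: bytes} for constructed samples."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()
```

The byte budget is shared across every nesting level, so many small archives inside one another are charged against the same allowance as a single large member.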