Slashdot Mirror
To Allow or Not Allow E-Mail Attachments?
t0pper311 asks: "I work for a pretty large utility company in the midwest and of course, security is a big concern. We use Trend Micro as a mail gateway to basically scan for virii and strip off most attachments like executables or VB script. Now with the Sobig.E virus on the loose, we need to ask ourselves if we should be blocking ZIP files. We got lucky this time and were not effected, but what about next time? What are other companies doing? If you do block ZIP files, how do you give the people who need to sends files the ability to do so? Do you allow any attachments at all?"
Pretty simple really.
Given that most users love to download crap via hotmail etc. , lets hope you have a virus scanner on their PC too.
I think if people insist on running software that is vulnerable to these kinds of attacks then yes, you do need to stop these people using attachments completely.
If we do need to send files to each other as part of our business then surely that's a major feature that our application environment needs. If our chosen solution doesn't let us do that without an enormous amount of hassle and risk, then maybe it's time to make other tradeoffs and choose a client that does.
And if we have to choose between an email client with nice scheduling/calendaring and one that lets us receive file attachments safely, then that's a *decision* that must be made based on business needs. Which is more important to your task? Is there a way to have both? Will we accept the risk and hassle of virii to get nice calendaring, or will we use clumsier calendaring and have safe file attachments?
Only when people start making these conscious decisions en masse will we start seeing applications (including OS/hardware/whatever) that provide all the features we need to do our jobs.
The current climate of "how do we shore up the inadequacies of our chosen software?" isn't helping things improve.
Nice calendering *or* safe file attachments. Choose. If someone offers a product that does both. Cool. We all win.
- Muggins the Mad
I think that if a user opens an attachment from a random source, that came with no explanation, with a funky name like the ones in the write-up (see article link), then that's their own fault.
Filtering out legitimate attachments is not very good policy to protect against virii. You'd be -much- better off spending a few minutes educating employees in a "Virus Prevention" seminar or something. Show them that opening emails like that is not intelligent, and that way, it's not as much of a problem.
10 years ago, on BBS (bulletin board system), every time someone uploaded something, the system automatically unpacked the { zip | rar | arj } on a temp directory. Then the content of the archive were automatically checked for virii with *MANY* anti-virus like MacAfee, FProt and MSAV (if the BBS were DOS-based). If the archive passed the test, it was made available to download by other user. Then, the temp directory was cleaned.
IMHO, email is not a file transfer medium; sure you can send little things with it, but it's just not useful for any real kinds of file transfer.
Personally, I think you should set up an FTP that is open anonymously to everybody in your company, and then disable attachments so that people have to upload to the ftp, then email the link around.
This is an important point. Why should running an executable be dangerous at all? is it really that difficult to set up a sandbox (a la the JVM) for users to run untrusted executables in? There may be some more hassle involved, but it could be implemented fairly transparently.
Don't knock HTML email. It makes my life easier, since I
While you may have been lucky and escaped the Sobig.E virus, unfortunately it appears that you have been infected with the 'affective disorder' virus.
This cunning virus sniffs all your outgoing email and replaces 'affect' with 'effect' and vice versa. So while we know that you wrote "We got lucky this time and were not affected...", this malicious virus made it appear on slashdot as though you are 'affectively disordered'.
I forget the exact stats, but it decompresses out about 7 levels deep, 16 files per level, and 4gig files at the last level. So, that's a lot of unzipping your virusscanner would be doing.
Granted, you could probably give it a checksum for this file in particular, but there are always variations on the theme.
You should make sure that your bounce messages go to the right place. I've received countless messages informing me that my attachment was stripped because it contains the Sobig virus. The second thing you should do is to make sure that the full headers of the message get inserted into your bounce.
The funny thing is that I run only Linux on my domain, and I never e-mailed those people anything. It's very unlikely that Sobig can run on Linux. And I can't do anything about it because I don't have any headers to track down the source of the mails. Nobody's answered my requests for them either.
If tits were wings it'd be flying around.
Here's what I did with postfix.
/^(Content-(Type|Disposition):.*|\s*(file)?)name=( "[^"]*|\S*)\.(ade|adp|bas|shm|cmd|com|dll|hlp|js|j se|exe|com|chm|hta|jse|reg|shb|shs|vbe|vbs|vxd|scr |pif|bat|lnk|dll|vbs|js|mp*)\b/ REJECT
/^(Content-(Type|Disposition):.*|\s*(file)?)name=( \S*your_details)\.(zip)\b/ REJECT
in my main.cf created a line that says
body_checks = pcre:/etc/postfix/extensions
then created a file called extensions that looks like this:
The first line (yes it's all one line) blocks all executable files from entering the server. The second line block the only version of sobig that we received. Actually we received 2 modifications...one attachment was called your_details.zip, and the other was 'your_details.zip the ' allowed it to get around the filter, hence the wildcard.
The key is, to inform your users over and voer not to open things from people they don't know or aren't expecting. If you start blocking zip's you might as well block all attachments.
/* oops I accidentally made a comment, sorry */
This, and similar issues, have cropped up at a few of our customer sites over the years. There are situations where bringing in (documents/zip files/spreadsheets/etc.) are an essential part of making organisation function.
Whilst you can implement technical countermeasures to reduce your security risk somewhat, such as installing virus checkers that are able to unzip/unarj/unrar, keeping virus signature definitions up to date, quarantine incoming attachments.. etc, you really need to compare your security risk profile, with the business risk associated with NOT receiving these attachments.
This would normally be the function of your organisational risk assessment - it would compare the likely harm of virus infection, against the loss of capability as a result of not receiving the documents/zip files in question.
Which way you go, really depends on the threat/risk/harm/countermeasure equasion, which is unique to your organisation. However, a quick 'cheat' check:
* How badly is it going to hurt your organisation overall, if attachments don't come in?
* Do you have the resources to quickly clean up a virus attack if one makes it through?
- If you're a small organisation, with adequate IT staff numbers, and receiving attachments is pretty essential to your normal business... it's probably worth allowing things through.
- If your IT staff numbers are limited such that a virus attack would be a major cleanup effort, or attachments aren't all that critical, then block them, or quarantine them by redirecting them to technically literate help-desk users (who can forward them internally after checking them out).
However, make sure that you make it relatively painless for users to get their files. If you're really anal about things, they'll just open up a hotmail/yahoo/whatever account, ask people to send attachements there instead, and download just like a normal web link.
Red.
Why do you make so many accommodations for the failures of the OS? Isn't the OS supposed to work for you, instead of you working for it? How many features do you have to shut off before it's not worth the considerable cash you paid for it?
.sh file, then the problem would also exist on Linux.
Clearly you lack an understanding of the issue. This is nothing to do with OS. The issue is one of users running executables they are sent via email. If (insert your favourite Linux email package here) allowed a user to double-click an attached
Outlook was designed to be scripted so you could use it to build your own workflow . If you don't need this feature, switch it off! Complaining about exposed but unused functionality being abused is that same as complaining that it's Linux's fault of all the daemons are started at boot and someone roots you though BIND.
Sobig.E came out before the virus scanners had signature updates. When viruses spread so fast these days about all you can do is push your email through MessageLabs who have never let a virus through to a customer due to their custom AV scanner which uses heuristics instead of signatures.
Your point about not relying on any one point of access is well taken though - all entry points need to be protected in one way or another.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
That is true. At one company I worked (with several thousand employees) there was an virus outbreak every one or two weeks on the corporate network.
This reduced to once or twice per year after they blocked off hotmail, yahoo mail, lycos mail, ICQ, AIM, etc. And really, if you are smary enough to get around this an use a small webmail provider then you're smart enough to not download a virus as well.
Here's what we do:
1. Use Symantec Antivirus for SMTP Gateways 3.1. Blocks spam by subject, sender, multiple RBLs and heuristic antispam and has whitelist support. Scans for viruses and attachments can be deleted by filename with wildcards. I block anything that is executable in a Windows environment (since we use Windows, Exchange and Outlook -- no flames, please). Any file deleted gets a .txt file added to the message stating that <filename> is not allowed for security reasons. This means that if anyone needs to send a .exe, .cmd, .bat, .vb?, .cpl, .dll, and a number of others must first call so I can temporarily disable the deletion.
2. Use another company's antivirus on the mail servers. We use Sybari with multiple scan engines. This saved us this past week when the new FortNight.E managed to get past SAV for SMTP because it didn't detect it yet and it was essentially a script embedded in an html. (I'd love to strip them, too, but too many legitimate emails come through as html.) Sybari caught it after Symantec missed it.
3. Use another antivirus package for clients and servers. We use SAV Corporate edition with a master server setup so that one server d/l's updates from Symantec nightly or when I force it. Each remote location's server d/l's from that server nightly or when I force it. Each workstation d/l's from their location's server every 4 hours.
Since starting this practice, we've had a total of 2 viruses make it into our network. One was on a laptop that, for some strange reason never got antivirus installed and it was infected at the user's home. The virus never got further than that, but it took a while to discover where the virus alerts were coming from when it attempted to infect other machines. The other one had a corrupt install of the desktop antivirus and the end user didn't let us know that something didn't look right on his client. He then fell for the e-card virus (Go to this URL to download the greeting card X sent you.). Again, never got further than this one workstation. This is all the infections we've seen in over 2 years. Not bad for a 1500 user network.
But why is the rum gone?
...that no one uploaded a zip bomb. For the uninitiated, that's where you make a huge file or series of files containing nothing but a single character (e.g. a null character) repeated millions/billions of times over and then compressed. Since such perfectly repetitive data compresses so well, it's easy to upload the resulting small file (on the order of a few dozen kilobytes) and wait for the server to get thrown off unzipping it.
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".