FYI: Are you still looking for an excuse to block executable attachments?

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/27/04

  • Next message: Nick FitzGerald: "Re: FYI: Are you still looking for an excuse to block executable attachments?"
    Date:         Mon, 26 Jan 2004 23:47:37 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I could tell you about a few really dumb email virus attacks that are
    attempting to deliver executable attachments, or even better if you
    really need to show how dumb you can be, executables within zip
    attachments, but then if you needed to hear about it from me, you
    probably wouldn't be able to do anything with the info. Granted, there
    are new members to this list who may not know about such things, but
    honestly, blocking attachments is really such a basic thing it shouldn't
    have to be mentioned.

    The Internet is busy with people who don't get this, what a shame.

    Remember, Anti-Virus doesn't stop viruses, it limits them. Only you can
    prevent forest fires...so only your employees who are so clueless can
    cause them for you.

    Sorry to be harsh, but to see AV people scrambling over this latest wave
    is, well, pathetic. Here's a thought, take the BadURLs script code I
    provided to the list at Christmas and modify it to look for attachments,
    any attachment. Strip the attachment from the email and replace it with
    a link to a website, but only if the user who the email is going to has
    an AD attribute that gives them permission to receive such attachment
    (create attachment groups and populate them, then do an AD lookup to see
    if the email address recipient is a member of that group, again not
    rocket science.) If not, just strip and drop the attachment. If yes, put
    it on a webserver instead of delivering it in email.

    Better still, unzip it (Winzip have an API you know) and then scan the
    contents for attachment types you're blocking...IOWs, just because it's
    zipped doesn't mean you accept such attachment types from Internet
    sources. Too bad AV products are too dumb to do this, no wonder some
    malcode writers have chosen to deliver the same old executable inside a
    zip, they realize it'll get farther than plain attachments (but then
    again, there was bagle last week.)

    Here's another thought, give Zimmermann his due and don't accept anything
    that isn't PGP encrypted, first to a common key for your mail server
    app, then to the recipient!! Wow, what a concept.

    Ok, all that too much for you? Drop all attachments, plain and simple.
    Either that or take the computer away from your, um, less than bright
    users...;-]

    Cheers,
    Russ - NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    I'm looking for an event at which I can speak in Australia, specifically near Brisbane, as close to Christmas as possible. Anyone interested in flying me down under at that time, please contact me at Russ.Cooper@rc.on.ca
    -----
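
The gateway policy described in the message above (strip every attachment, look inside zips for blocked types, link only for permitted recipients), as an added sketch that is not part of the original post and is not the BadURLs script. Assumptions: the extension list, the `ATTACHMENT_GROUP` set standing in for the AD group lookup, the hypothetical `HOLD_URL`, and Python's `zipfile` in place of the WinZip API; copying the held file to the web server is not shown.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")  # assumed list
ATTACHMENT_GROUP = {"alice@example.test"}    # stand-in for the AD group lookup
HOLD_URL = "https://mailhold.example.test/"  # hypothetical web server

def blocked_name(name):  # Windows ignores trailing dots/spaces, so strip them
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT)

def zip_has_blocked(data, depth=0):
    """True if the archive holds a blocked type or cannot be inspected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1 or blocked_name(info.filename):
                    return True   # encrypted member, or a blocked type
                if info.filename.lower().endswith(".zip") and (
                        depth >= 2 or info.file_size > 10_000_000
                        or zip_has_blocked(zf.read(info), depth + 1)):
                    return True   # nested archive: recurse, fail closed on limits
    except zipfile.BadZipFile:
        return True
    return False

def filter_message(raw, recipient):
    """Strip every attachment; return (message, [(name, action), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    actions = []
    for i, part in enumerate(list(msg.iter_attachments())):
        name = part.get_filename() or f"unnamed-{i}"
        data = part.get_payload(decode=True) or b""
        bad = blocked_name(name) or (data[:4] == b"PK\x03\x04" and zip_has_blocked(data))
        ok = not bad and recipient.lower() in ATTACHMENT_GROUP
        note = f"Attachment {name!r} removed." + (f" Fetch it at {HOLD_URL}{i}" if ok else "")
        part.clear()
        part.set_content(note)
        actions.append((name, "link" if ok else "drop"))
    return msg, actions

def sample_message():  # constructed input: a .pif inside a zip, plus a text file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pif", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()
```

Archives that are encrypted, malformed, or nested past the limits are treated as blocked, so an attachment the filter cannot inspect is never linked.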

