Re: Are you still looking for an excuse to block executable attachments?

From: Weaver, Colin (colin_at_ITDOJO.COM)
Date: 01/27/04

    Date:         Tue, 27 Jan 2004 11:02:31 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Russ,
     
    Truth: Executables (amongst other things) should be dropped from email messages. This is so true you could put it in an RFC. Until the day comes that AV products can easily launch executable attachments in a virtual machine, observe its behavior and then make a decision about whether it is safe or not we are stuck with this truth.
     
    Truth: Someone has to say this: This collection of networks IS NOT JUST FOR GEEKS. Dropping ALL attachments is silly. Commerce takes place here. Commerce frequently involves attaching stuff to emails. Our charge as security people is to help users have secure conversations, limiting what they can send only when absolutely necessary (such as executables). We should be as transparent as possible.
     
    Truth: As you mentioned, there are many new members of this group who either 1) have just recently learned this or 2) are learning it as we write.
     
    Truth: As an educator in the IT field I consider it a duty to make sure anyone interested in making it in this field gets themselves on this list. The topics discussed on NTBugtraq are invaluable and always ahead of the general media (SQL Slammer and Code Red come quickly to mind).
     
    Opinion: Why is it that this industry insists on educating its newer inductees by flaming them for things they don't know? I see this a lot in the various Linux forums on the net. Each time someone asks a question that is "obvious" they seem to get berated for not already knowing such trivial information and essentially told to stop playing with things they don't understand. Your post bordered on this same tone.
     
    Truth: Your list constantly has new members. You started this thing so you are the "facilitator of information dissemination"... a teacher. Teachers don't have the luxury of insulting each new class of students for not knowing what they taught the last crop.
     
    -Colin Weaver
    ITdojo
     
    P.S. - Please send all flaming responses to colin@itdojo.com
     

    ________________________________

    From: Windows NTBugtraq Mailing List on behalf of Russ
    Sent: Mon 1/26/2004 11:47 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: FYI: Are you still looking for an excuse to block executable attachments?

    I could tell you about a few really dumb email virus attacks that are
    attempting to deliver executable attachments, or even better if you
    really need to show how dumb you can be, executables within zip
    attachments, but then if you needed to hear about it from me, you
    probably wouldn't be able to do anything with the info. Granted, there
    are new members to this list who may not know about such things, but
    honestly, blocking attachments is really such a basic thing it shouldn't
    have to be mentioned.

    The Internet is busy with people who don't get this, what a shame.

    Remember, Anti-Virus doesn't stop viruses, it limits them. Only you can
    prevent forest fires...so only your employees who are so clueless can
    cause them for you.

    Sorry to be harsh, but to see AV people scrambling over this latest wave
    is, well, pathetic. Here's a thought, take the BadURLs script code I
    provided to the list at Christmas and modify it to look for attachments,
    any attachment. Strip the attachment from the email and replace it with
    a link to a website, but only if the user who the email is going to has
    an AD attribute that gives them permission to receive such attachment
    (create attachment groups and populate them, then do an AD lookup to see
    if the email address recipient is a member of that group, again not
    rocket science.) If not, just strip and drop the attachment. If yes, put
    it on a webserver instead of delivering it in email.

    Better still, unzip it (Winzip have an API you know) and then scan the
    contents for attachment types you're blocking...IOWs, just because it's
    zipped doesn't mean you accept such attachment types from Internet
    sources. Too bad AV products are too dumb to do this, no wonder some
    malcode writers have chosen to deliver the same old executable inside a
    zip, they realize it'll get farther than plain attachments (but then
    again, there was bagle last week.)

    Here's another thought, give Zimmerman his due and don't accept anything
    that isn't PGP encrypted, first to a common key for your mail server
    app, then to the recipient!! Wow, what a concept.

    Ok, all that too much for you? Drop all attachments, plain and simple.
    Either that or take the computer away from your, um, less than bright
    users...;-]

    Cheers,
    Russ - NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    I'm looking for an event at which I can speak in Australia, specifically near Brisbane, as close to Christmas as possible. Anyone interested in flying me down under at that time, please contact me at Russ.Cooper@rc.on.ca
    -----

    -----
    NTBugtraq Editor's Note:

    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    -----
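
The strip-and-scan policy described in the quoted message (drop blocked attachment types, and look inside zip archives for the same types), written out as an added example; it is not part of the original posts and is not the BadURLs script they mention. The extension list, the depth and size limits, and the `recipient_in_group` flag (standing in for the AD group lookup) are assumptions, and Python's `zipfile` module is used in place of the WinZip API.

```python
import io
import zipfile
from email import message_from_bytes, policy

# Constructed block list; the post does not enumerate the extensions to block.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
MAX_DEPTH = 3               # limit on zip-inside-zip recursion
MAX_MEMBER = 20_000_000     # largest nested archive we will unpack (bytes)


def blocked_reason(filename, payload, depth=0):
    """Return why an attachment is rejected, or None if it may pass."""
    name = (filename or "").lower().rstrip(". ")
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in BLOCKED_EXT:
        return f"blocked type {ext}"
    # Treat content as an archive by extension or by zip magic bytes.
    if ext != ".zip" and not payload.startswith(b"PK\x03\x04"):
        return None
    if depth >= MAX_DEPTH:
        return "archive nested too deeply"
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                is_zip = info.filename.lower().endswith(".zip")
                if is_zip and info.file_size > MAX_MEMBER:
                    return "nested archive too large"
                # Only nested archives are unpacked; others are judged by name.
                inner = zf.read(info) if is_zip else b""
                reason = blocked_reason(info.filename, inner, depth + 1)
                if reason:
                    return f"archive contains {info.filename}: {reason}"
    except Exception:  # corrupt, encrypted or unsupported: fail closed
        return "unreadable or encrypted archive"
    return None


def strip_attachments(raw, recipient_in_group):
    """Replace rejected attachments with a notice; return (message, notes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    notes = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or filename is None:
            continue
        reason = blocked_reason(filename, part.get_payload(decode=True) or b"")
        if reason is None and not recipient_in_group:
            reason = "recipient not in attachment group"
        if reason:
            notes.append(f"{filename}: {reason}")
            part.set_content(f"[attachment {filename} removed: {reason}]\n")
    return msg, notes
```

Hosting permitted attachments on a web server and substituting a link, as the quoted message suggests, would replace the pass-through branch for recipients in the group.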

