I agree Kinnell. Allowing an archive file into the inbox of our user Tim
is not a smart idea these days.
Dave, I take it your not the email admin for your location? Ask your SA
"Systems Admin" to see the logs of the bogus attachments. How many are
actually valid attachments? I have received 7 today in 3 hours and my
network is by no means large. What does tiny Tim do when he gets the
attachment readme.zip spoofed with his domain as the sender?
My current policy allows all zips out the door but quarantines
everything coming in. If the file is valid I simply release it to mail.
Done. Yes, there is some administration but its better than tracking
worms!
Once again, until When Symantec Corp. integrates with Active Directory
to allow file attachments by user/group then maybe I can be more lenient
with the policy. For now I only have the choice to allow of block
everything. I can't trust some of the non technical users in my
organization (marketing, accounting, etc). They ask "what is this" and
forward information to the admin every time they get something they
don't recognize. This is after being trained numerous times. They are
easy prey to socially engineered email.
Thanks
AD
Information Technology Group
-----Original Message-----
From: Jonathan Loh [mailto:kj6loh_at_yahoo.com]
Sent: Tuesday, March 15, 2005 1:49 PM
To: Kinnell
Cc: David J ONEILL; security-basics_at_securityfocus.com
Subject: Re: 543.rar attachment
Good luck teaching common sense.
--- Kinnell <kinnell.t_at_gmail.com> wrote:
> Very true. However we are not looking to ban people from using e-mail
> as a tool to pass important files; we are looking to keep Tim, the new
> intern from a near college, from opening a stupid e-mail with a "your
> wife knows you watch porn" subject and running a file in there that is
> said to keep your wife from finding out.
>
> The problem is between the keyboard and the seat, not so much on the
> servers, but if we can't teach the users common sense then we need to
> ban all files. Same goes for so many hot topic items
>
>
> -Kinnell
>
> On Mon, 14 Mar 2005 22:41:44 -0800 (PST), Jonathan Loh
<kj6loh_at_yahoo.com>
> wrote:
> > Ok let's have a reality check.
> > Blocking archive files is easy by just writing a simple filter
looking for
> > various extensions. Pruning executable files means you will have to
use
> that
> > same filter, open the archive, either extract the whole thing,
delete the
> > executables, and repackage the whole thing, or delete the
executables in
> place.
> >
> > Everyone can split large application files, or can be taught how,
and send
> them
> > to be repackaged. Ever wonder how TCP and UDP work?
> >
> > --- David J ONEILL <David.J.Oneill_at_state.or.us> wrote:
> > > Gee, why not just block ALL email communication. That would save
you
> > > some work too.
> > >
> > > Archive files are a necessary part of communication and very
beneficial
> > > in saving bandwidth.
> > >
> > > Let's have a reality check ....
> > >
> > > David J O'Neill
> > > Senior Systems Analyst
> > > State of Oregon
> > > Department of Human Services
> > > Office of Information Services
> > > PH# 503.378.2101 ext. 280
> > > email david.j.oneill_at_state.or.us
> > >
> > > >>> Jonathan Loh <kj6loh_at_yahoo.com> 03/14/05 02:21PM >>>
> > > Ok that's a solution. But what I want to ask you is this. How
much
> > > overhead
> > > does it take to do this? Blocking archive files would be an
easier
> > > method with
> > > little overhead. Possibly with a reply to sender that your site
does
> > > not
> > > accept archive files.
> > > --- Kinnell <kinnell.t_at_gmail.com> wrote:
> > > > On the network I'm a member of we block all exe files sent
inside
> > > the
> > > > rar or zip, so even if it is sent the file will be 0byted.
Wouldn't
> > > > that be a better method? otherwise if you block all bz2, zip,
rar,
> > > > etc... then you will block a lot of useful communication
> > > >
> > > > -Kinnell
> > > >
> > > > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna_at_siscocorp.com
> > > > <adisegna_at_siscocorp.com> wrote:
> > > > > Sean, I have to disagree with you. Any file that that can
> > > encapsulate an
> > > > > executable file should be blocked (IMO). ZIP files are one of
the
> > > > > biggest carriers of malicious content these days. I don't make
it
> > > a
> > > > > habbit of trusting my users no matter how many times they get
> > > trained.
> > > > > RAR extraction tools are not part of the software image policy
on
> > > my
> > > > > network so users are oblivious to the file blocking. What is
your
> > > > > solution?
> > > > >
> > > > > Thanks
> > > > >
> > > > > AD
> > > > > Information Technology Group
> > > > > Security Identification Systems Corporation
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sean Crawford [mailto:sean01_at_accnet.com.au]
> > > > > Sent: Tuesday, March 08, 2005 9:39 PM
> > > > > To: security-basics_at_securityfocus.com
> > > > > Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> -----Original Message-----
> > > > > ---> From: adisegna_at_siscocorp.com
[mailto:adisegna_at_siscocorp.com]
> > > > >
> > > > > ---> Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> I just recently got the same executable inside .rar. I
> > > extracted
> > > > > the
> > > > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01
didn't
> > > find
> > > > > ---> anything (as of 4 days ago). I wasn't about to double
click
> > > this
> > > > > exe on
> > > > > ---> my corporate network. Block the rar extension on your
mail
> > > server.
> > > > > --->
> > > > >
> > > > > rar is a valid compression format...blocking it isn't a very
good
> > > > > solution.
> > > > >
> > > > > 2 cents.
> > > > >
> > > > > Sean
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Small Business - Try our new resources site!
> > > http://smallbusiness.yahoo.com/resources/
> > >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Received on Mar 17 2005
Intro
