Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: E-Mail viruses
From: Cael Abal <lists2 () onryou com>
Date: Fri, 05 Mar 2004 18:52:58 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Curt Purdy wrote:

Personally I'd dispute this solution's elegance, anything
which requires substantial user behaviour change (and doesn't
drastically improve the virus/worm situation across the board)
is an ugly kludge.

I would say that completely eliminating all virus infected
attachments, past/present/future without any further interaction by IT
dramatically improve the virus/worm situation across the board.

The problem is, though, you're training your users and customers (likely
at significant expense) to use some bizarre munging method to satisfy
the whims of your particular mail gateway.

Although it will stem the flow of incoming automated worms/viruses on
your end, this will not help reduce virus/worm propagation anywhere else.

This, to me, is not what I would call dramatically improving the
virus/worm situation across the board.

Think about the implementation nightmare.  What will you do when someone
attempts to send an attachment to one of your users?  Will you fire off
an automated response, instructing them to use your .xyz solution?  How
will you prevent sending notifications to forged From: addresses?

Will you instead simply silently kill all attachments, passing the body
of the message -- that's ugly too, it requires the recipient to notify
the sender their attachment was blocked, describe your solution to them,
and hope the attachment gets resent.  Do you trust your users to
accurately describe file renaming to other users?  Are your users
comfortable with the variety of OSes still out there?  Are your users
smart enough to realize they shouldn't start renaming attachments they
send to other folks?

Also, keep in mind your users will still get hammered by all those
annoying e-mail virus/worm messages (sans executables), unless you also
continue to implement an anti-virus scanner.  Didn't you hope to be rid
of that?

Finally, what if you decide to change procedure in the future?
Everything you've taught your users is completely useless to them, all
that time and effort ends up being a complete writeoff, and you'll have
to *untrain* them all.

Your idea is interesting and certainly deserves further thought and
discussion, but it's no panacea.  Instead of implementing this
particular solution (with all its costs), I'd instead recommend Old
Faithful:

1) Continue following industry Best Practices.
2) Educate your users as best you can.

In my mind this is much, much better (for everyone) in the long run.

Sincerely,

Cael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFASRLaR2vQ2HfQHfsRAn2lAKCLVmeuD+RyFnccu88K8jWDXP0qHACfXlj1
ysYMFduEuVon2BUgdKhtwgk=
=/sDh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault