
Re: Email virus protection
From: "Crist Clark" <crist.clark () globalstar com>
Date: Thu, 21 Aug 2003 13:56:35 -0700

Dave Howe wrote:

> Crist Clark wrote:
> > Unless your AV software has a clue, like most do, and unzips archives
> > and sees what's inside.
> which is ideal for virus scanning, but not for blanket-blocking of email.
> A zipped archive containing an executable cannot (unless something has
> changed that I don't know about) be automatically opened by any mail
> client - the user must make a deliberate attempt to open the archive then
> execute the attachment (although the actual extraction can be performed
> automatically by many decompression utilities if you double-click an
> executable or document inside its browser)
>
> Automatic opening by Outlook and Outlook Express (I'm not aware of any
> other MUAs that have actually had worms in the wild that do this) has
> actually only been used by a few worms.

As I mentioned in the original mail, this is how Mimail from a week or
two ago spread. An *.htm (not even "executable," whatever that means
on Windows anymore) was inside of a zip.

> there is of course no allowing for the stupidity of users - but if you
> have a stupid enough user you could induce him to bypass any protection

AFAIK, the present scourge of the net, Sobig.F, requires the reader to
"click on it." It's not one of those that takes advantage of Outlook or
IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiosity.
We've been telling them not to do this for several years. They still do
it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file,
whether it is one or two steps. It's too easy for the curious. My goal is
to have the ones who _really_ want to get a "forbidden" extension through
the system need to actually *gasp* use the keyboard to rename the file!
That means they have to save the mangled name to a file, rename it back,
and then "run" it. Ju-ust that little bit of effort is enough to stop 
several nines of the curious. I remember wa-ay back in the Melissa days,
before AV email gateways were widely used, implementing MIMEdefang which
did these simple things. That was, and still is, enough to stop an awful
lot of this junk.

Similarly, if someone wants to zip some things up, mangle the zip extension,
and then send it on through, it's OK with me. That's enough to stop
the curious.
Crist J. Clark                               crist.clark () globalstar com
