Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Email virus protection

  • From: Crist Clark
  • Date: Thu Aug 21 17:02:10 2003

Dave Howe wrote:
> Crist Clark wrote:
> > Unless your AV software has a clue, like most do, and unzips archives
> > and see what's inside.
> which is ideal for virus scanning, but not for blanket-blocking of email.
> A zipped archive containing an executable cannot (unless something has
> changed that I don't know about) be automatically opened by any mail
> client - the user must make a deliberate attempt to open the archive then
> exectute the attachment (although the actual extraction can be performed
> automatically by many decompression utilities if you double-click an
> executable or document inside its browser)

Automatic opening by Outlook and Outlook Express (I'm not aware of any
other MUAs that have actually had worms in the wild that do this) has
actually only been used by a few worms.

As I mentioned in the original mail, this is how Mimail from a week or
two ago spread. An *.htm (not even "executable," whatever that means
on Windows anymore) was inside of a zip.

> there is of course no allowing for the stupidity of users - but if you
> have a stupid enough user you could induce him to bypass any protection
> anyhow.

AFAIK, the present scurge of the net, Sobig.F, requires the reader to
"click on it." It's not one of those that takes advantage of Outlook or
IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiousity.
We've been telling them not to do this for several years. They still do
it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file,
whether it is one or two steps. It's too easy for the curious. My goal is
to have the ones who _really_ want to get a "forbidden" extension through
the system need to actually *gasp* use the keyboard to rename the file!
That means they have to save the mangled name to a file, rename it back,
and then "run" it. Ju-ust that little bit of effort is enough to stop 
several nines of the curious. I remember wa-ay back in the Melissa days,
before AV email gateways were widely used, implementing MIMEdefang which
did these simple things. That was, and still is, enough to stop an awful
lot of this junk.

Similarly, if someone wants to zip some things up, mangle the zip extension,
and the then send it on through, it's OK with me. That's enough to stop
the curious.
Crist J. Clark                     

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.