Educause Security Discussion mailing list archives

Re: Anyone seeing CLSID files being mailed


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 24 Mar 2004 09:59:43 -0500

The JMU E-mail system removed a HIGH RISK attachment from this message.
The name of the file(s) removed was "an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}" .

Microsoft Windows hides file names which sometimes makes it difficult
to trust or rename them. A simple configuration change will prevent this
from happening with most files:
http://www.jmu.edu/computing/security/index.shtml#rename

If you wish to receive this file, ask the sender to rename it with a
different extension before sending it to you. For example, ask them
to rename "file.exe" to "file.jmu". When you receive the file, restore
the original name.

A list of high risk attachments blocked by the JMU
E-mail system can be viewed at:
http://secureweb.jmu.edu/computing/security/existing.shtml

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Gary Dobbins wrote:

> In the context of renaming 'dangerous' filename extensions in central
> email (to reduce viral propagation), we're curious if anyone's yet
> seeing 'CLSID' files?

I've had a simplistic filter for those in our mail gateways
for a couple years with only a couple hits in that time. No
hits in the past several months. I'm treating them like any
other high risk attachment. Currently, our mail software will
only allow us to strip them, not rename them.

I'll attach one to this so you can see what happens.

I'm reluctant to give details because hours after I
gave details about reflexive UDP filtering on this list
a couple days ago, we saw both internal and external
traffic of the type under discussion pick up
considerably.  It may have been a coincidence but I've
had bad experiences in the past with that sort of
correlation between public postings and related incidents.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
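
A gateway-side check of the kind discussed in this thread, as an added example that is not part of the original post and not JMU's filter: it flags MIME parts whose file name ends in a brace-wrapped CLSID. The function name, the regular expression and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Final extension is a brace-wrapped CLSID (8-4-4-4-12 hex digits). Trailing
# dots or spaces are tolerated because Windows drops them from file names.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}[. ]*$"
)

def clsid_attachments(raw_message):
    """Return the names of MIME parts whose file name ends in a CLSID."""
    hits = []
    for part in message_from_string(raw_message).walk():
        # get_filename() reads the Content-Disposition "filename" parameter
        # and falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and CLSID_SUFFIX.search(name):
            hits.append(name)
    return hits

# Constructed sample message: addresses and file names are made up, and the
# CLSID is the one shown in the gateway notice quoted in the post.
SAMPLE = """\
From: sender@example.edu
To: user@example.edu
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}"

x
--b1
Content-Type: application/octet-stream; name="report.doc.{2227a280-3aea-1069-a2de-08002b30309d}"

x
--b1--
"""

if __name__ == "__main__":
    for name in clsid_attachments(SAMPLE):
        print("high risk attachment:", name)
```
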

