Educause Security Discussion mailing list archives

Re: blocking .ZIP attachments


From: John C Borne <jcb () LSU EDU>
Date: Thu, 19 Aug 2004 22:20:52 -0500

All,

Thanks for the feedback and ideas. Joe, I like your idea of sending the
husk of the email through and yes, please do send specifics on what you're
doing to me at jcb () lsu edu.

A little more background on what we have in place now. We are running
Sophos PureMessage in our outer SMTP layer and Symantec AV for Domino on
our inner layer. We are still in implementation of Sophos so we haven't
explored everything with it. We do have a site agreement for Norton at the
desktop, but no campus-wide policy requiring its use as I noticed in one of
the other replies.

Thanks.

John Borne
Louisiana State University


Joe St Sauver <JOE@OREGON.UOREGON.EDU>
To: jcb () lsu edu
Subject: Re: [SECURITY] blocking .ZIP attachments
08/19/2004 06:08 PM

Hi John,

#We have a problem with viruses penetrating the campus "under the radar" so
#to speak. Before a new virus is detected and the anti-virus update is
#written, received, and distributed, we have a window of vulnerability.

Have you considered supplementing your A/V product with an attachment
defanging/stripping/quarantining system? (see
http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf, p. 7)

#In the past we have lost a considerable amount of time repairing these
#outbreaks. The vector for many of these infections has been through
#attachments, especially .ZIPs. At first we were intermittently blocking
#.zip and other attachments, going back and forth between blocking and
#accepting as each new virus appeared. We found that keeping the zips
#blocked had a big impact on minimizing the impact of new viruses.

You may see equal value from defanging them (e.g., basically tacking a
.txt extension on the end of the filename), although that still results
in a tremendous amount of potential wasted space.

#Before I propose this to the
#administration, I wanted to see if anyone could comment on whether they
#are, or are not, blocking zips and other attachments and if not, what
#other solutions they have considered.

We block/quarantine some stuff outright (.pif, .scr, .cpl), strip some
other executables (still delivering the message "husk" explaining what's
been done), and defang other categories. If you're interested, I'd be happy
to send along more specifics...

Regards,

Joe
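
The block/strip/defang scheme Joe outlines, written out with Python's standard-library email package as an added example (not code from the list, and not from PureMessage or any other product named in the thread); the extension lists, the sample message and the husk wording are constructed assumptions:

```python
"""Extension-based block / strip / defang mail filter, in the spirit of Joe's reply.
Added example; policy table, sample message and husk wording are constructed assumptions."""
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed policy table: extension -> action (Joe's three categories)
POLICY = {".pif": "block", ".scr": "block", ".cpl": "block",   # quarantine whole message
          ".exe": "strip", ".com": "strip", ".bat": "strip",   # drop file, deliver husk
          ".zip": "defang"}                                    # rename so it won't auto-open

def classify(filename: str) -> str:
    return POLICY.get(PurePosixPath(filename.lower()).suffix, "pass")

def filter_message(msg: EmailMessage):
    """Return (message to deliver, notes); the message is None when quarantined."""
    actions = [(p.get_filename() or "unnamed", p) for p in msg.iter_attachments()]
    blocked = [n for n, _ in actions if classify(n) == "block"]
    if blocked:
        return None, ["quarantined: " + ", ".join(blocked)]
    notes = [f"stripped {n}" for n, _ in actions if classify(n) == "strip"]
    notes += [f"renamed {n} to {n}.txt" for n, _ in actions if classify(n) == "defang"]
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        if h in msg:
            out[h] = str(msg[h])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if notes:  # the "husk": original text plus an explanation of what was done
        text += "\n[attachment filter] " + "; ".join(notes) + "\n"
    out.set_content(text)
    for name, p in actions:
        action = classify(name)
        if action == "strip":
            continue
        maintype, subtype = p.get_content_type().split("/", 1)
        if action == "defang":  # tack .txt on so the desktop will not run/open it
            name, maintype, subtype = name + ".txt", "application", "octet-stream"
        out.add_attachment(p.get_payload(decode=True), maintype=maintype,
                           subtype=subtype, filename=name)
    return out, notes

def build_sample() -> EmailMessage:
    """Constructed test message: a zip, an exe and a jpeg attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.edu", "b@example.edu", "files"
    msg.set_content("See attached.\n")
    for data, mt, st, fn in [(b"PK\x03\x04", "application", "zip", "report.zip"),
                             (b"MZ", "application", "octet-stream", "setup.exe"),
                             (b"\xff\xd8", "image", "jpeg", "photo.jpg")]:
        msg.add_attachment(data, maintype=mt, subtype=st, filename=fn)
    return msg
```

The extension is chosen by the sender, so a gateway would pair this with content inspection of the attachment itself rather than trust the filename alone.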

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
