Educause Security Discussion mailing list archives
Re: blocking .ZIP attachments
From: John C Borne <jcb () LSU EDU>
Date: Thu, 19 Aug 2004 22:20:52 -0500
All,

Thanks for the feedback and ideas. Joe, I like your idea of sending the husk of the email through and yes, please do send specifics on what you're doing to me at jcb () lsu edu.

A little more background on what we have in place now. We are running Sophos PureMessage in our outer SMTP layer and Symantec AV for Domino on our inner layer. We are still in implementation of Sophos so we haven't explored everything with it. We do have a site agreement for Norton at the desktop, but no campus-wide policy requiring its use as I noticed in one of the other replies.

Thanks.

John Borne
Louisiana State University

Joe St Sauver <JOE@OREGON.UOREGON.EDU>
To: jcb () lsu edu
cc:
Subject: Re: [SECURITY] blocking .ZIP attachments
08/19/2004 06:08 PM

Hi John,

#We have a problem with viruses penetrating the campus "under the radar" so
#to speak. Before a new virus is detected and the anti-virus update is
#written, received, and distributed, we have a window of vulnerability.

Have you considered supplementing your A/V product with an attachment defanging/stripping/quarantining system? (see http://darkwing.uoregon.edu/~joe/emailsecurity/email-security.pdf at pp 7)

#In the past we have lost a considerable amount of time repairing these
#outbreaks. The vector for many of these infections has been through
#attachments especially .ZIP's. At first we were intermittently blocking
#.zip and other attachments; going back and forth between blocking and
#accepting as each new virus appeared. We found that keeping the zip's
#blocked had a big impact on minimizing the impact of new virii.

You may see equal value from defanging them (e.g., basically tacking a .txt extension on the end of the filename), although that still results in a tremendous amount of potential wasted space.

#Before I propose this to the
#administration, I wanted to see if anyone could comment on whether they
#are, or are not, blocking zip's and other attachments and if not, what
#other solutions they have considered.

We block/quarantine some stuff outright (pif's, scr's, cpl's), strip some other executables (still delivering the message "husk" explaining what's been done), and defang other categories. If you're interested, I'd be happy to send along more specifics...

Regards,

Joe

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
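The three-tier policy described in the message above (quarantine outright, strip but deliver the husk, defang by appending .txt), sketched as an added example that is not part of the original thread or either site's configuration. Only the .pif/.scr/.cpl tier comes from the post; the STRIP and DEFANG extension sets, the notice wording and all function names are assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

QUARANTINE = {".pif", ".scr", ".cpl"}  # named in the post as blocked/quarantined outright
STRIP = {".exe", ".com", ".bat"}       # assumption: the "other executables" that get stripped
DEFANG = {".zip"}                      # assumption: a category that gets defanged

def classify(filename):
    """Map an attachment filename to quarantine / strip / defang / pass."""
    # Use the last extension (report.pdf.scr -> .scr), ignoring case and
    # the trailing dots or spaces that Windows drops when saving a file.
    ext = os.path.splitext(filename.lower().rstrip(". "))[1]
    for action, exts in (("quarantine", QUARANTINE), ("strip", STRIP), ("defang", DEFANG)):
        if ext in exts:
            return action
    return "pass"

def named_parts(msg):
    """Leaf MIME parts that carry a filename, at any nesting depth."""
    return [p for p in msg.walk() if not p.is_multipart() and p.get_filename()]

def filter_message(raw):
    """Return (verdict, message or None, [(filename, action), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = named_parts(msg)
    actions = [(p.get_filename(), classify(p.get_filename())) for p in parts]
    if any(action == "quarantine" for _, action in actions):
        return "quarantine", None, actions       # hold the whole message
    for part, (name, action) in zip(parts, actions):
        if action == "strip":                    # deliver the husk with a notice
            part.set_content(f"[Attachment {name!r} removed by mail gateway policy.]\n")
        elif action == "defang":                 # same bytes, inert filename
            data = part.get_payload(decode=True)
            part.set_content(data, maintype="application",
                             subtype="octet-stream", filename=name + ".txt")
    return "deliver", msg, actions

def build_sample(filenames):
    """Constructed test message with one dummy attachment per filename."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "user@example.edu"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    for fn in filenames:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()
```
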