Educause Security Discussion mailing list archives

Re: blocking .ZIP attachments


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Sat, 21 Aug 2004 00:33:54 -0500

First, "zip files are frequently high value items": I assume you are
talking about legitimate messages only.  If you factor in ALL zips
received only a very small percentage (~ <10% in our environment) are
not malicious in nature.  Then, even if you do consider only
"legitimate" messages, I'd have to argue that point.  I see just as
many if not more "elfbowling" type attachments than I see work related.

Second, if I was responsible for sending some data with the potential
million dollar price tag, I sure as heck wouldn't rely on just one
single email attempt.  I would FTP or post it to a private HTTP, call
the recipient and make sure they got it.  If the sender/recipient chose
smtp anyways, good user education about your security policies would
have reminded the recipient that filters are in place and if they are
expecting a critical file a phone call isn't out of the question.  It is
the same concept as certified USPS versus standard USPS.  Obviously this
user was expecting this file b/c she came looking for it.  The counter
that "critical" and "unexpected" zip files are a common occurrence just
doesn't cut it to me.  

Third, one individual deciding to censor a phrase is not essentially the
same thing as dropping an attachment b/c of well publicized security
risk.  Albeit I can agree it can definitely be argued the severity of
that risk.

Finally, just auto-renaming the zip file to say .xyz and letting it
through is not a good solution either.  Our help desk as well
as our administrators continue to get flooded by confused users
wondering "what is this warning about my email account" "should I type
in this password?" "why is my.domain management team emailing me" "I
thought this was a virus I just wanted to check".  These socially
engineered bodies are too confusing for users.

Please don't see this as a personal attack on your opinion.  It's just
I've talked through this subject so often I can hardly stand to hear
it anymore so I get a bit riled up.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Barker
Sent: Friday, August 20, 2004 11:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] blocking .ZIP attachments


While many here have reported no problems with deleting ZIP attachments,
I personally have a HUGE issue with it.

ZIP files (or actually attachments in general) are frequently high value
items.  In fact the attachment is frequently the most important part of
any given email message.  For a university to delete all attachments of
a given type as part of policy is to me asking for big trouble.  

Let me give you a specific example of a real problem we actually had.  A
faculty member was collaborating with a colleague at a university in
another part of the world on a large research grant with an upcoming
deadline.  That remote colleague sent our faculty member several
critical files that were zipped for inclusion in their grant proposal.  

Our University deletes the ZIP attachment immediately so the faculty
member here does not get the file.  Our faculty member is irate because
she has a deadline and the person she is dealing with is 5 time zones
away.  But no one in the central computer organization seems to care
much since it is considered good security to delete the attachment. 

Now in our case we were lucky because there still were a few days left
before the deadline and the faculty member had time to recover. She
complained a lot and had some delay, but she did make it.  But what if
the original sender had left on vacation, or they were working right up
to the deadline and the files were lost?  Such a thing could have cost
our university MILLIONS of dollars in lost research funding not to
mention the extreme aggravation and loss of productivity such a policy
caused for the faculty member in question.

I also have an issue with it on other grounds.  What would you think if
your university started deleting specific words or paragraphs from the
text of an email message because some network administrator thought they
were not desirable?  That is a scary and slippery slope, yet we justify
doing essentially the same thing in the name of security with
attachments.

I'm sorry, it just isn't necessary when there is a REALLY simple
alternative.

Most of the folks here have said - we tell our users to change the
extension to something else if they really want to get the attachment
through.  So my question is... why don't we just do that automatically
rather than delete them?

Don't delete the ZIP, rename it yourself automatically when the mail is
received.  It has the same benefit and effect as telling users to do
it, they have less to do and worry about, and there isn't an opportunity
for disaster in the case of a critical ZIP file being deleted when
people aren't aware of your deletion policy in advance.  

Of course the incoming mail scanning software you are using may not have
that ability to rename like it has the ability to delete attachments,
but if that's the case pressure the vendor or look for something else.

That's my two cents but unfortunately I haven't talked the folks on our
end into doing it yet!  ;-)

Scott Barker
Information School
University of Washington
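As an added illustration of the two policies argued over in this thread (rename on receipt, as Scott proposes, versus dropping the attachment outright), the script below is not code from either poster or from any EDUCAUSE system. It uses Python's standard email library to walk a MIME message, flags ZIP attachments by extension, declared type or the PK magic bytes, and either appends a placeholder extension or replaces the part with a visible notice; the sample message, addresses and filenames are constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"   # signature at the start of a ZIP local file header
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
RENAME_SUFFIX = ".xyz"      # placeholder extension, as in the thread

def is_zip_part(part):
    """Flag a part as ZIP by filename, declared MIME type, or leading bytes."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return (name.endswith(".zip") or part.get_content_type() in ZIP_TYPES
            or payload.startswith(ZIP_MAGIC))

def filter_zip_attachments(raw, action="rename"):
    """Apply 'rename' or 'delete' to every ZIP part; return (bytes, log)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    for part in msg.walk():
        if part.is_multipart() or not is_zip_part(part):
            continue
        name = part.get_filename() or "attachment.zip"
        if action == "rename":
            new_name = name + RENAME_SUFFIX
            part.set_param("filename", new_name, header="Content-Disposition")
            part.set_param("name", new_name)          # Content-Type name= param
            log.append(("renamed", name, new_name))
        else:
            # delete policy: drop the archive but leave a marker the user can see
            part.set_content(f"[{name} removed by attachment policy]")
            log.append(("removed", name, None))
    return msg.as_bytes(), log

def attachment_names(raw):
    """Filenames of all parts that still carry a filename, in MIME order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample():
    """Constructed message: a note, a ZIP already renamed to .dat by the
    sender (only the magic bytes give it away), and a plain text attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "colleague@example.org", "faculty@example.edu", "grant files"
    m.set_content("Files attached, deadline Friday.")
    m.add_attachment(ZIP_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="proposal.dat")
    m.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()
```

The magic-byte check is what catches a sender who already changed the extension themselves; note that under the rename policy the message body still reaches the user unchanged, which is the confusion Bryan describes at his help desk.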

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
