Educause Security Discussion mailing list archives
Re: blocking .ZIP attachments
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Sat, 21 Aug 2004 00:33:54 -0500
First, "zip files are frequently high value items" I assume you are talking about legitimate messages only. If you factor in ALL zips received, only a very small percentage (~ <10% in our environment) are not malicious in nature. Then, even if you do consider only "legitimate" messages, I'd have to argue that point. I see just as many if not more "elfbowling" type attachments than I see work related.

Second, if I was responsible for sending some data with the potential million dollar price tag, I sure as heck wouldn't rely on just one single email attempt. I would FTP or post it to a private HTTP, call the recipient and make sure they got it. If the sender/recipient chose SMTP anyways, good user education about your security policies would have reminded the recipient that filters are in place and if they are expecting a critical file a phone call isn't out of the question. It is the same concept as certified USPS versus standard USPS. Obviously this user was expecting this file b/c she came looking for it. The counter that "critical" and "unexpected" zip files are a common occurrence just doesn't cut it to me.

Third, one individual deciding to censor a phrase is not essentially the same thing as dropping an attachment b/c of well publicized security risk. Albeit I can agree it can definitely be argued the severity of that risk.

Finally, just auto-renaming the zip file to say .xyz and letting it through is not a good solution either. Our help desk as well as our administrators continue to get flooded by confused users wondering "what is this warning about my email account", "should I type in this password?", "why is my.domain management team emailing me", "I thought this was a virus I just wanted to check". These socially engineered bodies are too confusing for users.

Please don't see this as a personal attack on your opinion. It's just I've talked through this subject so often I can't hardly stand to hear it anymore so I get a bit riled up.
Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Barker
Sent: Friday, August 20, 2004 11:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] blocking .ZIP attachments

While many here have reported no problems with deleting ZIP attachments, I personally have a HUGE issue with it. ZIP files (or actually attachments in general) are frequently high value items. In fact the attachment is frequently the most important part of any given email message. For a university to delete all attachments of a given type as part of policy is to me asking for big trouble.

Let me give you a specific example of a real problem we actually had. A faculty member was collaborating with a colleague at a university in another part of the world on a large research grant with an upcoming deadline. That remote colleague sent our faculty member several critical files that were zipped for inclusion in their grant proposal. Our University deletes the ZIP attachment immediately so the faculty member here does not get the file. Our faculty member is irate because she has a deadline and the person she is dealing with is 5 time zones away. But no one in the central computer organization seems to care much since it is considered good security to delete the attachment.

Now in our case we were lucky because there still were a few days left before the deadline and the faculty member had time to recover. She complained a lot and had some delay, but she did make it. But what if the original sender had left on vacation, or they were working right up to the deadline and the files were lost? Such a thing could have cost our university MILLIONS of dollars in lost research funding not to mention the extreme aggravation and loss of productivity such a policy caused for the faculty member in question.
I also have an issue with it on other grounds. What would you think if your university started deleting specific words or paragraphs from the text of an email message because some network administrator thought they were not desirable? That is a scary and slippery slope, yet we justify doing essentially the same thing in the name of security with attachments.

I'm sorry, it just isn't necessary when there is a REALLY simple alternative. Most of the folks here have said - we tell our users to change the extension to something else if they really want to get the attachment through. So my question is... why don't we just do that automatically rather than delete them? Don't delete the ZIP, rename it yourself automatically when the mail is received. It has the same benefit and effect as telling users to do it, they have less to do and worry about, and there isn't an opportunity for disaster in the case of a critical ZIP file being deleted when people aren't aware of your deletion policy in advance.

Of course the incoming mail scanning software you are using may not have that ability to rename like it has the ability to delete attachments, but if that's the case pressure the vendor or look for something else.

That's my two cents but unfortunately I haven't talked the folks on our end into doing it yet! ;-)

Scott Barker
Information School
University of Washington

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
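The two gateway policies debated in this thread, deleting ZIP attachments versus renaming them on receipt, shown side by side as an added example that is not part of either post or of any mail product mentioned. The function names, the sample message and its addresses are constructed for illustration; the `.xyz` extension is the one named in the reply above.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_sample() -> bytes:
    """Constructed message with a small ZIP attachment (not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.txt", "constructed sample data")
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "faculty@example.edu"
    msg["Subject"] = "Grant files"
    msg.set_content("Files for the proposal are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="grant.zip")
    return msg.as_bytes()

def is_zip(part) -> bool:
    """Match the .zip extension or the ZIP local-file-header magic bytes."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    return name.endswith(".zip") or data.startswith(b"PK\x03\x04")

def filter_zip(raw: bytes, mode: str, new_ext: str = ".xyz"):
    """mode='delete' drops ZIP parts; mode='rename' keeps them as new_ext."""
    msg = message_from_bytes(raw, policy=policy.default)
    actions = []  # audit trail a gateway would log for the help desk
    for part in list(msg.iter_attachments()):
        if not is_zip(part):
            continue
        name = part.get_filename() or "unnamed"
        if mode == "delete":
            msg.get_payload().remove(part)
            actions.append(("deleted", name))
        else:
            stem = name[:-4] if name.lower().endswith(".zip") else name
            # Rebuild the part so no header still advertises a ZIP;
            # the bytes are unchanged, so the content still reaches the user.
            part.set_content(part.get_payload(decode=True),
                             maintype="application", subtype="octet-stream",
                             filename=stem + new_ext)
            actions.append(("renamed", name, stem + new_ext))
    return msg, actions
```

In rename mode the message body and the archive contents are delivered untouched, which is the gap the reply points to; the `actions` list is what would let a help desk trace a deleted or renamed file back to the sender.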