Educause Security Discussion mailing list archives
Re: Email Attachment Blocking
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 29 Jan 2009 08:20:40 -0600
Backscattering might be acceptable if you do the proper checks to prevent outscattering. Spam detection might not be a good enough safeguard since undetected virus outbreaks will have a high probability of also not being detected as spam. You would want to make sure the message originated from an authenticated user, and that the env-from isn't forged.

You might want to consider renaming attachments instead of discarding the messages. It is a simpler implementation (depending on your environment), essentially just as secure, and much more user friendly.

Jesse

Miller, Don C. wrote:
I forgot to mention either the sender or recipient which is a part of our domain *and* this check is after a spam check. We have all other notifications turned on and we know this is a potential area of both backscatter and self-spamming. Unfortunately we have had too many cases of just missing messages over the years. :( We still want the protection with the customer friendly notice.

Don

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, January 28, 2009 1:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Email Attachment Blocking

On Tue, 27 Jan 2009 15:21:54 PST, "Miller, Don C." said:

Steve, it is interesting you ask this. For about 5 years we have been blocking exe, js, mdb, com, lnk and a large number of other attachment types without notifying recipients/senders. This week we are hoping to implement an actual notification process to either the sender or recipient

You may want to do a quick check that you don't spam notifications out to a joe-jobbed sender - sending a "We blocked an attachment from you" to a 3rd party who didn't actually *send* an attachment is a good way to end up in a lot of people's spam filters.

http://spamlinks.net/prevent-secure-backscatter.htm

Note the discussion in the 'Preventing backscatter' section - you really need to do reject-during-SMTP, trying to send a bounce after you've accepted the mail is basically doomed to fail.

(It's amazing how many sites are *still* getting this wrong, which is why I'm posting to the list)
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson () doit wisc edu
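
The two safeguards discussed in this thread, as an added example that is not part of the original messages or any poster's own code: renaming blocked attachments instead of discarding the mail, and sending a notice only when the session was authenticated and the envelope sender belongs to that user. The function names, the `.blocked` suffix, the `owned` login-to-address lookup and the action labels are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the thread; a site's real list would be longer.
BLOCKED = {".exe", ".js", ".mdb", ".com", ".lnk"}

def rename_blocked(raw: bytes):
    """Rename blocked attachments (a.exe -> a.exe.blocked) instead of discarding the mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots/spaces, so strip them before checking.
        base = name.rstrip(". ")
        if os.path.splitext(base)[1].lower() not in BLOCKED:
            continue
        new = base + ".blocked"
        # The name can live in either header; update whichever is present.
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        renamed.append(name)
    return msg, renamed

def notice_action(auth_user, env_from, owned):
    """Decide how the sender is told; `owned` maps a login to its addresses (assumed lookup)."""
    if auth_user and env_from.lower() in owned.get(auth_user, set()):
        return "notify-sender"   # authenticated session and env-from not forged
    return "reject-at-smtp"      # refuse in-session; never bounce after accepting

def sample() -> bytes:
    """Constructed message with one blocked and one harmless attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.edu", "bob@example.edu", "files"
    m.set_content("see attached")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    msg, renamed = rename_blocked(sample())
    print(renamed, [p.get_filename() for p in msg.iter_attachments()])
    print(notice_action(None, "alice@example.edu", {"alice": {"alice@example.edu"}}))
```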