[Dshield] Delayed Attachment Delivery?

Shawn Cox shawn.cox at pcca.com
Mon Mar 1 15:53:18 GMT 2004


You can scan all day recursively through a .zip file, but if you haven't
gotten a virus signature from your vendor you are just going to pass the
virus right through your gateway.  This is exactly why MyDoom was so big.
Most businesses actually use .zip for business functionality, so it
wasn't blocked at the gateway, and there was a 1-2 hour window where
the virus was not detected by any of the vendors.  A modern virus can do
a lot of spreading within 2 hours...

--Shawn

----- Original Message ----- 
From: "SGray" <SGray at medford.k12.nj.us>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, March 01, 2004 8:33 AM
Subject: RE: [Dshield] Delayed Attachment Delivery?


> I personally use the Symantec Gateway product for this functionality.
> It tosses attachments that I designate and more importantly also opens
> zipped attachments to search for these files.  Zipped files should
> almost always be inspected just as your attachments are.
>
> -----Original Message-----
> From: Lewis Wolfgang [mailto:wolfgang at sweet-haven.com]
> Sent: Friday, February 27, 2004 11:58 PM
> To: list at dshield.org
> Subject: [Dshield] Delayed Attachment Delivery?
>
> Hi Folks,
>
> I work at a facility that processes more than 100,000
> incoming email messages per day.  Twice this week we've
> been compromised by viruses that managed to sneak in
> before the virus signatures recognized the infections
> (Netsky.c and Bagle.c).  The "zero day" effect has
> turned into a "zero hour" problem.
>
> It would seem that if certain executable attachments could
> be delayed for a few hours before delivery we'd have some
> breathing room to allow the virus signatures time to
> settle in.  Known dangerous filetypes (and double-extent
> filenames) could be thrown away right away.  Zipped
> executables would be the candidates for delayed delivery.
>
> Does anyone have any thoughts or recommendations?
>
> Regards,
> Lew Wolfgang
>
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>
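The delayed-delivery policy proposed in the original question, sketched as an added example that is not from any poster in this thread or from a product they mention: bare executables (including double-extension names) are dropped, zips that contain an executable or cannot be inspected are held, and everything else is delivered. The extension list, the 3-hour hold, the depth and size limits, and all function names are assumptions.

```python
import io
import zipfile
from datetime import datetime, timedelta, timezone

# Assumed policy values; the thread names no specific extensions or hold time.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
HOLD_FOR = timedelta(hours=3)          # "a few hours" for signatures to arrive
MAX_DEPTH = 3                          # nested-zip recursion limit
MAX_NESTED_BYTES = 10 * 1024 * 1024    # do not unpack huge inner archives

def is_executable_name(name):
    # Trailing dots/spaces are stripped so "a.exe." still matches.
    return name.lower().rstrip(". ").endswith(EXECUTABLE_EXTS)

def zip_needs_hold(data, depth=0):
    """True if the archive holds an executable or cannot be fully inspected."""
    if depth >= MAX_DEPTH:
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if is_executable_name(info.filename):
                    return True
                if info.flag_bits & 0x1:          # encrypted member: contents unscannable
                    return True
                if info.filename.lower().endswith(".zip"):
                    if info.file_size > MAX_NESTED_BYTES:
                        return True
                    if zip_needs_hold(zf.read(info), depth + 1):
                        return True
    except (zipfile.BadZipFile, RuntimeError):
        return True                               # unreadable archive: hold, don't pass
    return False

def triage(filename, data, received):
    """Return (action, release_time) for one attachment."""
    if is_executable_name(filename):
        return ("drop", None)                     # also covers names like a.doc.pif
    if filename.lower().endswith(".zip") and zip_needs_hold(data):
        return ("hold", received + HOLD_FOR)      # rescan with fresh signatures at release
    return ("deliver", None)

if __name__ == "__main__":
    buf = io.BytesIO()                            # constructed sample attachment
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"MZ constructed sample")
    now = datetime(2004, 3, 1, 15, 0, tzinfo=timezone.utc)
    print(triage("message.zip", buf.getvalue(), now))
```

As the reply at the top of the thread points out, the hold only helps if the held file is rescanned with updated signatures at release time; releasing on the timer alone just postpones the delivery.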



