[Dshield] Delayed Attachment Delivery?

John Hardin johnh at aproposretail.com
Tue Mar 2 20:40:27 GMT 2004

On Tue, 2004-03-02 at 06:13, Christophe Rome wrote:
> What's the next step? Delaying 'suspicious'
> attachments doesn't seem smart businesswise. Do we
> really need to block all attachments coming in through
> e-mail and find another way to get these important
> files reach our end-users? 

Do you really need to provide the ability for random people out in the
world to send zipped executable attachments to all your users?

If you have some subset of users with a legitimate business reason to
receive such files from known correspondents, then you can proactively
filter pretty easily on what's permitted and block the rest.

If you do need to accept executable attachments (zipped or not) from the
world at large, then only do so at a specific email address, and block
them for everybody else; then thoroughly check the attachments sent to
that one address, ideally from a non-target OS, like Linux or Mac OS,
using a non-target mail client. A large part of the vetting can be
automated (e.g. A/V scanners), and what passes can be inspected by a
human who can judge "this dreck looks like an attack - I'll (discard it
| delay it to give the AV signatures a chance to update)" or "this looks
clean, it should go to XXX for handling".

Not all attachments are evil. Macro viruses have withered so documents
and such don't require a great deal of paranoia any more, and images are
safe (modulo the IE Bitmap overflow bug discovered thanks to the Win2K
source code leak... :). Sound files can be trojaned, and accepting them
as email attachments in the first place is a policy decision. But do you
*really* need to permit all of your users to accept executable file
attachments from random people worldwide?

These comments are, of course, directed at business admins. ISPs and
.EDUs have their own very different rules. Don't forget, email at a
business is a tool to get business done. If some freedom needs to be
given up to secure that tool and prevent major losses to the business
(downtime, lost data, etc), so be it - the ability of the users to get
the latest Elf Bowling from their friends shouldn't even be a
consideration, and any corporate officer worth their paycheck will see
that this applies to them as well.

(Am I repeating this rant too often?)

John Hardin  KA7OHZ
Internal Systems Administrator/Guru               voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 Libertarian at home, Fascist Email Nazi at work

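One way to implement the policy the post describes (executables, zipped or not, permitted only for designated recipients from known correspondents; everyone else's go to a single vetting address for A/V and human review, or are rejected), written as an added Python example that is not part of the original post or the list. The addresses, the extension list and the allow-list are assumptions; the sample message is constructed inline.

```python
import email, io, zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions treated as executable content (assumed list for this example).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Hypothetical allow-list: recipient -> senders permitted to send executables.
ALLOWED = {"build@example.com": {"vendor@partner.example"}}
# Hypothetical single address that accepts executables from anyone for vetting.
VETTING_ADDRESS = "vet-attachments@example.com"

def is_executable(filename: str, data: bytes) -> bool:
    """True for an executable file or a zip that contains one (nested zips count)."""
    name = filename.lower()
    if name.endswith(EXEC_EXT):
        return True
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(is_executable(n, b"") for n in zf.namelist())
        except zipfile.BadZipFile:
            return True  # unreadable or nested archive: treat as suspicious
    return False

def decide(raw: bytes) -> tuple[str, str]:
    """Classify one message: 'deliver', 'quarantine' (hold for review) or 'reject'."""
    msg = email.message_from_bytes(raw, policy=default)
    sender = msg["From"].addresses[0].addr_spec.lower()
    recipient = msg["To"].addresses[0].addr_spec.lower()
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not is_executable(fname, part.get_payload(decode=True) or b""):
            continue
        if recipient == VETTING_ADDRESS:
            return "quarantine", f"{fname}: hold for A/V and human review"
        if sender in ALLOWED.get(recipient, set()):
            return "deliver", f"{fname}: approved sender for this recipient"
        return "reject", f"{fname}: executable from unapproved sender"
    return "deliver", "no executable attachments"

def build_sample(sender: str, recipient: str, zipped_exe: bool) -> bytes:
    """Constructed sample message with a zip holding an .exe (or a harmless .txt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe" if zipped_exe else "invoice.txt", b"sample")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "invoice"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)
```

Run `decide(build_sample(...))` with different sender/recipient pairs to see the three verdicts; an unreadable archive is deliberately treated as executable so a corrupt zip cannot slip past the check.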