[unisog] Dropping executables - who does it?
hillman at sfu.ca
Mon Feb 2 23:09:58 GMT 2004
At 02:52 PM 2/2/2004 -0800, you wrote:
>With the fun we are all having with viruses, we are wondering how many
>institutions are just dropping executable attachments all together.
>It's something that I know a lot of virus/mail gateway software can do,
>but are a lot of schools doing that?
>We have a policy to try and deliver as much as possible, but I think we
>are coming up against the practicality of having to protect users.
>Anti-virus companies can create defs pretty fast, but mydoom still
>infected thousands of machines worldwide before they were available.
>Dropping executables (exe, com, pif, scr, bat) would have better
>insulated us, if not protected us (zip).
>Anyone doing that?
We bounce all "illegal extensions" with a 500-series SMTP error code (note,
we do NOT send a message back to the "sender"). In our case, any executable
is an illegal extension - .exe, .com, .pif, etc. However, we can add
anything we want to that string of text, and the scanner we use doesn't
care whether it's actually an extension or not. So to reduce the load on
the virus scanner (illegal extension checking is done before attachments
are virus scanned), I added "ocument.zip", "eadme.zip", and "essage.zip" to
the list of illegal extensions.
It's pretty rare that people actually legitimately try to send a .exe file,
but when they do, they get a bounce back and can then deal with it by
zipping the .exe first - not a big deal, and it lets us reject most new
viruses before the signatures are even out. In the case of this latest
virus, because it came through zipped, it got through our virus scanner for
about 45 minutes. In that 45 minutes, many dozens of machines on campus got
infected by users who had forgotten the golden "don't open attachments" rule.
Steve Hillman hillman at sfu.ca
Senior Systems Administrator (604) 291-3960
Simon Fraser University
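A small Python model of the rule Steve describes, added here as an illustration and not code from the list or from SFU's gateway: attachment names are read from the MIME parts, compared case-insensitively against a suffix list that mixes real extensions with name fragments such as "ocument.zip", and a match yields a 5xx reply at SMTP time rather than a bounce message. The message builder, the sender addresses and the sample file names are constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed suffix list in the spirit of the post: real executable
# extensions plus fragments that match the worm's attachment names.
# The check is a plain end-of-name match, so "document.zip" ends with
# "ocument.zip" while "archive.zip" matches nothing.
ILLEGAL_SUFFIXES = (".exe", ".com", ".pif", ".scr", ".bat",
                    "ocument.zip", "eadme.zip", "essage.zip")


def attachment_names(raw_message: bytes) -> list:
    """Collect file names from every non-container MIME part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition / Content-Type name
        if name:
            names.append(name)
    return names


def check_message(raw_message: bytes, blocklist=ILLEGAL_SUFFIXES):
    """Return (accept, smtp_reply).

    Run before virus scanning; a hit is refused in the SMTP dialogue with
    a permanent 5xx code, so no separate bounce is ever generated.
    """
    for name in attachment_names(raw_message):
        lowered = name.strip().lower()
        for suffix in blocklist:
            if lowered.endswith(suffix):
                return False, f"550 5.7.1 Attachment {name!r} matches illegal extension rule {suffix!r}"
    return True, "250 2.0.0 OK"


def build_sample(filename: str) -> bytes:
    """Constructed test message with a single binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.edu"
    msg["To"] = "bob@example.edu"
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```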