[unisog] Dropping executables - who does it?]

Steve Hillman hillman at sfu.ca
Mon Feb 2 23:09:58 GMT 2004


At 02:52 PM 2/2/2004 -0800, you wrote:

>With the fun we are all having with viruses, we are wondering how many
>institutions are just dropping executable attachments all together.
>It's something that I know a lot of virus/mail gateway software can do,
>but are a lot of schools doing that?
>
>We have a policy to try and deliver as much as possible, but I think we
>are coming up against the practicality of having to protect users.
>Anti-virus companies can create defs pretty fast, but mydoom still
>infected thousands of machines worldwide before they were available.
>Dropping executables (exe, com, pif, scr, bat) would have been better
>insulated us, if not protected (zip).
>
>Anyone doing that?

We bounce all "illegal extensions" with a 500-series SMTP error code (note, 
we do NOT send a message back to the "sender"). In our case, any executable 
is an illegal extension - .exe, .com. pif, etc. However, we can add 
anything we want to that string of text, and the scanner we use doesn't 
care whether it's actually an extension or not. So to reduce the load on 
the virus scanner (illegal extension checking is done before attachments 
are virus scanned), I added "ocument.zip", "eadme.zip", and "essage.zip" to 
the list of illegal extensions.

It's pretty rare that people actually legitimately try to send a .exe file, 
but when they do, they get a bounce back and can then deal with it by 
zipping the .exe first - not a big deal, and it lets us reject most new 
viruses before the signatures are even out. In the case of this latest 
virus, because it came through zipped, it got through our virus scanner for 
about 45 minutes. In that 45 minutes, many dozens of machines on campus got 
infected by users who had forgotten the golden "don't open attachments" rule.


Steve Hillman                           hillman at sfu.ca
Senior Systems Administrator            (604) 291-3960
Simon Fraser University



More information about the unisog mailing list