[unisog] Dropping executables - who does it?

Paul Russell prussell at nd.edu
Tue Feb 3 03:25:57 GMT 2004

Thomas DuVally wrote:

> With the fun we are all having with viruses, we are wondering how many
> institutions are just dropping executable attachments all together. 
> It's something that I know a lot of virus/mail gateway software can do,
> but are a lot of schools doing that?

For a short period of time, our central mail servers were configured to delete
executable attachments from email messages. As a result of complaints from
faculty, IT management instructed us to find another way to deal with the
potential risks of executable attachments in email.

Our central mail servers run Sendmail Switch 3.1.3 + MIMEDefang + McAfee uvscan
+ SpamAssassin on Solaris 8. Attachments which uvscan identifies as malicious
are discarded. Executable attachments which are not identified as malicious
are renamed by appending '_unknown' to the file name. For example, 'trojan.exe'
becomes 'trojan.exe_unknown'. We rename based on the filename extension, and
there are approximately 70 extensions on the list. During the 48 hour period
ending at midnight last night, the servers renamed 253 attachments, including
135 .zip, 21 .dll, 17 .pif, 16 .scr, 16 .exe, and 15 .adp.

When an attachment is renamed, a MIME part is inserted at the top of the message
advising the recipient that the attachment has been renamed and warning the
recipient of the potential risks of executing files which arrive by email. The
recipient can save the attachment as a seperate file, rename it, and launch it,
however, it will not be launched automatically by the user's email client. It
is a compromise. We may deliver malicous content, but we make the user work to
execute it.

Paul Russell
Senior Systems Administrator
University of Notre Dame

More information about the unisog mailing list