[unisog] Dropping executables - who does it?

Joseph Tam tam at math.ubc.ca
Thu Feb 5 03:47:29 GMT 2004


We do it.  We went through the entire spectrum, going from

	1) Allowing everything and trying to educate the user as well as
	we could.  You can guess that it wasn't totally effective, so we
	went to ...

	2) Attachment renaming.  This worked amazingly well (except those
	that used social engineering like "Please open this zip file ...").
	Users then complained about having to delete all these renamed
	attachments, since most (all?) were viruses anyway.  So we went to ...

	3) Banning harmful attachments outright.  We dropped any attachment
	with one of the extensions listed in

		http://support.microsoft.com/support/kb/articles/Q262/6/17.ASP

	as well as some particular Zip filenames like "message.zip", etc.

I'm glad we did 3) because this came just before Sobig came onto the scene.
This thing came in so fast and furious at our mail site that even if
absolutely no recipient of ours got infected, it would have still resulted
in mail DoS because users would have exceeded their mail quotas.  Indeed,
at the end of the Sobig infection, it could have potentially filled up the
mail spool, resulting in DoS for everybody.

I haven't received any complaints from our users about getting .exe, etc.
dropped and I would say that nearly all the attachments we've rejected were
malware of some sort.

I did receive one complaint about banning .zip attachments in anticipation
of the MyDoom viruses, and I'm still on the bubble on whether this is really
useful since my mail logs don't show an overwhelming onslaught of .zip files.
I may reverse my decision on allowing this type of attachment.

In defense against some of the criticisms of banning attachments, namely that

	i) It's a violation of freedom of expression.  I think this is
	nonsense.  You can still Email a virus if you want and rename
	it ".dat" or whatever.  I'm just making it hard for automatic
	execution of potentially harmful content.

	I also put size limits on incoming mail (I get more complaints
	about this than dropping attachments), yet no one complains
	that it's a violation of their freedom of expression as they realise
	it's a good policy to encourage efficient usage of resources, as
	well as trying to protect others' right to the same freedom
	by not having one individual hog up all the shared resources.

	In the extreme case of Sobig, it wasn't a choice between accepting
	attachments or not, but getting (useful) mail or not.

	ii) False positives -- I'm sure there were a few cases, but it wasn't an
	insurmountable problem as most people just renamed their files and sent
	them again.  The one thing I like about this non-discretionary approach
	to banning attachments is that it is robust.  I can get protection from
	brand new viruses (just as long as it uses one of the extensions in
	the URL above) and it doesn't become a race between updating
	the AV dictionaries and receiving the first virus.

Joseph Tam tam(at)math.ubc.ca
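The rename-vs-drop attachment policy the post describes (stages 2 and 3), as an added example that is not from the post or from the math.ubc.ca mail setup. The extension set is an assumed subset of the Microsoft KB list the post links; "message.zip" is the one filename the post names, and the sample message is constructed here.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed subset of the "Level 1" extensions in the KB article the post cites
# (assumption for illustration; the real list is longer).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta", "lnk"}
# Exact filenames to drop regardless of type; "message.zip" is from the post.
BLOCKED_FILENAMES = {"message.zip"}

def verdict_for(filename):
    """Return 'drop' if the attachment name matches policy, else 'allow'.
    Lower-cases and strips trailing dots/spaces so 'VIRUS.EXE' and
    'report.txt.exe ' (double extension, trailing blank) are both caught."""
    name = filename.strip().rstrip(". ").lower()
    if name in BLOCKED_FILENAMES:
        return "drop"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return "drop" if ext in BLOCKED_EXTENSIONS else "allow"

def apply_policy(raw, mode="drop"):
    """Parse a raw RFC 822 message; 'drop' removes matching attachments
    (stage 3), 'rename' appends .txt so they no longer auto-execute (stage 2).
    Returns (message, log) where log is a list of (action, filename)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    if not msg.is_multipart():
        return msg, log
    kept = []
    for part in msg.iter_parts():
        fn = part.get_filename()
        if fn and verdict_for(fn) == "drop":
            if mode == "rename":
                # set_param quotes the value, so odd characters in fn stay safe
                part.set_param("filename", fn + ".txt",
                               header="Content-Disposition", replace=True)
                log.append(("rename", fn))
                kept.append(part)
            else:
                log.append(("drop", fn))
            continue
        kept.append(part)
    msg.set_payload(kept)  # rebuild the multipart without the dropped parts
    return msg, log

def sample_message():
    """Constructed test message (not real mail): a body plus four attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Please open this"
    m.set_content("Please open the attached files.")
    m.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ stub", maintype="application", subtype="octet-stream", filename="Photos.EXE")
    m.add_attachment(b"PK stub", maintype="application", subtype="zip", filename="message.zip")
    m.add_attachment(b"MZ stub", maintype="application", subtype="octet-stream", filename="report.txt.exe")
    return m.as_bytes()
```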
