[unisog] Dropping executables - who does it?
tam at math.ubc.ca
Thu Feb 5 03:47:29 GMT 2004
We do it. We went through the entire spectrum, going from
1) Allowing everything and trying to educate the user as well as
we could. You can guess that it wasn't totally effective, so we
went to ...
2) Attachment renaming. This worked amazingly well (except for those
that used social engineering like "Please open this zip file ...").
Users then complained about having to delete all these renamed
attachments, since most (all?) were viruses anyway. So we went to ...
3) Banning harmful attachments outright. We dropped any attachment
with one of the extensions listed in
as well as some particular Zip filenames like "message.zip", etc.
I'm glad we did 3) because this came just before Sobig came onto the scene.
This thing came in so fast and furious at our mail site that even if
absolutely no recipient of ours got infected, it would have still resulted
in mail DoS because users would have exceeded their mail quotas. Indeed,
at the end of the Sobig infection, it could have potentially filled up the
mail spool, resulting in DoS for everybody.
I haven't received any complaints from our users about getting .exe, etc.
dropped and I would say that nearly all the attachments we've rejected were
malware of some sort.
I did receive one complaint about banning .zip attachments in anticipation
of the MyDoom viruses, and I'm still on the bubble on whether this is really
useful since my mail logs don't show an overwhelming onslaught of .zip files.
I may reverse my decision on allowing this type of attachment.
In response to some of the criticisms of banning attachments, namely that
i) It's a violation of freedom of expression. I think this is
nonsense. You can still email a virus if you want and rename
it ".dat" or whatever. I'm just making it hard for automatic
execution of potentially harmful content.
I also put size limits on incoming mail (I get more complaints
about this than dropping attachments), yet no one complains
that it's a violation of their freedom of expression as they realise
it's a good policy to encourage efficient usage of resources, as
well as trying to protect others' right to the same freedom
by not having one individual hog up all the shared resources.
In the extreme case of Sobig, it wasn't a choice between accepting
attachments or not, but getting (useful) mail or not.
ii) False positives -- I'm sure there were a few cases, but it wasn't an
insurmountable problem as most people just renamed their files and sent
them again. The one thing I like about this non-discretionary approach
to banning attachments is that it is robust. I can get protection from
brand new viruses (just as long as they use one of the extensions in
the URL above) and it doesn't become a race between updating
the AV dictionaries and receiving the first virus.
Joseph Tam tam(at)math.ubc.ca
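The two filtering stages the post describes (stage 2: defuse by renaming; stage 3: drop outright by extension or by a specific filename such as "message.zip") as a standalone message filter. This is an added example, not code from the post or from the math.ubc.ca mail site. The extension list is a constructed sample, since the post's link to its list did not survive; "message.zip" is the one banned filename the post names; the sample messages are constructed inline. Looking inside zip attachments for banned members goes beyond the post's filename-only rule and is marked as such.

```python
"""Attachment policy filter: stage 2 (rename) and stage 3 (drop).

Added example, not the post's code. BANNED_EXTENSIONS is a constructed
sample (the post's list URL did not survive); zip member inspection is an
extension of the post's filename-based rule, not something the post did.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Constructed sample of extensions that Windows/mail clients execute on open (assumption).
BANNED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg", "msi",
}
BANNED_FILENAMES = {"message.zip"}   # specific archive names the post dropped outright
RENAME_SUFFIX = ".txt"               # stage-2 policy: append a harmless suffix (assumption)


def extension_of(name):
    """Last extension of a lowercased filename, ignoring trailing dots/spaces."""
    name = name.rstrip(". ")
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_banned_name(name):
    """True if the filename itself is banned or its last extension is (case-insensitive)."""
    name = name.strip().lower()
    return name in BANNED_FILENAMES or extension_of(name) in BANNED_EXTENSIONS


def zip_has_banned_member(payload):
    """Look inside a zip for members that would be banned as bare attachments.
    Unreadable archives fail closed (assumption: treated as banned)."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(is_banned_name(n.rsplit("/", 1)[-1]) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def apply_policy(raw, mode):
    """Apply the attachment policy to one raw RFC 5322 message (bytes).

    mode="rename" is the post's stage 2 (defuse by renaming),
    mode="drop" is stage 3 (reject the whole message).
    Returns (action, offending_names, message); message is None when dropped.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()   # Content-Disposition filename=, then Content-Type name=
        if not name:
            continue
        banned = is_banned_name(name)
        if not banned and extension_of(name.lower()) == "zip":
            banned = zip_has_banned_member(part.get_payload(decode=True))
        if banned:
            hits.append((part, name))
    names = [n for _, n in hits]
    if not hits:
        return "accept", names, msg
    if mode == "drop":
        return "dropped", names, None
    if mode != "rename":
        raise ValueError("mode must be 'rename' or 'drop'")
    for part, name in hits:
        new_name = name + RENAME_SUFFIX
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=new_name)
        part.set_param("name", new_name)   # also fix Content-Type name= for older clients
    return "renamed", names, msg


def attachment_names(msg):
    """Declared filenames of all attachments, for checking a filtered message."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def build_sample(filename, payload=b"MZ\x90\x00"):
    """Constructed sample message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Please open this zip file ..."
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_zip(member, data=b"MZ\x90\x00"):
    """Constructed in-memory zip archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [build_sample("invoice.exe"), build_sample("message.zip", build_zip("a.txt")),
               build_sample("photos.zip", build_zip("photo.jpg.exe")), build_sample("notes.pdf")]
    for raw in samples:
        print(apply_policy(raw, "drop")[:2], apply_policy(raw, "rename")[:2])
```

The filter checks only the last extension, so "photo.jpg.exe" is caught while "notes.pdf" passes; a renamed attachment re-submitted through the same filter is accepted, which is the "rename it .dat and resend" behaviour the post describes for false positives.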