[unisog] New virus - not caught by central servers (fwd)
mark at mail.rockefeller.edu
Thu Jul 29 12:39:43 GMT 2004
Can you please provide me with more details on how you block only encrypted
ZIP files in the e-mail message? Are you using Sendmail as your MTA?
Is the scanning of the e-mail message done at the time of delivery, or
is the message quarantined and scanned later?
Russell Fulton wrote:
>On Thu, 2004-07-29 at 02:41, Joseph Brennan wrote:
>>It's been accepted amazingly well. The zip blockade was done as a
>>desperate temporary measure last year but there has been no pressure
>>to change it. I was surprised.
>We also blocked zips for a while earlier this year in response to one of
>the worms and we rapidly found a substantial group of users who were
>genuinely affected. We have since relaxed the ban to encrypted zips and
>this has caused almost no problems. We do have mechanisms for
>circumventing the ban for outbound mail (e.g. malware submissions).
>We unpack all other zip (and any other archives, e.g. bz2, gz and tar.gz,
>etc.) attachments and block any that contain executables.
>As I've mentioned before, users can retrieve blocked executables if they
>really need them.
>>We allow people to rename files to end .doc and send them.
>We don't. We use 'file' to find what it really is and act accordingly.
>Given that users can be duped into saving a zip file to disk and then
>typing in a password which has been sent as a gif attachment, how long is
>it before we see a worm with instructions "Save the attached file to
>disk and rename to friendly.<some obscure executable extension> and
>double click on it". This could plausibly be coupled with a variant of
>the recent mydoom spiel. E.g.: From:<security at kickme.edu> "We have
>detected that your machine is infected with Nasty-rabid.worm. Here is
>the cleaning tool, we have renamed it so it will go through the mail
>system, just save it to disk and rename it to cleaner.exe and run it".
>I'm sure some of our users would fall for it.
>On this note we are about to have another look at methods for
>authenticating email sources to see if there is anything that we can
>reasonably deploy over the whole University. We will be looking at all
>the old friends (PGP, GPG, S/MIME, etc.) and anything else that we can
>find. I'm not very hopeful...
The Rockefeller University
1230 York Ave.
New York, New York 10021
phone: +1 212 327 8937
fax: +1 212 327 8712
email: mark at mail.rockefeller.edu
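The policy Russell Fulton describes in the quoted reply (refuse encrypted zips outright, unpack other archives and refuse any that contain executables, and judge a bare attachment by its content the way `file` does rather than by its extension) is easy to prototype outside the MTA. The script below is an added example written for this archive page, not code from either poster or from any University's mail system; it assumes the attachment body has already been extracted from the message, and the depth and size limits, the magic-byte table and all sample attachments are constructed for illustration. Hooking it into Sendmail (for example via a milter) at delivery time is not shown.

```python
import io
import zipfile

# Magic bytes of executable content, checked instead of trusting the filename
# extension (the 'file'-style check the thread describes). Constructed table.
EXECUTABLE_MAGICS = (
    (b"MZ", "DOS/Windows executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
)
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local header / empty archive
MAX_DEPTH = 3                 # assumed limit: deeper nesting is refused
MAX_ENTRY_BYTES = 1 << 20     # assumed limit: never inflate more than 1 MiB per entry


def executable_kind(data):
    """Return a description if the bytes look like an executable, else None."""
    for magic, kind in EXECUTABLE_MAGICS:
        if data.startswith(magic):
            return kind
    return None


def is_zip(data):
    return data[:4] in ZIP_MAGICS


def scan_attachment(data, depth=0):
    """Classify one attachment body as ('allow', reason) or ('block', reason).

    Encrypted zips are blocked outright, other zips are unpacked (recursively,
    up to MAX_DEPTH) and any entry whose content is an executable is blocked,
    and bare attachments are judged by content, not by extension.
    """
    kind = executable_kind(data)
    if kind:
        return ("block", "content is a %s" % kind)
    if not is_zip(data):
        return ("allow", "not an archive and not executable")
    if depth >= MAX_DEPTH:
        return ("block", "archive nesting deeper than %d" % MAX_DEPTH)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ("block", "corrupt zip, cannot inspect")
    with zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks an encrypted entry; its
            # content cannot be inspected, so the whole archive is refused.
            if info.flag_bits & 0x1:
                return ("block", "encrypted entry %s" % info.filename)
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_ENTRY_BYTES + 1)  # bounded inflate
            if len(body) > MAX_ENTRY_BYTES:
                return ("block", "entry %s too large to inspect" % info.filename)
            verdict, reason = scan_attachment(body, depth + 1)
            if verdict == "block":
                return ("block", "%s: %s" % (info.filename, reason))
    return ("allow", "archive holds no encrypted or executable entries")


def build_zip(entries, compression=zipfile.ZIP_STORED):
    """Constructed sample: in-memory zip from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(single_entry_zip):
    """Constructed sample: set the 'encrypted' flag bit on a one-entry zip.

    zipfile cannot write encrypted entries, so only the flag is flipped (in the
    local header at offset 6 and in the central directory entry at offset 8);
    the payload itself stays in the clear. Enough for the scanner to refuse it.
    """
    buf = bytearray(single_entry_zip)
    buf[6] |= 0x01
    cd = buf.find(b"PK\x01\x02")
    buf[cd + 8] |= 0x01
    return bytes(buf)


FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60          # constructed PE-like stub
SAMPLES = {                                      # constructed attachments
    "notes.doc": b"Plain document text, constructed sample",
    "renamed.doc": FAKE_EXE,                     # executable renamed to .doc
    "readme.zip": build_zip([("readme.txt", b"hello")]),
    "invoice.zip": build_zip([("invoice.doc", FAKE_EXE)], zipfile.ZIP_DEFLATED),
    "nested.zip": build_zip([("inner.zip", build_zip([("tool.scr", FAKE_EXE)]))]),
    "secret.zip": mark_encrypted(build_zip([("secret.bin", b"payload")])),
}


def scan_samples():
    return {name: scan_attachment(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_samples().items():
        print("%-12s %-5s %s" % (name, verdict, reason))
```

Two details matter in practice: the encryption check is made on the central-directory flag bits before any entry is opened, so the scanner never tries (and fails) to inflate an encrypted entry, and every inflate is capped so a small archive that expands to something enormous is refused rather than exhausting the scanner.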