[unisog] Phishing targeting University Admissions

Keith Schoenefeld schoenk at utulsa.edu
Wed Jun 16 05:30:39 GMT 2004

Seriously, why wouldn't people accept zip files?  If you don't allow zip 
files, but still allow attachments, what compression program do you use, 
rar?  If so, then what happens when viruses start getting spread via rar 
(they already are)? If we continually decrease the level of service we 
provide, we start changing the usability of the services we provide.  If 
we dramatically change the usability of our services, then the virus 
writers win.  It is far better to teach users how to properly handle 
attachments than to block attachments of certain types.  By blocking zip 
files, we are using a technical solution to solve a user knowledge 
problem.  It's bound to fail.  We don't need more technology, we need 
better trained users.

Obviously, I'm totally against the whole idea of "Viruses are possible 
in files with extension '.xxx' so we'd better block them".  Just like 
the recent viruses said "type in this password and open the zip file", 
untrained users are going to receive an email message that says "rename 
this blah.zi_ to blah.zip and open it" and they will do it.  Again, the 
proper solution in my opinion is user training, not band-aid technical 

I suppose using my same logic, one could argue that we shouldn't block 
any virus email.  I would argue that blocking viruses using definitive 
signatures is a good spam blocking and mail server saving measure, but 
that end users should be trained to handle the viruses that do get through.

All that said, there are all sorts of arguments as to whether one should 
really support attachments at all.  I personally would rather have some 
sort of automated repository where all outgoing and incoming attachments 
are stored on a server and unique http:// links are sent in place of the 
attachments.  Maybe using something like hardlink periodically to save 
space.  I believe such a product is a pipe dream at the moment... maybe 
someone can correct me?

-- KS

Sergent, Phil wrote:

> You still accept .zip files!?
> Phil Sergent                                      MU 
> Systems Programmer
> Marshall University
> Computing Services/Systems Group
> Drinko Library 422a
> Huntington, WV  25755-5320
> 304/696-3689 (Desk) 304/696-3601 (FAX)
> Email: sergent at marshall.edu
> It's not who you are that holds you back, it's who you think you're not.
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
> Sent: Monday, June 14, 2004 8:19 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Phishing targeting University Admissions
> --On Monday, June 14, 2004 8:46 AM -0400 Michael Holstein 
> <michael.holstein at csuohio.edu> wrote:
>>Late last week we saw a "phishing" attack targeting our students using
>>the enticement of a research assistantship (and a student visa). The
>>messages are written such that they appear to be from a legitimate
>>University International Admisions contact, and contain an
>>as-yet-unidentified "mailer.zip" attachment.
> Do you have the header portion?  I assume it claimed to be from an
> address at your school but really came from somewhere else.  Some
> general rule might be made to filter out such mail.
> Joseph Brennan
> Academic Technologies Group, Academic Information Systems (AcIS)
> Columbia University in the City of New York
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list