[unisog] Phishing targeting University Admissions

atanner1 atanner1 at emich.edu
Wed Jun 16 12:40:27 GMT 2004

I have started to tell my users that if they get a strange attachment and
are really dead-set on opening it, to please wait 3 days or come talk
with me.  It is not a perfect idea, but some of them will open it no
matter what.  If they wait the 3 days, here is what I am hoping will

1.  They hear about the virus and recognize it as such, and don't touch it
2.  The virus protection catches up on both the desktop and mail server

I know that if #2 fails, the virus will be spread.  But for my users who
will open it *anyway*, this seems to be something they can live with.
It's a way of thinking that makes sense to them, especially when the email
seems legitimate because it is from someone they know.

Changing the culture of email immediacy might help us all out in the long
run.  We expect emails TODAY but what if that was changed?  What if our
mail severs were configured to delay mail with attachments for 6 hours, or
8 hours?  Then run virus scan and leave the queue to be delivered.  Its
not perfect but it might help in an effort to get virus scanning to catch
up.  Do you think most users would go for something like that?

Andrea Tanner                           Academic Technology Specialist
andrea.tanner at emich.edu                 Academic Programming
734-487-0169                            225 Rackham

On Wed, 16 Jun 2004, Keith Schoenefeld wrote:

> Seriously, why wouldn't people accept zip files?  If you don't allow zip
> files, but still allow attachments, what compression program do you use,
> rar?  If so, then what happens when viruses start getting spread via rar
> (they already are)? If we continually decrease the level of service we
> provide, we start changing the usability of the services we provide.  If
> we dramatically change the usability of our services, then the virus
> writers win.  It is far better to teach users how to properly handle
> attachments than to block attachments of certain types.  By blocking zip
> files, we are using a technical solution to solve a user knowledge
> problem.  It's bound to fail.  We don't need more technology, we need
> better trained users.
> Obviously, I'm totally against the whole idea of "Viruses are possible
> in files with extension '.xxx' so we'd better block them".  Just like
> the recent viruses said "type in this password and open the zip file",
> untrained users are going to receive an email message that says "rename
> this blah.zi_ to blah.zip and open it" and they will do it.  Again, the
> proper solution in my opinion is user training, not band-aid technical
> solutions.
> I suppose using my same logic, one could argue that we shouldn't block
> any virus email.  I would argue that blocking viruses using definitive
> signatures is a good spam blocking and mail server saving measure, but
> that end users should be trained to handle the viruses that do get through.
> All that said, there are all sorts of arguments as to whether one should
> really support attachments at all.  I personally would rather have some
> sort of automated repository where all outgoing and incoming attachments
> are stored on a server and unique http:// links are sent in place of the
> attachments.  Maybe using something like hardlink periodically to save
> space.  I believe such a product is a pipe dream at the moment... maybe
> someone can correct me?
> -- KS
> Sergent, Phil wrote:
> > You still accept .zip files!?
> >
> >
> > Phil Sergent                                      MU
> > Systems Programmer
> > Marshall University
> > Computing Services/Systems Group
> > Drinko Library 422a
> > Huntington, WV  25755-5320
> > 304/696-3689 (Desk) 304/696-3601 (FAX)
> > Email: sergent at marshall.edu
> > It's not who you are that holds you back, it's who you think you're not.
> >
> >
> >
> > -----Original Message-----
> > From: unisog-bounces at lists.sans.org
> > [mailto:unisog-bounces at lists.sans.org] On Behalf Of Joseph Brennan
> > Sent: Monday, June 14, 2004 8:19 AM
> > To: UNIversity Security Operations Group
> > Subject: Re: [unisog] Phishing targeting University Admissions
> >
> >
> >
> > --On Monday, June 14, 2004 8:46 AM -0400 Michael Holstein
> > <michael.holstein at csuohio.edu> wrote:
> >
> >
> >>Greetings,
> >>
> >>Late last week we saw a "phishing" attack targeting our students using
> >>the enticement of a research assistantship (and a student visa). The
> >>messages are written such that they appear to be from a legitimate
> >>University International Admisions contact, and contain an
> >>as-yet-unidentified "mailer.zip" attachment.
> >
> >
> >
> > Do you have the header portion?  I assume it claimed to be from an
> > address at your school but really came from somewhere else.  Some
> > general rule might be made to filter out such mail.
> >
> > Joseph Brennan
> > Academic Technologies Group, Academic Information Systems (AcIS)
> > Columbia University in the City of New York
> >
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> >
> >
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list