[unisog] Phishing targeting University Admissions

Keith Schoenefeld schoenk at utulsa.edu
Wed Jun 16 14:44:52 GMT 2004

Joseph Brennan wrote:

>> IMHO fixing the real problem -- vulnerable email clients that
>> execute code -- should be more of a concern. Of course, this does
>> nothing to solve the problem of users saving attachments and
>> executing them; but I have a few solutions to that as well that
>> include using more secure operating systems.
> OK: I agree.  Now, let's get back to the real world.  Users can use
> any client they want, and the overall organization lacks the will
> to impose a ban on certain mail clients because the clients' users
> insist they need them.  Maybe they do too; I am not familiar with
> the non-mail components of certain software.  It is impossible to
> train users effectively with a 5,000:1 ratio of users to user
> services staff and steady turnover.  So all that's right out.

We will only support Netscape Messenger and Thunderbird at the moment.  
We do have some Outlook installations, but users are informed that we 
will install it but do not support it -- if something goes wrong they 
are on their own.  The only thing we will do with Outlook is migrate the 
data in it to Messenger or Thunderbird if they change their mind.  We 
may need to re-evaluate this policy of not supporting Outlook, I haven't 
looked at Outlook since the original Office 2000 release. 

My point is that there are some places that have made the ban.  The 
choice to not support Outlook was made because at the time there was no 
way for the user to protect themselves from viruses and still use 
Outlook. Like I said, we may need to revisit this move in the near 
future.  Anyway, to handle the PIM stuff we have a license for Oracle's 
calendaring software.  It's got a really good web interface, and has 
clients for Windows, Mac, and Linux (maybe more, that's all I've looked 

> Blocking attachments by extension saves us about $30,000 worth of
> anti-virus software licensing and additional hardware to process
> scanning.  That sounds good to me.

How exactly did you come up with those numbers?  Are you saying that you 
don't license antivirus software at all, or just don't do it on the mail 
server?  I'm not arguing the numbers are wrong, nor do I plan to based 
on your answer (I think), just curious how you developed the numbers.

We have faculty members who have threatened to bolt to NSF and clain 
infringement of academic freedom if we start blocking attachments.  I 
don't know if they would be successful or not, but quite frankly I don't 
care.  Unfortunately, sending files via email is a way of life.  The 
only way I'm willing to agree with the idea of blocking attachments from 
being sent via smtp is if I can automate some kind of file storage 
solution as I described earlier.  It's not worth the fight for me.  If 
they open a virus they can sit without their computer until we have time 
to fix it.  That way it's their own fault that they are without a 
computer, not ours.

> Banning attachments and HTML mail?  That's where this is going.
> I think we're going to see it happen.

That's pretty scary.  Now you're talking about making me explain to my 
users why they get email returned to them from your server.  I can't 
imagine that actually saving you support time.

> What would accelerate it would be an alternative way to transmit
> files, which is badly needed anyway.  Email is the least efficient
> way possible, with the encoding that has to be done into bloated
> pseudo-ascii.

Here we absolutely agree.

-- KS

Keith Schoenefeld
Manager of College Computer Services
College of Engineering and Natural Sciences
The University of Tulsa

More information about the unisog mailing list