[Fwd: RE: [unisog] Phishing targeting University Admissions]

Russell Fulton r.fulton at auckland.ac.nz
Thu Jun 17 00:43:41 GMT 2004

I wrote this and sent it to our tech who looks after our email system
(Bojan Zdrnja) who added comments in line.  I've left them there since
they are interesting...  BTW this refers to our staff email system which
covers around 5,000 users. 


> On Tue, 2004-06-15 at 03:21, Sergent, Phil wrote:
> > You still accept .zip files!?
> With considerable caution. 
> We currently scan all mail attachments with amavisd/sophie. If the
> attachments contain any executables (even unix) or they are password
> protected then they are quarantined and held for 3 days.  The user gets

Basically we keep them for 30 days, but users don't know that. :)
It doesn't require a lot of disk space and according to my latest statistics
this uses around 600 MB of disk space. As e-mails older than 30 days are
deleted, disk requirements fluctuate around 500-600 MB.

> a warning that the attachment has been held and they may ask for the
> attachment to be released.  Currently the process for retrieving files
> from quarantine is manual and we get around 5 requests for retrievals per
> day.  However if the file tests +ve for a virus then it is dumped
> unconditionally and no notices are sent. 

Yep, the important thing is to underline that only the recipient gets a
notification. There is no e-mail to (possibly) spoofed senders.

> We are currently in the middle of a major rework of our mail processing
> system and the longterm aim is to delay all clean, but executable
> attachments for three hours before rescanning them and then releasing
> them if they are still clean.  The user will get a warning email that
> the file has been held and a url from which they can retrieve it after
> signing in blood that they know what the attachment is and that they
> need it urgently.  The middle term solution is to just automate the
> retrieval process.

Basically, as the final goal, I'd like us to keep blocking all executables,
but to allow people to get them through the web interface. Also, we can
implement scanning every 3 hours and delete any (new) malware that we find,
with an appropriate message to the recipient (this is pretty easy to
implement). This way there will be no executables in e-mail directly; if a
user frees them through the web interface, it's their own responsibility.

> I get at around one message a day blocked by this mechanism and I have
> yet to retrieve a file from quarantine.  I.e. these are executable files
> that would have got through our screening but were unsolicited and
> presumably malicious.

Yes, from what I've seen - 90% are broken malware from remote servers (NDNs)
which are not identified by AV software, but still caught as an executable
(i.e. header is ok, but file is broken). Only 10% or less are legitimate
business needs.
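The policy described in the thread (quarantine executables, including Unix ones and ones inside zips, and password-protected archives; notify only the recipient; dump virus-positive files silently; rescan held executables after a 3-hour hold and keep quarantine for 30 days) is small enough to model end to end. The following is an added example written for this page, not the University of Auckland's amavisd/sophie configuration or any code from the thread: the signature scanner, the file names, addresses, the retrieval URL and the message ids are all constructed for the demo.

```python
"""Toy model of the attachment gate discussed in the thread (added example,
not the University's amavisd/sophie setup). Scanner, names and URL are
constructed stand-ins."""
import io
import zipfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=3)          # rescan/release delay (the thread's long-term aim)
RETENTION = timedelta(days=30)     # quarantined items are really kept this long
EXEC_MAGICS = (b"MZ", b"\x7fELF")  # PE/DOS and ELF headers ("even unix")


def is_executable(data: bytes) -> bool:
    return data.startswith(EXEC_MAGICS)


def classify(data: bytes) -> str:
    """Return 'executable', 'password-protected' or 'clean' for one attachment."""
    if is_executable(data):
        return "executable"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "clean"                       # not an archive; nothing else inspected here
    entries = zf.infolist()
    if any(e.flag_bits & 0x1 for e in entries):   # general-purpose bit 0 = encrypted
        return "password-protected"
    if any(is_executable(zf.open(e).read(4)) for e in entries):
        return "executable"
    return "clean"


class SignatureScanner:
    """Stand-in for the AV engine. Signatures can be added later, modelling a
    vendor update that lands while a file is on hold."""
    def __init__(self, signatures):
        self.signatures = set(signatures)

    def __call__(self, data: bytes) -> bool:
        return any(s in data for s in self.signatures)


@dataclass
class Held:
    recipient: str
    filename: str
    data: bytes
    received: datetime
    reason: str


@dataclass
class Gate:
    scanner: SignatureScanner
    held: dict = field(default_factory=dict)      # msg_id -> Held
    releasable: set = field(default_factory=set)   # rescanned clean; fetch via web UI
    delivered: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    notices: list = field(default_factory=list)    # (to, text); never the sender

    def receive(self, msg_id, recipient, filename, data, now):
        if self.scanner(data):               # positive: dumped, no notice to anyone
            self.dropped.append(msg_id)
            return "dropped"
        reason = classify(data)
        if reason == "clean":
            self.delivered.append(msg_id)
            return "delivered"
        self.held[msg_id] = Held(recipient, filename, data, now, reason)
        self.notices.append((recipient, f"{filename} held ({reason}); ask for release"))
        return "held"

    def sweep(self, now):
        """Periodic job: expire old items, rescan executables whose hold has elapsed."""
        for msg_id, h in list(self.held.items()):
            if now - h.received >= RETENTION:
                del self.held[msg_id]
                self.releasable.discard(msg_id)
            elif (h.reason == "executable" and msg_id not in self.releasable
                  and now - h.received >= HOLD):
                if self.scanner(h.data):     # caught by a signature added during the hold
                    del self.held[msg_id]
                    self.dropped.append(msg_id)
                    self.notices.append((h.recipient, f"{h.filename} was malware; deleted"))
                else:                        # placeholder retrieval URL, not a real service
                    self.releasable.add(msg_id)
                    self.notices.append((h.recipient,
                        f"{h.filename} rescanned clean: https://mail.example.test/q/{msg_id}"))


def make_zip(name, content, encrypted=False):
    """Constructed sample: one-entry zip; optionally set the 'encrypted' flag bit in
    both the local and central headers so it looks password-protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)


def run_demo():
    t0, to = datetime(2004, 6, 15, 3, 21), "recipient@example.test"
    scanner = SignatureScanner([b"KNOWN-BAD-MARKER"])
    gate = Gate(scanner)
    first = {
        "pdf": gate.receive("m1", to, "report.pdf", b"%PDF-1.4 constructed sample", t0),
        "exe": gate.receive("m2", to, "invoice.exe", b"MZ\x90\x00" + bytes(60), t0),
        "elf": gate.receive("m3", to, "tool", b"\x7fELF" + b"LATER-KNOWN-MARKER" + bytes(40), t0),
        "pwzip": gate.receive("m4", to, "docs.zip", make_zip("a.txt", b"hi", encrypted=True), t0),
        "exezip": gate.receive("m5", to, "setup.zip", make_zip("setup.exe", b"MZ" + bytes(40)), t0),
        "virus": gate.receive("m6", to, "bad.exe", b"MZ" + b"KNOWN-BAD-MARKER", t0),
    }
    scanner.signatures.add(b"LATER-KNOWN-MARKER")   # vendor update arrives during the hold
    gate.sweep(t0 + HOLD)
    after_hold = {"releasable": set(gate.releasable), "dropped": list(gate.dropped),
                  "still_held": set(gate.held)}
    gate.sweep(t0 + RETENTION + timedelta(days=1))
    return {"first": first, "after_hold": after_hold, "after_retention": set(gate.held),
            "notice_recipients": {addr for addr, _ in gate.notices}}


if __name__ == "__main__":
    print(run_demo())
```

The delayed rescan is the interesting part: `m3` passes the scanner on arrival, a signature for it is added while it sits on hold, and the sweep catches it before it is ever offered back to the user, which is exactly the case the 3-hour delay is meant to cover. Notices only ever go to the recipient, so a spoofed sender never receives a bounce.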

