"First, users aren't just blindly opening .ZIP files and executing their contents -- they are doing that *and* supplying a password that the virus gave them."

You're right, then there is a bigger problem, and it's called user intelligence. And unfortunately nothing you do server side will protect you from that. The only thing that will protect a user after it gets past the server is the user. The reason the virus is getting through is because Norton (or any other virus scanner) can't open it due to the password. So yeah, the spammers and virus writers are depending on users being ignorant enough to actually follow the steps in the email to place the password in the zip message so it can deliver its payload.

Personally I don't let IMail rules handle my attachment blocking needs. I let the Norton Antivirus Scan Engine handle that through their attachment blocking features. I've gotten zero false positives with Norton, when I was getting several a day with IMail because of their use of rules.

I still haven't figured out why Ipswitch doesn't include an "attachment name" bullet in the inbound rules section. Or better yet, in the anti-spam content filtering, so the virus doesn't go all the way through the anti-spam filtering before it gets caught by the inbound rules, which is the last rule that a message transaction goes through before it's delivered to a user's mailbox. Better catch it right when it comes in so it's dismissed early and save processor load.

Just my 2 cents.

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Zip attachments

>Just IMHO but zip files require an external program that must extract
>the file and then run them. If your users are blindly opening zip files
>and executing their contents, there is a bigger problem. Your hope
>would be that if somehow a zip file with a virus slipped through, it
>would be caught by your desktop AV client. If it doesn't already,
>Norton for Imail should scan inside of zip files.

Actually, it now gets a lot more complex than that.

First, users aren't just blindly opening .ZIP files and executing their contents -- they are doing that *and* supplying a password that the virus gave them.

Second, no mailserver virus scanner can accurately detect all viruses in encrypted .ZIP files (believe me; it's true).

Third, as a result of #1 and #2, the only way to block all known viruses is by blocking all encrypted .ZIP and .RAR files (I'm not sure if Norton for IMail does this yet; I do know that Declude Virus does).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---

[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
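
The third point in the quoted message, blocking encrypted .ZIP attachments, can be checked from the archive itself rather than from the attachment name. The following is an added example, not part of the original thread and not code from IMail, Norton or Declude; it covers ZIP only, the function names are hypothetical, and the sample archive and message are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def encrypted_zip_members(data: bytes) -> list:
    """Names of encrypted entries; empty if there are none or data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def find_encrypted_zip_attachments(raw_message: bytes) -> list:
    """(attachment name, encrypted member names) for each encrypted ZIP attached."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        # Inspect the content, not the file name: a renamed archive is still a ZIP.
        members = encrypted_zip_members(part.get_payload(decode=True) or b"")
        if members:
            hits.append((part.get_filename() or "(unnamed)", members))
    return hits


def sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: one-file ZIP, optionally with the encryption flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample data")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag low byte: offset 6 in the local header, offset 8 in the central directory.
        data[data.find(b"PK\x03\x04") + 6] |= ENCRYPTED
        data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(data)


def sample_message(name: str, payload: bytes) -> bytes:
    """Constructed sample: a message carrying payload as an attachment called name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("constructed body text")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Because the check reads the central directory and never tries to decrypt anything, it flags the archive without needing the password that the message body supplies to the user.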
