> When will we ever learn ... :-P
>
> On 11 Oct 2002 at 16:02, Roberto Pavesi wrote:
> > in my opinion the simplest way is to delete ANY attachment with
> > extensions .exe .com .pif .bat .scr and so ...
>
> On 11 Oct 2002 at 8:22, Williams, Kevin wrote:
> > I'm glad you mentioned that. My script blocks about 60 file extensions
> > using the same MIME extraction methods that it uses to scan for viruses.
> > ...
>
> Sorry to be that direct: Extension blocking is (IMHO) not adding
> anything to security but motivates users to evade it. (before you
> flame me, read some postings on that topic from
> focus-[EMAIL PROTECTED])
>
> My thoughts about file extensions:
>
> *) how deeply does your filter search the filename for an extension?
> If your algorithm takes the first three characters after the first
> dot, you've lost already. If it takes the last three characters if
> they have a dot before them, it might work, unless there is some
> not-yet-found bug in WinXX ...

My filter looks for '.whatever' anywhere in the file name, and the filter list
is customizable.

>
> *) by blocking extensions except .zip and/or .txt you annoy your
> users or their mail partners and force them to avoid your restraint by
> simply zipping or renaming files and notifying recipients of that. Any
> worm could easily do so. Didn't we hear of 'MS xxx security update
> attached' and people really believing MS sent them a patch?
>
> Anyway, if .zip is not blocked and the archive is self extracting you
> are doomed too!

If the archive is self extracting, then it has a ".exe" extension, which
should be blocked.

>
> *) if nearly all extensions are blocked (I can't even think of 20
> different ones, let alone 60!) how could users exchange files anyway?
> And they frequently do! (or at least want to)
>
> IMHO this extension blocking thingy raises far more trouble than it
> solves. A profound virus scanner on the MTA and one on each desktop
> is far more effective (the two could even be from different brands if
> you like paranoia, like I do ;-) ).

My filter also runs a virus scan on all attachments not already filtered by
extension.

My filter can be extremely paranoid - if desired, the admin can configure the
filter to block messages from unverifiable addresses (verified by DNS lookups
of MX records for sender's domain then SMTP "RCPT TO:" for mailbox on each
server in MX records until success or end of list).

>
> Giving users the impression everything they get is checked and
> filtered gives them a false feeling of being 'secure'. Let them see
> how many infected mails they would get without the scanners and they
> will be more cautious with attachments anyway.
>
> At our site any infected mail reaches its intended audience, but
> with the attachment replaced by a report from the MTA scanner and a
> log entry generated. Since we do so, users are very alert!

My filter does the same thing.
We have a nation-wide Exchange system with each
office as a site in the Exchange domain. We have a commercial virus
protection plug-in at each office, but each office chose a different vendor.
We chose a system which blocks by a configurable list of file extensions then
scans for viruses. Any attachments which are blocked by extension or
quarantined for viruses are replaced by a text message describing why the
attachment was not allowed to continue. Since implementing this system we
haven't had a single virus in our office in over two years, although other
offices have been infected and tried to infect us through the Global Address
List. Almost all viruses that are caught are caught by the file extension,
not the virus scanner. We also have VirusScan and Outlook on each
workstation, scanning all file I/O and all e-mail. It's a good system and it
works well, so I tried to implement the same thing for XMail, for free.

>
> just an opinion,
>
> Goesta

I appreciate the opinion. Our users aren't that tech savvy, and would never be
motivated to evade security measures because the entire concept would be
miles over their head. That's why this works for us. Your mileage may vary.

Kevin
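
The two matching strategies argued over in this thread, plus the "replace the attachment with a text notice and log it" behaviour both sites describe, as an added example; it is not Kevin's script or XMail code. The blocklist contents, function names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist; the ~60-entry list mentioned in the thread is not shown.
BLOCKED = {"exe", "com", "pif", "bat", "scr"}

def naive_ext(filename):
    """The weak check from the thread: three characters after the FIRST dot."""
    _, dot, rest = filename.partition(".")
    return rest[:3].lower() if dot else ""

def blocked_ext(filename):
    """Return the first blocked '.ext' found ANYWHERE in the name, else None."""
    # Trailing dots and spaces are dropped first: Windows ignores them on open.
    parts = filename.lower().rstrip(". ").split(".")[1:]
    return next((p.strip() for p in parts if p.strip() in BLOCKED), None)

def filter_message(raw_bytes):
    """Replace blocked attachments with a text notice; return (msg, log)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    log = []
    for part in msg.walk():
        name = part.get_filename()  # handles RFC 2231 / RFC 2047 encoded names
        ext = blocked_ext(name) if name else None
        if ext:
            log.append((name, ext))
            # set_content() clears the old payload and Content-* headers.
            part.set_content(f"Attachment '{name}' removed: .{ext} is blocked.\n")
    return msg, log

def sample_message():
    """Constructed message: one benign and two double-extension attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "files"
    m.set_content("see attached")
    for fn in ("notes.txt", "report.txt.exe", "photo.jpg.SCR"):
        m.add_attachment(b"dummy", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    filtered, entries = filter_message(sample_message())
    for name, ext in entries:
        print(f"blocked {name!r} (.{ext})")
```

Matching any dot-separated segment also flags a harmless name such as `www.example.com.txt`, which is the usability cost raised in the thread.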
