Thank you for correcting me Yakov, I knew you would ;-)
We do not allow certain content that will make HTML dangerous such as
"open.window" and "<object data=" among a few others. I scour the (certain
unnamed) developer site and look for "enabling" html as I call it. This is
blocked before it can be exploited.
While I understand how it can be used successfully in an intranet, because
the client in question uses the same rendering engine for email as it does
its web browser, you can put anything in an email that you can put on a
webpage.
<rant>
I have repeatedly asked the "Evil Empire" to add another security option
that would turn these "enabled" html commands off specifically in an email,
not the browser. To date... " " has been the answer. So much for all
the press about how they are going to stop spam and viruses.
</rant>
This brings me to another point... I appreciate the segue from myself.
Too often places like news organizations, banks, and others that have a
slew of content developers are making it easier for virus writers to find
exploits. They do this by including in their content-rich email the latest
whizz-bang code, without thought as to who might not approve of it. For
instance, we started blocking CN^2 due to their developer putting in what we
considered "enabling" html. I got a phone call saying that we were now
blocking all of this news content. This is one that I would not back down
on. They changed their code.
<wishful thinking>
Email is turning into a feature-rich FTP client.
What is the problem with just going back to plain text and putting all the
fancy stuff in the attachment?
</wishful thinking>
Note to self: Block all <wishful thinking>
Regards,
Damon Sauer
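As an added illustration of the "enabling" HTML check described above (this is example code, not the gateway Damon Sauer runs, and not code from the list), the scanner below walks an HTML mail body and flags markup that a client rendering mail with its browser engine, preview pane included, would act on with no user click: active elements such as `<object data=`, `on*` event handlers, script-scheme URLs, and script text such as `window.open(`. The construct lists, the tag and attribute names, and the two sample bodies are all assumptions constructed for the example.

```python
"""Added example (not Damon Sauer's gateway code): flag "enabling" HTML in a
mail body, i.e. markup that a client rendering mail with its browser engine
would execute without any user action.  The construct lists below are an
assumed policy, not the one used by the list poster."""
from html.parser import HTMLParser

# Elements that load or run active content when rendered (assumed policy).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame", "layer"}
# Attributes whose value is a URL the engine will fetch or navigate to.
URL_ATTRS = {"href", "src", "data", "action", "background", "codebase"}
# URL schemes that execute code instead of fetching a document.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
# Text fragments that old engines treat as code inside <script>/<style>.
SCRIPT_TEXT = ("window.open(", "expression(", "javascript:")


class EnablingHtmlScanner(HTMLParser):
    """Accumulates (reason, where) findings; it never rewrites the HTML."""

    def __init__(self):
        # convert_charrefs=True (the default) decodes entities such as
        # &#106;avascript: before we see the attribute value, so simple
        # entity obfuscation does not slip past the scheme check.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag))
        for name, value in attrs:
            if name.startswith("on"):
                # onload=, onmouseover=, ... run without a click.
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and value:
                scheme = value.strip().lower().replace("\t", "").replace("\n", "")
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", f"{tag}@{name}"))

    def handle_data(self, data):
        # Script bodies arrive here as raw text, so window.open( is visible.
        lowered = data.lower()
        for needle in SCRIPT_TEXT:
            if needle in lowered:
                self.findings.append(("script-in-text", needle))
                break


def scan_html(body: str) -> list:
    """Return every finding for one HTML body (empty list means clean)."""
    scanner = EnablingHtmlScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def gateway_verdict(body: str) -> str:
    """Block on any finding; a newsletter that needs none of this passes."""
    return "block" if scan_html(body) else "allow"


# Constructed samples (not real mail): a plain newsletter and an "enabled" one.
NEWSLETTER = (
    "<html><body><h1>Today's headlines</h1>"
    "<p>Markets rise.</p>"
    "<a href='http://news.example.test/story/1'>read more</a>"
    "</body></html>"
)
ENABLED = (
    "<html><body onload='document.forms[0].submit()'>"
    "<object data='http://news.example.test/player.hta'></object>"
    "<a href='&#106;avascript:window.open(\"http://news.example.test\")'>go</a>"
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in (("newsletter", NEWSLETTER), ("enabled", ENABLED)):
        print(label, gateway_verdict(body), scan_html(body))
```

The policy is deliberately blunt: any finding blocks the message, and a plain-text mention of `javascript:` in a paragraph would also trip it. That matches the stance in the thread (block first, make the content developer change their code) rather than trying to sanitise in place, which is where rendering-engine quirks make the filter lose.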
-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Yakov Shafranovich
Sent: Monday, September 15, 2003 1:45 PM
To: Sauer, Damon
Cc: 'Eric S. Johansson'; Jonathan Morton; Brad Knowles; asrg(_at_)ietf(_dot_)org
Subject: 7. Best Current Practices - Attachments (was Re: [Asrg] [RENAMED] Dangerous Attachments from Email Path Verification (has hcash benchmarks))
First of all, please keep in mind the posting guidelines at
(http://www.irtf.org/asrg/asrg_mailing_list_information.htm). I changed
the subject since it belongs in the BCP area.
Second, take a look at the archive - we had a similar discussion a while
back with Gordon Peterson about blocking HTML and attachments.
Third, what about HTML content that executes in the preview pane of a
certain UNNAMED email client?
Yakov
Sauer, Damon wrote:
Our mail systems do not allow 36 directly executable attachment types
and it has not hindered our business one flea speck. We have not been
infected by a single email virus since Melissa that can be traced back
through our email gateways.
The magic words that were used were "directly executable", to me
meaning that there is no user action that has to take place for the
code to be executed.
<rant>
I remember the good ol' days when I could say with my head held high,
"No, just opening an email message will not give you a virus- it is
just text." Thanks to the "Evil Empire", creator of non-RFC compliant,
buggy, unsecured, U-do-it-like-we-tell-U2- lookOut or express lookOut, I
have to hang my head low and nod, when some poor client has his preview
pane on and gets infected with the latest hourly exploit. Want to blame
someone?
</rant>
We therefore do not allow any directly executable code without it
being zipped, gzipped, tarred, stuffed, extension renamed, or any other
action that will "safe" it and not allow it to run unopposed.
As long as a sender knows this, there is no issue with doing a little
prep work before sending. Not only that, it is less expensive to the
mailing systems.
Regards,
Damon Sauer
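The attachment policy described in the message above, as an added example (not the gateway Damon Sauer runs, and not code from the list): a Python MIME filter that rejects a message when any attachment is of a "directly executable" type, meaning one a client may run with no user action, while accepting the same payload once it has been zipped, tarred or renamed. The page says 36 types are blocked without listing them, so the extension set, the content-type set and the sample message below are assumptions constructed for the example.

```python
"""Added example (not the gateway Damon Sauer runs): reject mail carrying a
"directly executable" attachment, i.e. one a client may run with no user
action, while accepting the same payload once zipped, tarred or renamed.
The extension and content-type lists are assumed; the page mentions 36
blocked types without listing them."""
from email import message_from_string, policy

# Assumed subset of extensions that common desktop clients hand to the OS.
DIRECTLY_EXECUTABLE = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk", "shs",
}
# Declared types that a client may execute regardless of the filename.
EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-msdos-program", "application/hta",
}


def attachment_name(part) -> str:
    # get_filename() reads Content-Disposition filename= and falls back to
    # the Content-Type name= parameter, decoding RFC 2231 encodings.
    return part.get_filename() or ""


def is_directly_executable(part) -> bool:
    name = attachment_name(part)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    # The policy keys on what the client will do, not on the bytes:
    # "tool.exe" renamed to "tool.ex_" or wrapped in a .zip is accepted,
    # because the recipient then has to act before anything runs.
    return ext in DIRECTLY_EXECUTABLE or part.get_content_type() in EXECUTABLE_TYPES


def attachment_verdicts(raw_message: str) -> list:
    """Return [(filename, 'reject' | 'accept'), ...] for each attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers are not attachments
        # A part counts as an attachment when it carries a filename or is
        # explicitly marked as one; the inline text body has neither.
        if not attachment_name(part) and part.get_content_disposition() != "attachment":
            continue
        verdict = "reject" if is_directly_executable(part) else "accept"
        verdicts.append((attachment_name(part), verdict))
    return verdicts


def gateway_decision(raw_message: str) -> str:
    """One rejected part rejects the whole message at the gateway."""
    rejected = any(v == "reject" for _, v in attachment_verdicts(raw_message))
    return "reject" if rejected else "accept"


# Constructed sample (not a real message): one bare executable with a
# misleading double extension, one zipped tool, one plain text body.
SAMPLE = """\
From: sender@example.test
To: recipient@example.test
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/octet-stream; name="report.xls.exe"
Content-Disposition: attachment; filename="report.xls.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/zip; name="tool.zip"
Content-Disposition: attachment; filename="tool.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    print(attachment_verdicts(SAMPLE), gateway_decision(SAMPLE))
```

Walking every leaf part with `msg.walk()` rather than only the top-level attachments matters because a nested multipart/mixed inside a forwarded message would otherwise hide its payload from the check. The double extension `report.xls.exe` is still caught because only the final suffix decides what the client does with the file.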
-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Eric S. Johansson
Sent: Monday, September 15, 2003 8:33 AM
To: Jonathan Morton
Cc: Brad Knowles; asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] 6. Email Path Verification (hashcash benchmarks)
Jonathan Morton explained:
I did the same with SpamAssassin when Sobig.F started hitting me with
hundreds per day (bounces and infections alike). I manually set the
MICROSOFT_EXECUTABLE score to 10.0 (the default score is only 0.3) and
set up Procmail to dump messages above 8.0. I'm pretty sure that dealt
with over 99% of the problem.
I personally think that nearly all ISPs, especially those with a large
proportion of newbies, should delete directly-executable attachments
without question.
While there is an autocratic part of me that agrees most heavily with
what you say, I also fear the hubris inherent in the situation. This
is what I think: an isolation place or spamtrap equivalent is what is
called for. That way the user can determine whether or not they really
want that piece of e-mail. On the gripping hand however I have rarely
received an executable by e-mail from anyone except someone I have had
long conversations with (i.e. OEM technical support).
The nice thing about a spamtrap (at least the way I have
designed/implemented) is that I can get an audit trail of messages and
who approved them. So in the case of a virus, you can know which
employee is a FWM and started the infection process.
---eric
*****
"The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential, proprietary,
and/or privileged material. Any review, retransmission, dissemination
or other use of, or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient
is prohibited. If you received this in error, please contact the
sender and delete the material from all computers."
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg