[Asrg] Usefulness of wholesale blocking of attachments for SMTP?2004-04-12 19:22:30
I mail-server I use regularly (Indiana University) has taken, in response to worms and other malware useing .pif. zip, exe, etc attachments to spread their damage, has taken the (IMO) rather drastic step of blocking almost *all* attachments (except for pdf, doc, and a few others), including MacOSX extensions (pbproj and saver) even though there are no viruses currently which try to use OSX extensions (and they wouldn't work either, as Windows would not try to run a xx.saver file as an executable).
I would argue that if one wants to block EXE files - fine - but block them by looking for the base-64 encoded 'TVq' signature of EXE files (the 'MZ' signature when encoded). The current policy of blocking a great many different attachments, not only makes it more difficult for people who do want to send legitimate attachments (but not too much - I just remove the extension), if adopted on a large-scale (which I doubt it will be), such a "draconian" policy will push mal-ware-writers to move to other ways of sending their worms - Word macro viruses, Excel macro viruses, HTML with mal-ware JS and Java code, or whatever (there's almost always another hole to exploit). This same mail-server is going to shortly be implementing a system-wide spam filtering solution (probably based on SpamAssasin), which will as a matter of course be scanning all data coming through the relay. Since all data will be scanned already, scanning for EXE files or other known signatures of malware should not be terribly more computationally intensive. The solution proposed by 'gep2' would seem to address this, but it seems to me that it would have an incredible computation scaling problem (if filtering on a per-user basis is done on the receiving end), and/or require a global change to the email system (if a sending server would query a receiving server for every email). Jim From: gep2(_at_)terabites(_dot_)com
|
|