
RE: [Asrg] Usefulness of wholesale blocking of attachments for SMTP?

2004-04-12 23:45:42
such a "draconian" policy will push mal-ware-writers to move to other ways of sending their worms - Word macro viruses, Excel macro viruses, HTML with mal-ware JS and Java code, or whatever (there's almost always another hole to exploit).

That's why most viruses come zipped these days, and I am getting more than ever.


That's a little like telling everyone to take off their bullet-proof
vests because it'll just encourage poison gas.



Wholesale blocking of attachments is a nuisance. I often send things via email for very legitimate reasons.

The problem could/should be solved by using a sandbox arrangement.

Anything to do with the internet should be run in a sandbox so it cannot alter any part of the user's computer.

That is to say, not only email but any other software that has the potential to run downloaded apps or scripts,

e.g. IMs, P2P, browsers, etc.

I have often wondered how hard it would be to make a sandbox.

Does anyone know of any open source sandboxes?


Regards
Chris



-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Chris Lewis
Sent: Tuesday, 13 April 2004 3:16 PM
Cc: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Usefulness of wholesale blocking of attachments for SMTP?


Jim Witte wrote:

I would argue that if one wants to block EXE files - fine - but block
them by looking for the base-64 encoded 'TVq' signature of EXE files
(the 'MZ' signature when encoded). The current policy of blocking a
great many different attachments, not only makes it more difficult for
people who do want to send legitimate attachments (but not too much - I
just remove the extension), if adopted on a large scale (which I doubt
it will be),

It's already implemented on a very large scale.  .scr, .pif, etc.  Many
of those have no business in email anyway.

Note also that while the TVq et al. signatures are _very_ useful, they
don't do the whole job.  I.e.: zip'd .exe.  TVq (and the two other
rotations of Base64'd "MZ") helps, but (a) you have to make the
signature a lot longer than "TVq", and (b) zip file name lengths can
push the (longer) signature over a Base64 line boundary, and filtering
abruptly becomes a lot harder.

Once you've decided to nuke .exes in all forms, about the only
problematic attachment type that most people would be blocking would be
wav files (because of Klez).  It's the only attachment type we get FPs
on. I should research whether the magic string check is sufficient.

such a "draconian" policy will push mal-ware-writers to move to other ways of sending their worms - Word macro viruses, Excel macro viruses, HTML with mal-ware JS and Java code, or whatever (there's almost always another hole to exploit).

That's a little like telling everyone to take off their bullet-proof
vests because it'll just encourage poison gas.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
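An added example (not code from anyone in the thread) showing the two failure modes Chris Lewis describes for matching "TVq" in the encoded text: an EXE stored inside a zip lands at a data offset that changes the Base64 alignment, and a longer signature can straddle a 76-character Base64 line break. Decoding the part before checking avoids both. The EXE bytes, zip member names and MIME bodies are all constructed here; the member name lengths are chosen so that the data offset (30 + name length in a stored zip) produces each case.

```python
import base64
import io
import zipfile

# Constructed start of a DOS/PE header (not a real program); "MZ" + stub fields.
DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
FAKE_EXE = DOS_HEADER + b"\x00" * 200
SHORT_SIG = "TVq"                                 # "MZ" at Base64 alignment 0
LONG_SIG = base64.b64encode(DOS_HEADER).decode()  # the "longer" signature

def mime_part(payload: bytes) -> str:
    """Base64 body as a mail client emits it: 76-character lines."""
    return base64.encodebytes(payload).decode()

def zipped(name: str, payload: bytes) -> bytes:
    """Stored (uncompressed) zip with one member and a fixed timestamp so the
    archive bytes are deterministic. Member data begins at 30 + len(name)."""
    info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(info, payload)
    return buf.getvalue()

def naive_match(body: str, sig: str = SHORT_SIG) -> bool:
    """Signature search in the encoded text, as discussed in the thread."""
    return sig in body

def decoded_match(body: str) -> bool:
    """Decode first (newlines are ignored), then look for MZ directly or at
    the start of each zip member. Deflated members would hide the signature
    from any text match, but are still caught here."""
    data = base64.b64decode(body)
    if data.startswith(b"MZ"):
        return True
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        return True
    return False

SAMPLES = {
    "direct": mime_part(FAKE_EXE),                                   # MZ at offset 0
    "zip_shifted": mime_part(zipped("a.exe", FAKE_EXE)),             # data at 35 (35 % 3 = 2)
    "zip_split": mime_part(zipped("report_2004_04.exe", FAKE_EXE)),  # data at 48, chars 64..79
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, naive_match(body), naive_match(body, LONG_SIG), decoded_match(body))
```

In the "zip_split" case the three-character "TVq" still matches but the longer signature is cut by the line break after character 76; in the "zip_shifted" case neither text signature matches, while decoding finds the member either way.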
