RE: Schedule incoming external mail

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sun, 22 Aug 2004 23:01:16 -0700

> 1. We do currently block executable attachments but unfortunately this
> happens on the mail server.  I'd need to investigate further into blocking
> at the firewall.  The third layer of antivirus I mentioned is at the
> gateway.  Fortunately we have standardised to a single email client making
> policy setting a lot easier.  Although total attachment blocking is too
> harsh for our business requirements, I could see potential to ramp this up
> either at the firewall (if possible) or using ScanMail attachment
> blocking.

If they are being blocked at the server, that should be fine, unless you are
saying some how users are able to access their e-mail BEFORE the attachments
are blocked.

> 3. On a couple of occasions I've had messages come through to myself
> (latest Bagle and I can't recall the other one).  I only had to look at it
> to see that it was a virus so I set to work to find a scanner that could
> pick it up - on one occasion neither Trend or Symantec did.  I then tried
> a couple of on-line scanners, again with no success.  I believe running
> multiple antivirus is good idea (that's why we're doing it) but it
> certainly isn't a cure-all.

OK, here is a big warning. If a virus is in an encrypted zip file, a virus
scanner WILL NOT SEE THE VIRUS! What they can do eventually is see the
pattern that is used. This would include such things as the image file name
that the password is in, or the file size, or the name of the file within
the zip. Bagle is if I remember the first one that started using encrypted
zip files. This is why when a virus comes out using an encrypted zip, it
takes a lot longer for the AV companies to come out with the definitions.
The software I use will first run the virus scanners against it, and if they
do not report a virus, then can ban the message based on attachment name,
attachment extension, if it is an encrypted zip, if it is a zip and even it
the zip file contains banned attachments.

> One of the other posters made the point of training of users which is
> something I try to strike a balance of letting them know of new virus
> while not doing it so often that see it as a "cry wolf".  Considering the
> vulnerability of antivirus described I see this as probably the greatest
> means of defence.  Our worst "hit" however was the result of someone who
> did know better - what do you do!

Well, I too went through that. The owner of one of my clients received a zip
file in with a forged from address, assumed it must be OK since it was in a
zip, then opened it and ran the hotpictures_scr what ever thinking that some
one sent him pictures, (he always receives pictures as part of jokes, why I
hate the passing of jokes,) and whamo, 12 hours of labor and the network
down for the day and I hope he learned his lesson. Since then, I have a very
strict policy of banning all potentially malicious executable files within
zip files, as well as banning all encrypted zip files. Users are given
inscructions on what to do. Yes, it is work on their part. I have as clients
a printing shop, a bank, a company dealing with medical billing and records,
(Can you say HIPPA?), a financial factoring company, a electronic components
company as well as some resteranunts and individual users, and all of them
agree and thank me for that policy.

John Tolmachoff
eServices For You

Other related posts: