[rescue] Re: NetApps

Kevin kevin at mpcf.com
Thu Apr 8 12:30:28 CDT 2004

We do SCAN all incoming emails, once with clamav at my email
gateway and then again with Norton A/V for Exchange.  Neither of
which can scan password protected ZIP files.  There are virii
that send themselves out inside of password protected ZIP files. 
The password is written inside the message body of the email and
it instructs the user how to unzip it.  Now it is unbelievable
that some moron user would actually DO what the email tells him
to, but that is NOT my fault, and blocking ZIP files is the best
way we know of to get around this if we are relegated to using MS
OSes in the first place.

The renaming of ZIPs to whatever else, usually means that there
was a line of communication between the sender and the receiver
before the email is received.  This significantly cuts down the
chances that the naming and renaming thing will happen with a
randomly sent virus.  Now you may say that, in time a virus will
be created that sends out randomly named attachments and then
instructs the user to rename the file to ZIP.  This will
certainly happen at some point, but we have to deal with the
resources and options available to us at the time.  There is such
a thing as dealing with what you have, and as much as i love this
list, i believe it could use a good dose of pragmatism at times.


On Thu, 8 Apr 2004 11:39:41 -0400
Phil Stracchino <alaric at caerllewys.net> wrote:

> On Thu, Apr 08, 2004 at 10:17:36AM -0400, Kevin wrote:
> > I do not allow any *.zip files through our mail servers and
> > i'm able to keep my job just fine.  Please enlighten me with
> > your proposed solution to the problem?
> I think the issue here is, "We're worried about viruses and
> trojans, but we're not going to bother actually SCANNING
> attachments, we're just going to block anything that has a .zip
> extension without bothering to check whether the filetype
> actually matches the extension or not, so if you want to
> trivially defeat our pathetic excuse for a security measure,
> just rename your .zip file to .scr or something."

More information about the rescue mailing list