Message-ID: <200403062106.i26L6EP02039@netsys.com>
From: EddieS at softhome.net (Eddie )
Subject: Re: E-Mail viruses

Curt's suggestion works.  With only 35 email accounts at work, I farm out our email to our web host (FutureQuest) so I don't have to mess with running a server.  I have had the executable-attachment filter turned on from day one (day one == 3 years ago).  You send an exe attachment to someone in the office, it gets bounced back with a message to please zip the file and send again.  Nobody can receive anything that will run when clicked.  Just this works very well and it has cut the viruses down to almost null.

With MyDoom and others on the rampage, I added zip to the list, and changed it from a bounce to a black hole.  I put out a memo about the rename-the-extension trick.  Not a single complaint and quite a few thank-yous.  We have not gotten one virus since I did this.  I don't plan to do this forever, just until MyDoom and others go down a bit more, and then it's back to the bounce.

And yes, we have Norton on each client. :) 

Eddie


On Sat, 6 Mar 2004 10:23:30 -0600, Curt Purdy wrote:

>docco wrote:
>> What Curt Purdy is saying looks to me like a
>> great_pain_in_the_ass_solution.
>> In case the "supersecret" extension would get leaked or
>> compromised, which I
>> believe would be absolutely not hard to achieve (by means of social
>> engineering, sniffing or just brute force - combinations of
>> three letters,
><snip>
>
>Jeez, it's amazing how a thread can get so twisted overnight.  My original
>point was that it was never necessary to hide the proprietary extension and
>it would never need to change.  The purpose of blocking everything but this
>extension, in our case .dps (see, I'm not scared) is to squash 99.999%
>(experience has been 100% so far) of all possible infected attachments
>before it ever gets to our email AV server.  Of course that percentage may
>now drop if some "security expert" on this list decides to rename netsky and
>send it to us.  However that would be a waste of time unless it was a 0-day,
>and I doubt anyone would want to waste that on us.
>
>In addition, it is much easier to train users to change the extension than
>to "not open attachments" because they are self-motivated to do the former
>if they ever want another attachment.  If you try to educate users to do the
>latter, you are just setting yourself up to continually battle the social
>engineering used by virus coders.
>
>While I'm on the subject, just this morning on a nationally syndicated show,
>I heard a piece on the current "virus war" and was amazed when I heard it
>end with "a security expert" say "only open attachments from someone you
>know".  We disabled notifications on our AV server months ago.
>
>Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
>Information Security Engineer
>DP Solutions
>
>----------------------------------------
>
>If you spend more on coffee than on IT security, you will be hacked.
>What's more, you deserve to be hacked.
>-- White House cybersecurity adviser Richard Clarke
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
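The two gateway policies discussed in this thread (Eddie's deny-list that bounces executables and black-holes zip archives during an outbreak, and Curt's allow-list that delivers only a single agreed extension such as .dps) can be modelled as a small attachment-extension filter. The code below is an added example, not code from either poster or from any mail gateway product; the extension sets beyond exe, zip and dps, the function names, and the sample message are constructed for illustration. It uses only the Python standard library `email` package, looks at the final extension only (so `invoice.doc.exe` is treated as `exe`), and normalises case and Windows path separators, which a naive filter would miss.

```python
"""Attachment-extension policy filter (added example; not the posters' code).

Models the two policies from the thread:
  - deny-list: bounce executable extensions, black-hole archives (Eddie)
  - allow-list: deliver only one agreed extension, .dps (Curt)
All extension sets, addresses and the sample message are constructed.
"""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Constructed sets: the thread only names exe, zip and dps; the rest are
# assumptions about what a typical 2004-era executable deny-list contained.
BOUNCE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
BLACKHOLE_EXTENSIONS = {"zip"}      # Eddie's outbreak-time addition
ALLOWLIST_EXTENSIONS = {"dps"}      # Curt's proprietary extension


def extension_of(filename):
    """Lower-cased final extension of an attachment name, or '' if none.

    Windows-style paths are reduced to their basename first, and only the
    final extension counts, so 'Invoice.DOC.EXE' yields 'exe'.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def attachment_filenames(msg):
    """Filenames of every attachment part of a parsed EmailMessage."""
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename()]


def decide_denylist(filenames):
    """Deny-list policy: 'blackhole' beats 'bounce' beats 'deliver'."""
    verdict = "deliver"
    for name in filenames:
        ext = extension_of(name)
        if ext in BLACKHOLE_EXTENSIONS:
            return "blackhole"       # dropped silently, no bounce
        if ext in BOUNCE_EXTENSIONS:
            verdict = "bounce"       # returned with a 'please zip it' note
    return verdict


def decide_allowlist(filenames):
    """Allow-list policy: any attachment off the allow-list is bounced."""
    for name in filenames:
        if extension_of(name) not in ALLOWLIST_EXTENSIONS:
            return "bounce"
    return "deliver"


def decide_raw(raw_bytes, mode="denylist"):
    """Parse a raw RFC 5322 message and apply the chosen policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = attachment_filenames(msg)
    if mode == "allowlist":
        return decide_allowlist(names)
    return decide_denylist(names)


def build_sample_message(filenames):
    """Constructed test message with one small opaque attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "office@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in filenames:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for names in (["plan.dps"], ["Report.DOC.EXE"], ["tool.exe", "stuff.zip"]):
        raw = build_sample_message(names).as_bytes()
        print(names, "deny-list:", decide_raw(raw),
              "allow-list:", decide_raw(raw, mode="allowlist"))
```

Running the block prints the verdict of both policies for three constructed messages; the allow-list variant bounces everything but `.dps`, which is why Curt's users are motivated to learn the rename trick, while the deny-list variant only reacts to the listed extensions and so needs updating each time a new container format (zip in this thread) is abused.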



