Re: Email virus protection

2003-08-21 Thread Crist Clark

Dave Howe wrote:
> 
> Crist Clark wrote:
> > Unless your AV software has a clue, like most do, and unzips archives
> > and see what's inside.
> which is ideal for virus scanning, but not for blanket-blocking of email.
> A zipped archive containing an executable cannot (unless something has
> changed that I don't know about) be automatically opened by any mail
> client - the user must make a deliberate attempt to open the archive then
> execute the attachment (although the actual extraction can be performed
> automatically by many decompression utilities if you double-click an
> executable or document inside its browser)

Automatic opening by Outlook and Outlook Express (I'm not aware of any
other MUAs that have actually had worms in the wild that do this) has
actually only been used by a few worms.

As I mentioned in the original mail, this is how Mimail from a week or
two ago spread. An *.htm (not even "executable," whatever that means
on Windows anymore) was inside of a zip.

> there is of course no allowing for the stupidity of users - but if you
> have a stupid enough user you could induce him to bypass any protection
> anyhow.

AFAIK, the present scourge of the net, Sobig.F, requires the reader to
"click on it." It's not one of those that takes advantage of Outlook or
IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiosity.
We've been telling them not to do this for several years. They still do
it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file,
whether it is one or two steps. It's too easy for the curious. My goal is
to have the ones who _really_ want to get a "forbidden" extension through
the system need to actually *gasp* use the keyboard to rename the file!
That means they have to save the mangled name to a file, rename it back,
and then "run" it. Ju-ust that little bit of effort is enough to stop 
several nines of the curious. I remember wa-ay back in the Melissa days,
before AV email gateways were widely used, implementing MIMEdefang which
did these simple things. That was, and still is, enough to stop an awful
lot of this junk.

Similarly, if someone wants to zip some things up, mangle the zip extension,
and then send it on through, it's OK with me. That's enough to stop
the curious.
-- 
Crist J. Clark   [EMAIL PROTECTED]
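
Added example, not part of the original message: a Python illustration of the gateway policy described above, which reads the member names of `.zip` attachments (as with Mimail's message.zip) and mangles the attachment name so the file has to be saved and renamed by hand. The block list, the `.blocked` suffix and all function names are assumptions made for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumption: a short illustrative block list. .htm is included because the
# Mimail case in the thread carried an .htm file inside message.zip.
FORBIDDEN = {"exe", "pif", "bat", "scr", "com", "htm", "html"}
MANGLE_SUFFIX = ".blocked"  # hypothetical suffix with no file association


def extension(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    name = name.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def reason_to_mangle(filename, payload):
    """Return why the attachment should be mangled, or None to pass it."""
    if extension(filename) in FORBIDDEN:
        return "forbidden extension"
    # As in the message, an archive whose own name was already mangled by the
    # sender passes: the recipient has to rename it before opening it anyway.
    if extension(filename) != "zip":
        return None
    try:
        # Only the archive directory is read; nothing is decompressed.
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return "unreadable archive"
    hits = [n for n in names if extension(n) in FORBIDDEN]
    return "archive contains " + ", ".join(hits) if hits else None


def mangle_attachments(msg):
    """Rename offending attachments in place; return [(old, new, reason)]."""
    changed = []
    for part in list(msg.walk()):
        old = part.get_filename()
        if part.is_multipart() or not old:
            continue
        reason = reason_to_mangle(old, part.get_payload(decode=True) or b"")
        if reason is None:
            continue
        new = old.strip().rstrip(". ") + MANGLE_SUFFIX
        # The name can live in either header; rewrite whichever is present.
        if part.get_param("filename", header="Content-Disposition"):
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name"):
            part.set_param("name", new)
        changed.append((old, new, reason))
    return changed


def build_sample():
    """Constructed message: one harmless zip, one zip holding an .htm file."""
    def zipped(member, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(member, data)
        return buf.getvalue()

    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(zipped("notes.txt", "hello"), maintype="application",
                       subtype="zip", filename="notes.zip")
    msg.add_attachment(zipped("message.htm", "<html></html>"),
                       maintype="application", subtype="zip",
                       filename="message.zip")
    return msg


if __name__ == "__main__":
    for old, new, reason in mangle_attachments(build_sample()):
        print(f"{old} -> {new} ({reason})")
```
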


Re: Email virus protection

2003-08-21 Thread Dave Howe

Crist Clark wrote:
> Unless your AV software has a clue, like most do, and unzips archives
> and see what's inside.
which is ideal for virus scanning, but not for blanket-blocking of email.
A zipped archive containing an executable cannot (unless something has
changed that I don't know about) be automatically opened by any mail
client - the user must make a deliberate attempt to open the archive then
execute the attachment (although the actual extraction can be performed
automatically by many decompression utilities if you double-click an
executable or document inside its browser)
there is of course no allowing for the stupidity of users - but if you
have a stupid enough user you could induce him to bypass any protection
anyhow.



Re: Email virus protection

2003-08-21 Thread Crist Clark

Jack Bates wrote:
> 
> Stephen J. Wilcox wrote:
> 
> > We don't filter by file type.. people do send exe's legitimately!
> >
> 
> You can zip the exe, or you can rename the exe, or you can ask not to
> have exe's filtered at all.
> 
> Sometimes solutions can be simple.

Unless your AV software has a clue, like most do, and unzips archives and
see what's inside.

And thank goodness they do or else the Mimail (with its message.zip
attachment) could have been worse.
-- 
Crist J. Clark   [EMAIL PROTECTED]


Re: Email virus protection

2003-08-21 Thread Jack Bates
Stephen J. Wilcox wrote:
> Just like what some viruses do you mean?

A zipped virus or a renamed virus to say exd or dat is less likely to 
get an infection hold than .pif, .bat, or .exe

-Jack



Re: Email virus protection

2003-08-21 Thread Stephen J. Wilcox


On Thu, 21 Aug 2003, Jack Bates wrote:

> Stephen J. Wilcox wrote:
> 
> > We don't filter by file type.. people do send exe's legitimately!
> > 
> 
> 
> You can zip the exe, or you can rename the exe, or you can ask not to 
> have exe's filtered at all.

Just like what some viruses do you mean?

Steve



Re: Email virus protection

2003-08-21 Thread Jack Bates
Stephen J. Wilcox wrote:

> We don't filter by file type.. people do send exe's legitimately!



You can zip the exe, or you can rename the exe, or you can ask not to 
have exe's filtered at all.

Sometimes solutions can be simple.

-Jack



Re: Email virus protection

2003-08-21 Thread Stephen J. Wilcox


On Wed, 20 Aug 2003, Christopher J. Wolff wrote:

> 
> Hello,
> 
> What is the most common method for providing virus protection for your
> hosted email customers?  Thank you in advance.

None, we only protect those customers who additionally pay for our antivirus 
services. 

These services comprise of systems which decode the mime, unzip, untar, unarc
(etc) and then run any files thro commercial virus checker engines which are 
updated automatically daily or manually in the case of a new emerging threat 
that can't wait.

We don't filter by file type.. people do send exe's legitimately!

Steve



Re: Email virus protection

2003-08-21 Thread Valdis . Kletnieks
On Wed, 20 Aug 2003 17:49:07 PDT, chuck goolsbee <[EMAIL PROTECTED]>  said:

> majority. My nanog list mail account got joejobbed by the 
> "Netscalibur" user, both as sender and receiver (supposedly from 
> Valdis Kletnieks, and somebody at NetSol.) and I've never seen what 
> an Outlook mail client looks like. =)

Erm.. wasn't me.. though so far I've had 1,787 of the suckers show up in my
personal mailbox.  Fortunately, they were defanged by our Mirapoints, so they
were only 2K rather than 80K each ;)

Meanwhile, I've had 52 "You sent us a virus" bounces.  I'm pretty sure this
Linux laptop didn't do it. ;)

My favorite so far?  Had to be the site whose spamfilter said this:

===
Original headers follow
===
Received: from localhost [127.0.0.1] by secure.*.com
with SpamAssassin (2.60-cvs 1.195-2003-06-30-exp);
Wed, 20 Aug 2003 10:36:51 -0600
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: XXXSPAMXXX Re: Wicked screensaver
Date: Wed, 20 Aug 2003 9:54:21 --0700
X-Spam-Level: *
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_3F43A3A3.11294FF5"

Yep.. point the gun *straight* up, pull the trigger, wait, and then wonder what
that little thing coming straight at you is... ;)






Re: Email virus protection

2003-08-20 Thread Petri Helenius

> 
> Perhaps, Outlook is a secure and performant email solution - in, say, 3
> to 4 years from now, but this means a drastic change of course for the
> vendor.
> 
In other news Microsoft announced that they stopped development on 
Outlook Express.

Pete



Re: Email virus protection

2003-08-20 Thread JC Dill
Warning, this is an off-topic rant about client software and the state of 
the world WRT Windows and Linux.  There is zero operational content in this 
post.

At 06:07 PM 8/20/2003, Lou Katz wrote:

> On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:
> >
> > At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:
> >
> > >There's quite a lot of usable stuff out there. Many Win32 users have
> > >switched to Mozilla which seems to solve 100% of the Outlook-specific
> > >attacks which account for... hmmm... 100% of the malicious email
> > >messages of the last 6 months.
> >
> > Unfortunately, that's not true.  My father has to use Windoze because
> > several software programs for his industry (Real Estate, specifically
> > managing rentals) only come in Windoze flavors.  He stays away from M$
> > client software whenever possible and was using Mozilla for email (until
> > yesterday, I'm getting him started on Eudora).  His email software doesn't
> > automatically open attachments for him.
>
> For some (but not all folks), you can run such software on a Windows
> virtual machine (I use Win4Lin) under a Unix or Linux OS. That might
> be an attractive and not very expensive solution for the above.

He needs to be able to automatically and easily move data between all his 
programs.  It's not at all unusual for him to scan a document with 
PaperPort, then export it to Acrobat, then attach it to email and 
send.  Then he needs to automatically accept a fax and transfer it into 
PaperPort, so incoming faxes come in with WinFaxPro.   Then he needs to 
transfer data from an email into Homeworks, or Promas.  Then he needs to 
type up a document in WordPerfect (grabbing the address data from his Palm 
software), send attached to an email, also attaching a document just 
received via fax or just scanned.  Typically he has 6 or more programs all 
open at once.  We just upgraded the RAM so that his computer could handle 
all this in native Windows2k.

He (which means me, when he has problems) has enough trouble getting 
everything working nice/nice under Windows.  It would be impossible to get 
it all working seamlessly with some of these applications in Windows inside 
Linux and others inside Linux itself.  If we aren't running at least 1/2 of 
his applications under Linux itself, I don't see much purpose in running 
Linux at all.

Is there a Linux program that does what WinFaxPro does (booting at startup, 
automatically answering incoming faxes, saving in a format that can be 
exported to Acrobat or PaperPort, automatically forwarding a copy of the 
fax via email)?  Is there a Linux program that does what PaperPort does 
(scanning and filing all paperwork, then saving the file thru Acrobat or 
Photoshop, transferring to email or fax or OCR and into WP)?

I'm quite sure that there aren't any Linux programs like Homeworks or 
ListTrak or Promas (all Real Estate speciality programs required for his 
business).

So at most, he can use Linux with the Palm software (maybe), a browser 
(he's already using Mozilla under Win2K, so this isn't a big gain) an email 
client (he's using Eudora now, and I don't believe they have a Linux 
version), and Star Office (maybe, if it doesn't crash) for a WordPerfect 
solution.  Except that he really needs to migrate *off* WP and onto Word 
because he needs to send and receive docs in the format everyone else uses 
(Word, unfortunately).  In many cases he'd have to pay to buy new Linux 
versions of software he has already purchased for Windows (like Acrobat, 
Word, Norton Antivirus or the equivalent, with update license) even though 
some equivalent applications can be had for free (Gimp for 
Photoshop).  Then there's the learning curve, I'm sure that Gimp doesn't 
work *exactly* like Photoshop, he will have to learn to do things 
differently.  And this assumes all his RE software will run in a Win4Lin 
environment.  Can you say "the vendor doesn't support that" boys and 
girls?  :-(  Yeah, I thought you could.  A support tech drove from San Jose 
to Monterey yesterday to install a ListTrak because they have problems 
installing it on Win2K systems with SP4.  There's NFW they would support 
any of these programs if they were installed under Win4Lin or if we had 
problems with them running under Win4Lin but they run fine in Windows2k itself.

Oh, and he needs to be able to print from all programs to the HP 3330, 
which is directly connected to the desktop computer and accessed by the 
laptop as a Windows network printer.  Due to program driver weirdness 
(particularly with Promas) he has two different instances of this printer 
installed with two different drivers, he uses one version for some 
programs, the other version for the others.

Then there's the hardware.  His desktop box is an el cheapo Compaq Presario 
desktop computer with 2 different CD drives (one reads, one reads and 
writes) with an internal zip drive and internal floppy.  It also has a 
modem (months ago I replaced the crappy win-modem with a real one so that 
WinF

Re: Email virus protection

2003-08-20 Thread Lou Katz

On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:
> 
> At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:
> 
> >There's quite a lot of usable stuff out there. Many Win32 users have
> >switched to Mozilla which seems to solve 100% of the Outlook-specific
> >attacks which account for... hmmm... 100% of the malicious email
> >messages of the last 6 months.
> 
> Unfortunately, that's not true.  My father has to use Windoze because 
> several software programs for his industry (Real Estate, specifically 
> managing rentals) only come in Windoze flavors.  He stays away from M$ 
> client software whenever possible and was using Mozilla for email (until 
> yesterday, I'm getting him started on Eudora).  His email software doesn't 
> automatically open attachments for him.

For some (but not all folks), you can run such software on a Windows
virtual machine (I use Win4Lin) under a Unix or Linux OS. That might
be an attractive and not very expensive solution for the above.

> 
> jc

-- 
-=[L]=-


Re: Email virus protection

2003-08-20 Thread chuck goolsbee
To answer the original question asked...

At 10:50 -0700 8/20/03, Christopher J. Wolff wrote:
> What is the most common method for providing virus protection for your
> hosted email customers?  Thank you in advance.


We use a layered approach, with Postini being the front line ...they 
do an *excellent* job, and we - and our clients - love them.

We forced all the (mail) domains we host to use Postini about a year 
ago when our mail servers came under some serious directory harvest 
attacks. We allow clients to opt-out of the spam filtering if they 
want, but still run the mail through Postini's system anyway to stop 
directory harvest and virus attacks. Postini can be set to filter, 
but not quarantine, which looks to our opt-out clients like no 
filtering but still saves our mailservers from most assaults.

Second layer is some nice configuration options on our 
customer-facing mail servers, which run CommunigatePro from Stalker.

CGP is as full featured as Exchange, but without the BS. Plus it has 
the added benefit of actually working as advertised, and can be run 
on virtually *any* platform. The suits like the buzzword-compliance 
and the fact that it is commercially supported (excellent support too 
I'll add.) The geeks like it because it *works*... and on any 
platform they choose.



The last layer is of course the hardest to control, as it is out of 
our hands and in the client's, but we strongly suggest that they use 
a mail client that doesn't auto-execute code.

Myself, I use Eudora on my PowerBook running OS X. I know that 
doesn't make me somehow immune to everything... just the vast 
majority. My nanog list mail account got joejobbed by the 
"Netscalibur" user, both as sender and receiver (supposedly from 
Valdis Kletnieks, and somebody at NetSol.) and I've never seen what 
an Outlook mail client looks like. =)



I have to agree with Mr. Donelan who said here:
"(Microsoft) Outlook, the exploding Pinto on the information superhighway."


Regards,
--
Chuck Goolsbee  V.P. Technical Operations
_
digital.forest  Phone: +1-877-720-0483, x2001
where Internet solutions grow  Int'l: +1-425-483-0483
19515 North Creek Parkway  Fax: +1-425-482-6871
Suite 208   http://www.forest.net
Bothell, WA 98011  email: [EMAIL PROTECTED]


Re: Email virus protection

2003-08-20 Thread JC Dill
At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:

> There's quite a lot of usable stuff out there. Many Win32 users have
> switched to Mozilla which seems to solve 100% of the Outlook-specific
> attacks which account for... hmmm... 100% of the malicious email
> messages of the last 6 months.

Unfortunately, that's not true.  My father has to use Windoze because 
several software programs for his industry (Real Estate, specifically 
managing rentals) only come in Windoze flavors.  He stays away from M$ 
client software whenever possible and was using Mozilla for email (until 
yesterday, I'm getting him started on Eudora).  His email software doesn't 
automatically open attachments for him.

He knows better than to manually open random attachments that don't look 
like something business like, but a few weeks ago one caught him during the 
vulnerable period (after the virus started making the rounds, before he had 
updated the virus definitions) and managed to pretend to be a type of file 
he *does* expect in his day to day business (an "application" 
attachment).  Oops.

Now he finally *really* understands why I'm adamant about frequently 
updating the virus definitions (I presently have his antivirus software set 
to check for updates every 4 hours) and having a strong firewall, and not 
loading unnecessary applications on his work computer.

jc



Re: Email virus protection

2003-08-20 Thread just me

On Thu, 21 Aug 2003, Karsten W. Rohrbach wrote:

  Mutt and similar MUAs are prone to misconfiguration, which makes them
  vulnerable to some degree, but this fact alone does not expose enough
  surface for implementation of an internet-wide worm attack ;-)

So you are saying that all MUA's are prone to vulnerabilities through
misconfiguration, and the reason for Outlook's prominence is simply
its larger installed base? If so, I completely agree with you.

  In end-user application design, finding the right mix between security
  and convenience (which tend to be mutually exclusive, in one way or
  the other) is a critical design decision.

  You get the point.

Indeed. I certainly wish Outlook was shipped with more sane settings.


  > I completely agree. Which is why I discourage people from using
  > Outlook Express as well as Mutt.

  So the interesting question in context of this email thread is: what do
  you encourage them for?

My brother has used MH for the last 20 years or so, without ill
effect. However, I believe it was also vulnerable in '97 because of
its inclusion of metamail functionality.

I've been impressed with Ximian's Evolution, but have no false hopes
for its integrity in the face of malicious content.

There certainly is no universal best mail client. If I encourage
anything, it's to use the client folks are most comfortable with.

  Regards,
  /k

matto

[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



Re: Email virus protection

2003-08-20 Thread Karsten W. Rohrbach

just me([EMAIL PROTECTED])@2003.08.20 14:41:02 +:

> Please don't pretend that your MUA-de-jour is somehow invulnerable by
> design, unless you've audited every line of code yourself.

I don't.

Mutt and similar MUAs are prone to misconfiguration, which makes them
vulnerable to some degree, but this fact alone does not expose enough
surface for implementation of an internet-wide worm attack ;-)

Perhaps, Outlook is a secure and performant email solution - in, say, 3
to 4 years from now, but this means a drastic change of course for the
vendor.

In end-user application design, finding the right mix between security
and convenience (which tend to be mutually exclusive, in one way or
the other) is a critical design decision.

You get the point.

>   On a different angle, the apparent problem of a software product being
>   vulnerable to an exploit is not solved by deploying a - albeit
>   well-patched - application monoculture worldwide. Risk is lowered by
>   using more well-designed software packages out there. Diversity is the
>   name of the game, it's nature's solution and it seems to work quite
>   well.
> 
> I completely agree. Which is why I discourage people from using
> Outlook Express as well as Mutt.

So the interesting question in context of this email thread is: what do
you encourage them for?

Regards,
/k

-- 
> Horngren's Observation:
> Among economists, the real world is often a special case.
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


Re: Email virus protection

2003-08-20 Thread just me

On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote:

  just me([EMAIL PROTECTED])@2003.08.20 14:17:17 +:
  >
  > http://www.cert.org/advisories/CA-1997-14.html
  > http://www.cert.org/advisories/CA-1998-10.html
  >
  > Wow, the second one even mentions Mutt by name.

  The more recent of those two advisories is dated August 11, 1998.
  What are you trying to express, by citation of those pretty outdated
  CERT advisories? If you are trying to imply that software does not
  improve in a time frame of five years, go ahead and convince me. =)

It's happened before, it'll happen again. Please don't pretend that
your MUA-de-jour is somehow invulnerable by design, unless you've
audited every line of code yourself.

  On a different angle, the apparent problem of a software product being
  vulnerable to an exploit is not solved by deploying a - albeit
  well-patched - application monoculture worldwide. Risk is lowered by
  using more well-designed software packages out there. Diversity is the
  name of the game, it's nature's solution and it seems to work quite
  well.

I completely agree. Which is why I discourage people from using
Outlook Express as well as Mutt.

matto

[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



Re: Email virus protection

2003-08-20 Thread Karsten W. Rohrbach

just me([EMAIL PROTECTED])@2003.08.20 14:17:17 +:
> 
> http://www.cert.org/advisories/CA-1997-14.html
> http://www.cert.org/advisories/CA-1998-10.html
> 
> Wow, the second one even mentions Mutt by name.

The more recent of those two advisories is dated August 11, 1998.
What are you trying to express, by citation of those pretty outdated
CERT advisories? If you are trying to imply that software does not
improve in a time frame of five years, go ahead and convince me. =)

On a different angle, the apparent problem of a software product being
vulnerable to an exploit is not solved by deploying a - albeit
well-patched - application monoculture worldwide. Risk is lowered by
using more well-designed software packages out there. Diversity is the
name of the game, it's nature's solution and it seems to work quite
well.

Regards,
/k


-- 
> Zero Defects, n.: The result of shutting down a production line. 
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


Re: Email virus protection

2003-08-20 Thread just me

On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote:

  Some switched to Mac. Many UNIX users are on mutt or similar MUAs which
  do not bear the potential for execution of arbitrary code.

http://www.cert.org/advisories/CA-1997-14.html
http://www.cert.org/advisories/CA-1998-10.html

Wow, the second one even mentions Mutt by name.


[EMAIL PROTECTED]<
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include 



Re: Email virus protection

2003-08-20 Thread Karsten W. Rohrbach

Jack Bates([EMAIL PROTECTED])@2003.08.20 15:49:01 +:
> 
> That's what the net admin was telling me when I mentioned one of his 
> branch bank offices had Sobig-F. Apparently they all run A/V and I think 
> he said his mail server does as well. Unfortunately, they still allow 
> executables in.

The problem is the false sense of security while using anti-virus
products. For having a working signature, somebody has to be hit first
and submit the virus to the AV vendor. This requires a certain time,
which leads - in case of the latest worm occurrences which appear to be
pretty aggressive - to a certain amount of infections that happen before
there are signatures available. And then, the update still has to be
downloaded to the AV scanning software which extends the time window
being unprotected against a certain worm or virus variant.

So, the virus and worm authors are always one step ahead. This is by
design of the AV concept.

Better put the wasted cash and time into the design of better systems,
which brings the software developers this critical one step in the lead.

Due to what obscure reason does a mail user agent have to execute
interpreted code and do unasked things to mail attachments, nowadays?

Regards,
/k

-- 
> Those who do not understand Unix are condemned to reinvent it, poorly. 
> --Henry Spencer 
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


Re: Email virus protection

2003-08-20 Thread Karsten W. Rohrbach

Christopher J. Wolff([EMAIL PROTECTED])@2003.08.20 10:50:55 +:
> 
> What is the most common method for providing virus protection for your
> hosted email customers?  Thank you in advance.

Making them switch to a software product that does not auto-execute
arbitrary chunks of code that come in via some network connection.

Ok, you got me, it is not the most common method "out there", but the
most common method for my customers ;-)

There's quite a lot of usable stuff out there. Many Win32 users have
switched to Mozilla which seems to solve 100% of the Outlook-specific
attacks which account for... hmmm... 100% of the malicious email
messages of the last 6 months.

Some switched to Mac. Many UNIX users are on mutt or similar MUAs which
do not bear the potential for execution of arbitrary code. Sure, this
does not apply for Exchange-driven installations that require Outlook,
but there are also alternatives available. Deployment cost causes a
certain lack of motivation to get rid of Exchange, but if you calculate
a potential impact of Microsoft worms and viruses (virii?) in terms of
damage to the company's data and infrastructure and also credibility,
it's worth it, quite often.

A bit more on the philosophical side of things, the international press
and media - and many people reading or watching those media - mix up the
terms "internet threat", "Microsoft-specific threat" and
"Outlook-specific threat" which leads to a totally twisted perspective
of the current events.

Fact is, that there's a broad base of installed and Microsoft-driven PCs
which are vulnerable. Customers often realize this after you explain it
to them step-by-step and they seem very happy with their new knowledge
about what actually caused the vulnerability of their company and
information infrastructure. Some of them - call them brave - take
immediate action and implement fallback or alternative solutions.

Regards,
/k

-- 
> Parts that don't exist can't break. --Russell Nelson 
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


Re: Email virus protection

2003-08-20 Thread Jack Bates
John Palmer wrote:
> Hey - they aren't supposed to be using their work e-mail for stuff
> other than work - especially in a banking environment.
>
> I would be unhappy if my bank did not exclude executables from
> outside e-mail.

That's what the net admin was telling me when I mentioned one of his 
branch bank offices had Sobig-F. Apparently they all run A/V and I think 
he said his mail server does as well. Unfortunately, they still allow 
executables in.

I won't be using that bank.

-Jack



Re: Email virus protection

2003-08-20 Thread John Palmer

Hey - they aren't supposed to be using their work e-mail for stuff
other than work - especially in a banking environment. 

I would be unhappy if my bank did not exclude executables from 
outside e-mail.

Again, IT'S YOUR EMPLOYER'S NETWORK, NOT YOURS.

- Original Message - 
From: "Gary E. Miller" <[EMAIL PROTECTED]>
To: "Jack Bates" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, August 20, 2003 14:29
Subject: Re: Email virus protection


> 
> Yo Jack!
> 
> On Wed, 20 Aug 2003, Jack Bates wrote:
> 
> > The best method for protection of your network (by limiting exposure of
> > your users to viruses) is to strip executable files. We replace the
> > files with a small text file mentioning the filename and a brief
> > description of why we stripped it and who to contact if they need the file.
> 
> I love guys like you.  All my customers once had (still have) admins
> that filtered and cleaned their email for them.  Also added
> firewalls for their protection.  Now they are my customers because they
> do not want your protections.
> 
> What you are doing is certainly proper in some cases.  I would hope
> BofA learned that lesson after the last worm attack that killed their
> ATM network.  That also means a lot of bank employees need to also have
> an ISP account from me to do things they can not do with their email on
> the job.
> 
> RGDS
> GARY
> ---
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> [EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> 
> 
> 


Re: Email virus protection

2003-08-20 Thread Jack Bates
Gary E. Miller wrote:

> I love guys like you.  All my customers once had (still have) admins
> that filtered and cleaned their email for them.  Also added
> firewalls for their protection.  Now they are my customers because they
> do not want your protections.

I never understood ISPs that can apply a filter but not make an 
exception. All my filters, network and service level, have exclusions. 
The filters are designed to protect the network from the users. Less 
than 0.1% of my users do not want such protections, and those users are 
cleared of them.

In the last 3 days, I have received over 50 thank-you emails from 
customers concerning Sobig-F stripping. One user said that they wanted 
off filtering because they updated their anti-virus definitions once a 
week and that they were expecting an email from someone, but I'd 
stripped the attachment. It turns out that the user hadn't updated since 
Sobig-F released 2 days ago and since the from address was something he 
was looking for, he would have run the executable I'd stripped. I 
informed him that the file was viral, and he informed me that he'd like 
to keep the filtering. This is normal of most requests.

I will agree with you that there are many networks that deploy filtering 
and do not work with the customer concerning the filtering. To do so is 
poor business practice in my opinion. The problem isn't the filtering. 
It is the lack of contact with the customer.

-Jack



Re: Email virus protection

2003-08-20 Thread Gary E. Miller

Yo Jack!

On Wed, 20 Aug 2003, Jack Bates wrote:

> The best method for protection of your network (by limiting exposure of
> your users to viruses) is to strip executable files. We replace the
> files with a small text file mentioning the filename and a brief
> description of why we stripped it and who to contact if they need the file.

I love guys like you.  All my customers once had (still have) admins
that filtered and cleaned their email for them.  Also added
firewalls for their protection.  Now they are my customers because they
do not want your protections.

What you are doing is certainly proper in some cases.  I would hope
BofA learned that lesson after the last worm attack that killed their
ATM network.  That also means a lot of bank employees need to also have
an ISP account from me to do things they can not do with their email on
the job.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



Re: Email virus protection

2003-08-20 Thread Jack Bates
Christopher J. Wolff wrote:

> Hello,
>
> What is the most common method for providing virus protection for your
> hosted email customers?  Thank you in advance.

The best method for protection of your network (by limiting exposure of 
your users to viruses) is to strip executable files. We replace the 
files with a small text file mentioning the filename and a brief 
description of why we stripped it and who to contact if they need the file.

I recommend executable stripping before virus scanning in all cases. 
Virus scanning is still vulnerable to startup viruses (Sobig-F could 
have infected numerous users before the dat files update).

-Jack



RE: Email virus protection

2003-08-20 Thread Todd Mitchell - lists

| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
| Christopher J. Wolff
| Sent: Wednesday, August 20, 2003 1:51 PM
| To: [EMAIL PROTECTED]
| Subject: Email virus protection
| 
| 
| Hello,
| 
| What is the most common method for providing virus protection for your
| hosted email customers?  Thank you in advance.

We filter the normal "bad attachment stuff" right off the bat:

ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]

and as we see fit, we add system wide filters for specific viruses,
trojans, etc.  Customers are notified when additional filters are
added/removed.

Todd

--

| 
| Regards,
| Christopher J. Wolff, VP CIO
| Broadband Laboratories, Inc.
| http://www.bblabs.com
| 
|
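
Added example, not part of the original messages: one way to combine the extension pattern quoted in the message above with the strip-and-replace approach from Jack Bates's earlier reply, where each blocked attachment is swapped for a short text notice. The contact address, notice wording, notice filename and function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Extension alternation quoted from the message above, anchored so that only
# the final extension of the attachment name counts.
BAD_EXT = re.compile(
    r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?"
    r"|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)
CONTACT = "postmaster@example.net"  # hypothetical contact address
NOTICE = (
    "An attachment was removed from this message by the mail gateway.\n"
    "Original filename: {name}\n"
    "Original size: {size} bytes\n"
    "Reason: files of this type are not accepted by e-mail.\n"
    "If you need the file, contact {contact}.\n"
)


def is_blocked(filename):
    """True when the final extension is on the block list."""
    # Windows ignores trailing dots and spaces, so "x.exe. " opens as x.exe.
    return bool(BAD_EXT.search(filename.strip().rstrip(". ")))


def strip_executables(msg):
    """Replace blocked attachments with a text notice; return their names."""
    stripped = []
    for part in list(msg.walk()):
        # get_filename() also falls back to the Content-Type name= parameter.
        name = part.get_filename()
        if part.is_multipart() or not name or not is_blocked(name):
            continue
        size = len(part.get_payload(decode=True) or b"")
        # Keep the sender-controlled name printable inside the notice.
        safe = re.sub(r"[^\w.\- ]", "_", name)
        # set_content() clears the old payload and Content-* headers first.
        part.set_content(
            NOTICE.format(name=safe, size=size, contact=CONTACT),
            disposition="attachment",
            filename="attachment-removed.txt",
        )
        stripped.append(name)
    return stripped


def build_sample():
    """Constructed message with one allowed and two blocked attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("files attached")
    for name in ("report.pdf", "Wicked_Screensaver.SCR", "invoice.pdf.exe."):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print("stripped:", strip_executables(sample))
    print([p.get_filename() for p in sample.iter_attachments()])
```
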