Re: 543.rar attachment

[Jonathan Loh <kj6loh () yahoo com>]

Good luck teaching common sense. 
--- Kinnell <kinnell.t () gmail com> wrote:

> Very true.  However we are not looking to ban people from using e-mail
> as a tool to pass important files; we are looking to keep Tim, the new
> intern from a near college, from opening a stupid e-mail with a "your
> wife knows you watch porn" subject and running a file in there that is
> said to keep your wife from finding out.
>
> The problem is between the keyboard and the seat, not so much on the
> servers, but if we can't teach the users common sense then we need to
> ban all files.  Same goes for so many hot topic items
>
>
> -Kinnell
>
> On Mon, 14 Mar 2005 22:41:44 -0800 (PST), Jonathan Loh <kj6loh () yahoo com>
> wrote:
> > Ok let's have a reality check.
> > Blocking archive files is easy by just writing a simple filter looking for
> > various extensions.  Pruning executable files means you will have to use
> that
> > same filter, open the archive, either extract the whole thing, delete the
> > executables, and repackage the whole thing, or delete the executables in
> place.
> > Everyone can split large application files, or can be taught how, and send
> them
> > to be repackaged.  Ever wonder how TCP and UDP work?
> >
> > --- David J ONEILL <David.J.Oneill () state or us> wrote:
> > > Gee, why not just block ALL email communication.  That would save you
> > > some work too.
> > >
> > > Archive files are a necessary part of communication and very beneficial
> > > in saving bandwidth.
> > >
> > > Let's have a reality check ....
> > >
> > > David J O'Neill
> > > Senior Systems Analyst
> > > State of Oregon
> > > Department of Human Services
> > > Office of Information Services
> > > PH# 503.378.2101 ext. 280
> > > email david.j.oneill () state or us
> > >
> > > > > > Jonathan Loh <kj6loh () yahoo com> 03/14/05 02:21PM >>>
> > > Ok that's a solution.  But what I want to ask you is this.  How much
> > > overhead
> > > does it take to do this?  Blocking archive files would be an easier
> > > method with
> > > little overhead.  Possibly with a reply to sender that your site does
> > > not
> > > accept archive files.
> > > --- Kinnell <kinnell.t () gmail com> wrote:
> > > > On the network I'm a member of we block all exe files sent inside
> > > the
> > > > rar or zip, so even if it is sent the file will be 0byted.  Wouldn't
> > > > that be a better method?  otherwise if you block all bz2, zip, rar,
> > > > etc... then you will block a lot of useful communication
> > > >
> > > > -Kinnell
> > > >
> > > > On Fri, 11 Mar 2005 16:49:16 -0500, adisegna () siscocorp com
> > > > <adisegna () siscocorp com> wrote:
> > > > > Sean, I have to disagree with you. Any file that that can
> > > encapsulate an
> > > > > executable file should be blocked (IMO). ZIP files are one of the
> > > > > biggest carriers of malicious content these days. I don't make it
> > > a
> > > > > habbit of trusting my users no matter how many times they get
> > > trained.
> > > > > RAR extraction tools are not part of the software image policy on
> > > my
> > > > > network so users are oblivious to the file blocking. What is your
> > > > > solution?
> > > > >
> > > > > Thanks
> > > > >
> > > > > AD
> > > > > Information Technology Group
> > > > > Security Identification Systems Corporation
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sean Crawford [mailto:sean01 () accnet com au]
> > > > > Sent: Tuesday, March 08, 2005 9:39 PM
> > > > > To: security-basics () securityfocus com
> > > > > Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> -----Original Message-----
> > > > > ---> From: adisegna () siscocorp com [mailto:adisegna () siscocorp com]
> > > > >
> > > > > ---> Subject: RE: 543.rar attachment
> > > > >
> > > > > ---> I just recently got the same executable inside .rar. I
> > > extracted
> > > > > the
> > > > > ---> dddd.exe and ran a scan on it. Norton Corporate 9.01 didn't
> > > find
> > > > > ---> anything (as of 4 days ago). I wasn't about to double click
> > > this
> > > > > exe on
> > > > > ---> my corporate network. Block the rar extension on your mail
> > > server.
> > > > > --->
> > > > >
> > > > > rar is a valid compression format...blocking it isn't a very good
> > > > > solution.
> > > > >
> > > > > 2 cents.
> > > > >
> > > > > Sean
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Small Business - Try our new resources site!
> > > http://smallbusiness.yahoo.com/resources/
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com