Re: blocking .ZIP attachments

[Scott Barker <barker () U WASHINGTON EDU>]

While many here have reported no problems with deleting ZIP attachments,
I personally have a HUGE issue with it.

ZIP files (or actually attachments in general) are frequently high value
items.  In fact the attachment is frequently the most important part of
any given email message.  For a university to delete all attachments of
a given type as part of policy is to me asking for big trouble.  

Let me give you a specific example of a real problem we actually had.  A
faculty member was collaborating with a colleague at a university in
another part of the world on a large research grant with an upcoming
deadline.  That remote colleague sent our faculty member several
critical files that were zipped for inclusion in their grant proposal.  

Our University deletes the ZIP attachment immediately so the faculty
member here does not get the file.  Our faculty member is irate because
she has a deadline and the person she is dealing with is 5 time zones
away.  But no one in the central computer organization seems to care
much since it is considered good security to delete the attachment. 

Now in our case we were lucky because there still were a few days left
before the deadline and the faculty member had time to recover. She
complained a lot and had some delay, but she did make it.  But what if
the original sender had left of vacation, or they were working right up
to the deadline and the files were lost?  Such a thing could have cost
our university MILLIONS of dollars in lost research funding not to
mention the extreme aggravation and loss of productivity such a policy
caused for the faculty member in question.

I also have an issue with it on other grounds.  What would you think if
your university started deleting specific words or paragraphs from the
text of an email message because some network administrator thought they
were not desirable?  That is a scary and slippery slope, yet we justify
doing essentially the same thing in the name of security with
attachments.

I'm sorry, it just isn't necessary when there is a REALLY simple
alternative.

Most of the folks here have said - we tell our users to change the
extension to something else if they really want to get the attachment
through.  So my question is... why don't we just do that automatically
rather than delete them?

Don't delete the ZIP, rename it yourself automatically when the mail is
received.  It has the same benefit and effect as the telling users to do
it, they have less to do and worry about, and there isn't an opportunity
for disaster in the case of a critical ZIP file being deleted when
people aren't aware of your deletion policy in advance.  

Of course the incoming mail scanning software you are using may not have
that ability to rename like it has the ability to delete attachments,
but if that's the case pressure the vendor or look for something else.

That's my two cents but unfortunately I haven't talked the folks on our
end into doing it yet!  ;-)

Scott Barker
Information School
University of Washington

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.