Educause Security Discussion mailing list archives
Re: blocking .ZIP attachments
From: Scott Barker <barker () U WASHINGTON EDU>
Date: Fri, 20 Aug 2004 21:41:33 -0700
While many here have reported no problems with deleting ZIP attachments, I personally have a HUGE issue with it. ZIP files (or actually attachments in general) are frequently high value items. In fact the attachment is frequently the most important part of any given email message. For a university to delete all attachments of a given type as part of policy is to me asking for big trouble. Let me give you a specific example of a real problem we actually had. A faculty member was collaborating with a colleague at a university in another part of the world on a large research grant with an upcoming deadline. That remote colleague sent our faculty member several critical files that were zipped for inclusion in their grant proposal. Our University deletes the ZIP attachment immediately so the faculty member here does not get the file. Our faculty member is irate because she has a deadline and the person she is dealing with is 5 time zones away. But no one in the central computer organization seems to care much since it is considered good security to delete the attachment. Now in our case we were lucky because there still were a few days left before the deadline and the faculty member had time to recover. She complained a lot and had some delay, but she did make it. But what if the original sender had left of vacation, or they were working right up to the deadline and the files were lost? Such a thing could have cost our university MILLIONS of dollars in lost research funding not to mention the extreme aggravation and loss of productivity such a policy caused for the faculty member in question. I also have an issue with it on other grounds. What would you think if your university started deleting specific words or paragraphs from the text of an email message because some network administrator thought they were not desirable? That is a scary and slippery slope, yet we justify doing essentially the same thing in the name of security with attachments. I'm sorry, it just isn't necessary when there is a REALLY simple alternative. Most of the folks here have said - we tell our users to change the extension to something else if they really want to get the attachment through. So my question is... why don't we just do that automatically rather than delete them? Don't delete the ZIP, rename it yourself automatically when the mail is received. It has the same benefit and effect as the telling users to do it, they have less to do and worry about, and there isn't an opportunity for disaster in the case of a critical ZIP file being deleted when people aren't aware of your deletion policy in advance. Of course the incoming mail scanning software you are using may not have that ability to rename like it has the ability to delete attachments, but if that's the case pressure the vendor or look for something else. That's my two cents but unfortunately I haven't talked the folks on our end into doing it yet! ;-) Scott Barker Information School University of Washington ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: blocking .ZIP attachments, (continued)
- Re: blocking .ZIP attachments John C Borne (Aug 19)
- Re: blocking .ZIP attachments Davis, Thomas R. (Aug 20)
- Re: blocking .ZIP attachments Theresa M Rowe (Aug 20)
- Re: blocking .ZIP attachments Jim Bollinger (Aug 20)
- Re: blocking .ZIP attachments F.L.Ferreri (Aug 20)
- Re: blocking .ZIP attachments Matthew Keller (Aug 20)
- Re: blocking .ZIP attachments Cal Frye (Aug 20)
- Re: blocking .ZIP attachments Jenny Gluck (Aug 20)
- Re: blocking .ZIP attachments Michael_Maloney (Aug 20)
- Re: blocking .ZIP attachments Jeffrey I. Schiller (Aug 20)
- Re: blocking .ZIP attachments Scott Barker (Aug 20)
- Re: blocking .ZIP attachments Lucas, Bryan (Aug 20)