[Esa-l]Sircam with application/mixed

Lee Howard faxguy at deanox.com
Thu Aug 2 09:02:34 PDT 2001

At 08:54 AM 8/2/01 -0700, IT Department - CI Holding Group, Inc. wrote:
>At 08:40 PM 7/31/2001 -0600, Lee Howard wrote:
>>Both.  Because of local needs, I do not poison anything based on filename
>>extension, only on complete filename (i.e. "happy99.exe").  And, the
>>antivirus program gives me some reassurance that this should generally be
>>enough.  The sanitizer does a wonderful job of defanging potentially
>>dangerous attachments to our Microsoft Outlook mail client base.  We are
>>fortunate that the user base is intelligent enough to think twice before
>>defanging an attachment to run it.
>I used to think that way as well, until we were hit with some unknown 
>virii.  Luckily, now I do double-extension blocking (per John's filter), 
>and we have prevented Melissa, I Love You, SirCam, Hybris et al.
>I think that if we had not been blocking those patterns, we too would have 
>been a victim of the dreaded "click" that most users do without thinking 
>twice (even w/ training).

If the sanitizer is defanging attachments, then it requires more than just
a "click" to defang and run the attachment.  To me, you'd have to be quite
a bone-head to defang and run an attachment coming from
"hahaha at sexyfun.net"... which, since the av program catches it, will get
/dev/null'd anyway.


More information about the esd-l mailing list