[Esd-l] Finding Legitimate Attachments

Eric Andreychek Eric.Andreychek at rwcwarranty.com
Wed Jan 28 13:42:33 PST 2004



Like everyone else, we're trying hard to fight off the attacks from the
plethora of virii and worms that are wandering about.  We're running anti-virus
software, dropping suspicious attachments, and mangling most of the others.

Lost in that mix is what to actually do about legitimate attachments.  For
example, we have had legitimate needs for users to send or receive exe files.
Since exe files are routinely stripped, our usual response has been to add them
to zip files.  Not everyone is familiar with zipping files.  I can help our
users, but explaining the intricacies of zip files to all of our customers is a
bit time consuming.  Still, this has been our best option to date, and I'm
concerned about how to handle the new swarm of viruses found inside zip files.

We could add some people to a whitelist in the procmailrc file, but that's
dangerous -- a user sending us a legitimate exe file today might have a virus
tomorrow, which would come cleanly through if they were whitelisted.

Users could add a special header to an email that needs to bypass the scanner,
but that's equally dangerous.  They might just permanently add the header to
all outgoing email, and once again we'd get nailed if they happen to get a

In thinking about how to handle this, I thought about a method some people use
to fight spam -- the challenge-response system.

What if there were a program that, upon seeing potentially harmful attachments,
could queue the email and notify the sender, asking if they really meant to
send the attachment.

If yes, virus scan it (optionally) and send it through.  If not, delete it.

I can see the following problems:

* It's dependent on the user responding correctly
* It could potentially double the amount of email during a virus breakout

There are probably more disadvantages.

The advantages:

* Users can easily get legitimate attachments that once would have been stripped
* While the potential to double email exists, the potential to lessen email
also exists.  If users don't end up getting viruses, they can't spread them.

There may be some more advantages.

Are there any thoughts regarding the use of a system like this?  Do you think
the advantages outweigh the disadvantages?

I'm eager to hear your thoughts.  Thanks,

-- 
Eric Andreychek
Residential Warranty Corporation
(717) 561-4480 x2245
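The queue-and-confirm flow proposed above, as an added example that is not code from the original post or from the esd-l project. It assumes a per-message filter (such as one invoked from a procmail recipe) calls `AttachmentGate.inspect()` on the raw message, that the gate's own address, the list of risky extensions, the `[attach-<token>]` subject tag and the `toy_scan` stand-in for a real virus scanner are all local choices, and that the sample messages are constructed here rather than captured. The risk check covers the case the post worries about: an executable that arrives inside a zip, and one that arrives renamed but still starts with the PE `MZ` header.

```python
"""Challenge-response gate for risky e-mail attachments (added example).

Not code from the original post.  Assumed: a filter invoked per message
(e.g. from procmail) calls AttachmentGate.inspect(); risky mail is held and
a challenge goes to the sender; a reply quoting the token releases the mail
(after an optional scan) or deletes it.  Unanswered mail expires.
"""
import email, io, re, secrets, time, zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")  # assumed policy list
TOKEN_RE = re.compile(r"\[attach-(?P<token>[A-Za-z0-9_-]{16,})\]")


def _risky_name(name):
    return (name or "").lower().endswith(RISKY_EXTS)


def find_risky_attachments(msg):
    """Labels of parts that must not pass unconfirmed: a risky file name, a PE
    'MZ' header under any name, or a risky member inside a zip archive."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() in ("multipart", "text"):
            continue
        name, data = part.get_filename(), part.get_payload(decode=True) or b""
        if _risky_name(name) or data.startswith(b"MZ"):
            found.append(name or part.get_content_type())
        elif data.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    found += [f"{name}:{m}" for m in zf.namelist() if _risky_name(m)]
            except zipfile.BadZipFile:
                found.append(f"{name}:unreadable-zip")  # cannot inspect it, so hold it


    return found


class AttachmentGate:
    def __init__(self, scan=None, ttl=3 * 24 * 3600, clock=time.time,
                 gate_addr="attachment-gate@example.com"):  # gate address is assumed
        self.scan, self.ttl, self.clock, self.gate_addr = scan, ttl, clock, gate_addr
        self.held = {}        # token -> {"raw", "sender", "at"}
        self.delivered = []   # messages passed through to the user
        self.dropped = []     # tokens deleted, expired or failed the scan

    def inspect(self, raw):
        """Return ("deliver", None) or ("held", challenge_message) for inbound mail."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        risky = find_risky_attachments(msg)
        if not risky:
            self.delivered.append(msg)
            return "deliver", None
        token = secrets.token_urlsafe(18)  # unguessable: the token is the only authenticator
        sender = parseaddr(str(msg.get("From", "")))[1]
        self.held[token] = {"raw": raw, "sender": sender, "at": self.clock()}
        ch = EmailMessage()
        ch["From"], ch["To"] = self.gate_addr, sender
        ch["Subject"] = f"Confirm attachment [attach-{token}]: {msg.get('Subject', '')}"
        ch.set_content("Your message carried " + ", ".join(risky) + ".\n"
                       "Reply with YES as the first line to deliver it, NO to discard it.\n")
        return "held", ch

    def handle_reply(self, raw):
        """Act on a reply to a challenge: released / deleted / infected / expired / unknown."""
        reply = email.message_from_bytes(raw, policy=policy.default)
        m = TOKEN_RE.search(str(reply.get("Subject", "")))
        if not m or m.group("token") not in self.held:
            return "unknown"
        token, entry = m.group("token"), self.held.pop(m.group("token"))
        if self.clock() - entry["at"] > self.ttl:
            self.dropped.append(token)
            return "expired"
        body = reply.get_body(preferencelist=("plain",))
        lines = [ln.strip() for ln in (body.get_content() if body else "").splitlines() if ln.strip()]
        if lines and lines[0].lower().startswith("yes"):
            if self.scan is None or self.scan(entry["raw"]):   # optional scan before release
                self.delivered.append(email.message_from_bytes(entry["raw"], policy=policy.default))
                return "released"
            self.dropped.append(token)
            return "infected"
        self.dropped.append(token)
        return "deleted"

    def expire(self):
        """Drop held messages nobody answered within ttl; returns how many were dropped."""
        now = self.clock()
        stale = [t for t, e in self.held.items() if now - e["at"] > self.ttl]
        for t in stale:
            self.dropped.append(t)
            del self.held[t]
        return len(stale)


# --- constructed sample traffic (not real mail) -----------------------------
def make_message(sender, subject, attachments):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("See attached.")
    for fname, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


def make_reply(challenge, text):
    r = EmailMessage()
    r["From"], r["To"] = str(challenge["To"]), str(challenge["From"])
    r["Subject"] = "Re: " + str(challenge["Subject"])
    r.set_content(text)
    return r.as_bytes()


def zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def toy_scan(raw):
    """Stand-in for a real scanner (assumed); flags the EICAR marker in any attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return not any(b"EICAR" in (p.get_payload(decode=True) or b"") for p in msg.iter_attachments())


def demo():
    gate, out = AttachmentGate(scan=toy_scan), {}
    out["clean"], _ = gate.inspect(make_message("alice@example.org", "invoice", [("invoice.pdf", b"%PDF-1.4")]))
    out["zip"], ch = gate.inspect(make_message("bob@example.org", "tool", [("tool.zip", zip_bytes({"setup.exe": b"MZ\x90"}))]))
    out["zip_reply"] = gate.handle_reply(make_reply(ch, "yes, that one is mine"))
    out["renamed"], ch = gate.inspect(make_message("carol@example.org", "photo", [("photo.jpg", b"MZ\x90 worm")]))
    out["renamed_reply"] = gate.handle_reply(make_reply(ch, "no"))
    out["infected"], ch = gate.inspect(make_message("dave@example.org", "patch", [("patch.exe", b"MZ EICAR")]))
    out["infected_reply"] = gate.handle_reply(make_reply(ch, "YES"))
    out["bogus"] = gate.handle_reply(make_message("x@example.org", "[attach-" + "A" * 24 + "]", []))
    return out, gate


if __name__ == "__main__":
    print(demo()[0])
```

Two points a deployment has to live with: the From header is not authenticated, so the challenge may land on whoever a worm forged as sender, and any auto-responder that quotes the subject back will "confirm" the mail; the random token therefore carries the whole decision, and the scan on release is what actually stops a confirmed-but-infected message. Expiring unanswered mail keeps the queue bounded when, as the post notes, an outbreak doubles the traffic.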