-
E-Mail Block EXE's?
I work at my local ISP and we here are talking about filtering out all EXE attachments. If someone wants to send an EXE file they will have to zip it up. This, we believe, will give the receiver more time to scan the file before opening it up.
Do You Think We Should Filter EXE Files Or Is It Too Much Of Us To Ask Our Customers To Zip Them Up?
-
Well, if you are talking home users you would be wasting your time really. If they could not get the file or did not know how to zip it they'd set up a temp email account for free and say send it here, and if under 3 megs, one click and the infection starts. As a pro admin I can block just about anything arriving by email and catch the rest with virus scanners. I cannot however block lame users going to a free email account, and then downloading it. Forget an ISP, they have IM, IRC also. There is no cure for lame users, especially when M$ touts their software as being secure. It is really too much to ask of end users unless, say, they lose their connect because of setting loose an infection or have an unsecure. As an ISP do you promote use of virus scanners and, say, firewalls? Give lame users these by default or at least make them very aware of it.
-
I'm with pale moon on this one.
If you decide to do this you better beef up your support staff 'cause you'll be swamped with calls. "What happened to my file?" And I really don't think it's a service provider's place to do this unless you have software like AOL that zips/unzips things automatically and want to cater to the computer illiterate.
-
Working for an ISP before I understand both sides of it. #1 block .exes that would stop calls from the morons that call in all day long talking about I got a virus you are my ISP and you should be cleaning them out for me. Trust me I have had plenty of those lusers. Then you get the people that know what they are doing and take precautions and we don't want someone telling us that we NEED to zip our files even though we might do this ourselves. It is a lose-lose situation but ISPs always have people that are not technically savvy reviewing their operation and they are the ones that come up with this stupid stuff but to the luser it may sound like a great idea.
-
Not a good idea for ISPs to block exe in mail. It's gonna result in a shitload more calls by their end users. I think a better idea would be to offer the service to users and allow them to choose if they want it. Then at least you can always say that the user has signed for it and thus the exe has been blocked.
-
I'm with r8devil on this one..
It's easy to configure it in a way users can select how they want their mail to be filtered..
try procmail
http://www.impsec.org/email-tools/pr...-security.html
you could also use mangled ("defanged") attachment filenames,
this could get you a lot of user calls.. but they will be safe from virii
and will still be able to get them (damned) exe attachments..
http://www.impsec.org/email-tools/sa...-unmangle.html
-
Tricky one that:
- As an ISP it's generally your responsibility to provide users with a correct, working, unfiltered internet connection. Some users could consider filtering email to be a fault.
- But of course .exes in email aren't really that useful
- But people do send them sometimes legitimately
If you filter exes, you may as well filter out dozens of other file types often used by worms too, and put in a rule which throws anything which looks like an mz exe away (even if it isn't called .exe)
Ideally you'd have the filters turned on by default, and provide the user an option to turn it off.
Also, if you do remove an attachment from an email, add a text file explaining why the attachment was removed and telling them how to get it not removed.
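
As an added example that is not from the thread or from any tool named in it: the filter described in the post above, written with Python's standard `email` package. It removes parts by extension or by the MZ header, leaves the rest of the mail intact, and puts a text notice in place of each removed attachment; the extension list, notice wording and sample message are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in this thread; the list and the notice text are assumptions.
BLOCKED_EXT = (".exe", ".pif", ".vbs", ".scr", ".bat")
NOTICE = ("The attachment {name!r} was removed by the mail filter ({reason}).\n"
          "Ask the sender to zip it, or turn this filter off for your mailbox.\n")


def blocked_reason(part):
    """Return why this MIME part should be removed, or None to keep it."""
    name = (part.get_filename() or "").lower()
    if name.endswith(BLOCKED_EXT):
        return "blocked file extension"
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":  # DOS/PE header magic, whatever the file is called
        return "MZ executable header"
    return None


def filter_message(raw):
    """Strip executable attachments; keep the mail and leave a notice behind."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = blocked_reason(part)
        if reason:
            name = part.get_filename() or "unnamed"
            removed.append(name)
            # set_content() clears the old payload and Content-* headers first.
            part.set_content(NOTICE.format(name=name, reason=reason),
                             filename="ATTACHMENT-REMOVED.txt")
    return msg, removed


def build_sample():
    """Constructed test mail: one .exe, one MZ file renamed .pdf, one text file."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "customer@example.net"
    msg["Subject"] = "files"
    msg.set_content("See attached.\n")
    for name, data in (("setup.exe", b"MZ\x90\x00fake"),
                       ("invoice.pdf", b"MZ\x90\x00fake"),
                       ("notes.txt", b"plain notes\n")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

`filter_message(build_sample())` returns the rewritten message together with the names of the removed attachments; the renamed `invoice.pdf` is caught by its header rather than its name.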
-
Another consideration on this one is self-extracting zipfiles.
I sometimes send files to my parents and they are totally clueless when it comes to software. So instead of trying to explain to them what zip means, I just create a self-extracting zipfile, and tell them to double-click on it.
(But then, I've also installed firewall and anti-virus software on their PC).
It's a tough choice, being a service provider.
Cheers,
BrainStop
-
I agree that blocking .exe, .doc and .xls files is a mistake. We tried it briefly and quickly stopped it. I do not think, though, there is anything wrong with blocking .pif, .vbs, .scr, and .bat from coming through. They are nonstandard for the average user to send, and those people who are sending them are technical enough that if you explained your reasoning, would agree.
A good solution is a package like exim and create mail filters via exim. Here you can block out files with those extensions and also create custom filters for certain .exe's that you know are virii currently being sent through the internet.
Grinler
-
We offer a service called spamzapper, what it does is create a folder called spam and most of the spam you receive goes there instead of your inbox. What we wanted to do is add another to its rules that will also send the EXE's and not the message to that folder.
When they view their message it will display a message like:
--------------------------------------------------------------------------------------------
Attachment May Have Contained A Virus And Was Sent To SPAM folder
--------------------------------------------------------------------------------------------
Would This Be A Good Idea? It Should Cut Back On The Spread Of Most E-Mail Virii
Or Should We Just Tell Them To Buy A Good AV w/ E-mail Protection?
-
Well not sure really how to respond...
If it was any type of company besides an ISP - I'd definitely say that it's a good idea. As an ISP though, some end users may consider it a 'problem' and even go so far as deciding to not use that ISP for that reason alone...
Again, if not an ISP, it would be a good idea - in my opinion... A couple years ago we started filtering out all exe, bat, scr, doc, vbs, and probably a few others. For the first couple weeks we had people questioning it and complaining. But since then we've gone from an average of 1 virii infection per month to now running 18-plus months without a single infection...
The main thing to make sure, if you do filter them out, is to only filter out the attachment and leave the email intact, preferably with a note/comment added to it stating that the attachment was removed. That way people still get all their messages, and they are alerted to attachments being removed - so that they know about it should they need to find another way to transfer it...
RRP
-
You should always tell them that overall they are responsible for the upkeep of their computers. So yes always encourage an up to date antivirus and a firewall. That would be something good though you don't delete the emails just send them to a different folder so they are aware that they need to be careful when they open it. But let them know that it went there because if it gets deleted as a false positive for spam then your ISP is in trouble when someone in a business decides they are sending attachments. Trust me it happens you get some bigshot that doesn't know his a$$hole from a hole in the ground complaining but doesn't know what he did or didn't read the whole thing.
-
bpiedlow's idea is quite good as my company uses the same method to block attachments that we consider unsafe. The attachment is removed but the mail goes thru without the attachment but with a note informing the user what has happened and this doesn't alarm the user too much because they know what's happening and can find some other way to get the transfer done. But for an ISP this might not work as there are lots of dumbass users out there who are gonna complain and bitch about it and they are gonna flood your helpdesk with calls. All depends on what you would rather have: people complaining that their attachments are not going thru or people complaining that their system is infected by viruses. It's something for higher management to decide cos it all depends on which one you would consider would waste more resources trying to solve and explain to the user.
Moving it into a spam folder with an indication that the mail might be infected leaves it up to the user. It's much easier to explain this way.
-
Just checking on the thread. Again the ISP function is the transport layer, nothing more or less just like a dial tone on the phone. When was the last time your Telephone Company took it upon themselves to cut those pesky telemarketers? Why should an ISP take on this role? An ISP would have happy campers if they did not sell that same transport layer to like the telephone company Marketers it makes them $$. So let's look then at the problem the two latest blended threats Mimail and Blaster, only 50% of the problem was caused by email, and checking known facts Mimail was and is being developed by someone working on viral marketing next release expected soon. The second exploit needed no response (Blaster from the user) no patch they became infected, and I feel again this has something to do with money and programs to market something. Blaster looked for a web site to download other things and what better diversion than a DDOS attack on M$ but it looking at the code could have been the latest Viagra replacement company.
So blocking an EXE is not going to do squat in today's online world as long as M$ with 90% of all Desktops and all their flaws reside and are Marketed as "Trustworthy Computing" change. I manage a small network of 6 servers and about 50 users for a business. M$ says it's my fault for not deploying their patches fast enough it was out since blah....blah...blah... Ok fine M$ in a work a day world I cannot re-boot all my servers at 8:00 AM or what ever I become aware and installed the patch on the servers let alone the 50 users workstations the patch needs to be deployed upon. Business is about time, billable time as with an ISP. As an ISP offer the tools Firewalls, Virus scanners and make their install if you want the connect must be installed by default. As an ISP you must then not give to M$ but demand payment for the cost of deploying all their patches to your clients of their swiss cheese O$.
Blocking an EXE is not an answer it begs to ask why as an ISP must we do this thing, why is a product marketed like M$ and the WEB as safe then truth in Advertising says not to mislead people yet M$ and Bill are perhaps the best Marketers of false claims? OOPS (Object Orientated Programming S*!..stuff)
But M$ what you get is not what's sold, Business people have had enough as should an ISP!
OOPS just venting!
Peace