Re: Email sanitizing - requesting advice
- To: techies@lists.cleannorth.org
- Subject: Re: Email sanitizing - requesting advice
- From: Dan Brosemer <odin@cleannorth.org>
- Date: Thu, 24 May 2001 16:32:14 -0400
- In-Reply-To: <3B0D1902.93D7CFA5@cleannorth.org>; from kathie@cleannorth.org on Thu, May 24, 2001 at 10:21:54AM -0400
- List-Help: http://lists.cleannorth.org/
- List-Unsubscribe: http://lists.cleannorth.org/
- Mail-Followup-To: techies@lists.cleannorth.org
- References: <20010522171821.A28464@cleannorth.org> <3B0D1902.93D7CFA5@cleannorth.org>
- Resent-Date: Thu, 24 May 2001 16:28:34 -0400
- Resent-From: techies@lists.cleannorth.org
- Resent-Message-ID: <tL2oMB.A.1BB.y7WD7@skirnir>
- Resent-Sender: techies-request@lists.cleannorth.org
- User-Agent: Mutt/1.2.5i
On Thu, May 24, 2001 at 10:21:54AM -0400, Kathie Brosemer wrote:
> I like your suggestion of a combination of approaches to the problem. I
> could add virus ed 101 to the general orientation we give new employees
> and volunteers at the office, which is already quite extensive with the
> procedures for phone, the website, etc.

Sounds good to me. Thanks.

> What I would need is a set of generally-accepted principles, e.g. "Don't
> open any .exe files unless you are certain of whom they came from and
> what they contain," or alternatively "Never open a .exe file before
> checking with technical support or running XYZ virus scanning software
> on it ..." or whatever.

Now, _that_ is the hard part. Just for demonstration purposes, here is a partial list of files that are potentially dangerous (that I wouldn't expect any user to memorize)

exe,com,cmd,bat,pif,scr,sct,lnk,dll,ocx,doc,dot,xls,xlw,xlt,ppt,pot,rtf,
vbs,vbe,vb,hta,pl,pm,shb,shs,hlp,chm,eml,wsc,wsf,wsh,ade,adp,jse,js,mda,
mdb,mde,mdw,msi,msp,reg,asd,cil,pps,asx,wms,wmz,wmd,tcl

... and I'm sure I'm missing a few.

No administrator in their right mind will expect their users to remember all that, and, though no-one has recently accused me of being in my right mind, I'll have to follow suit here.

Perhaps a good rule would be:

"If it isn't important to your work, no matter how safe you think it is, don't open an attachment." (subject to improvement)

But that doesn't _really_ solve the problem I was asking about. See, I'm already defanging that stuff for @cleannorth.org addresses. (I don't want to _solely_ rely on that, but it's a good start, anyway.)

I can't, however, defang this junk if it comes in over web-mail. More importantly, I can't defang the most serious problem with web-mail: .html files... why? Because your web-mail would cease to work if I tried.

See Dave's link in http://lists.cleannorth.org/archive/techies/2001-05/msg00023.html for why html files are a problem in web mail.

We don't have the computing power to filter out <LAYER> tags (well, wedge is capable, but wedge is a client, not a server), and even if we had the power, we wouldn't want to filter out <DIV> tags because <DIV> has quite legitimate (and worthwhile) uses. But no amount of user education will curb the risks described there.

And, the thing is, MS isn't about to start defanging <DIV> tags out of HTML mail sent to their subscribers. Why? Outlook puts <DIV> tags all over the place in the mail it creates. Those tags are benign, but MS is unlikely to break their own software just to fix a major security flaw. (or am I just being pessimistic? They've refused three times to correct the issue when contacted by three separate security groups).

> With a list of such principles, updated regularly, I would take on the
> education side. As you know, I cannot generate that list (I was the one
> who ran brain.exe from this system two months ago, remember?).

:) And that's the reason we have virus scanning software now. This is good. Every now and then, I need to be startled into realizing what the users are capable of. :)

I think a good start is my little rule above. I'd add to it:

If you must use web-based email, please use a service that takes security at least as seriously as we do. Currently, only HushMail (http://www.hushmail.com/) and Mail.com (http://www.mail.com/) fit that bill. This is not enforced technically only because to do so would cause more harm than good in the eyes of the system administrators. If our systems come into harm even once due to use of web-mail clients, blocking rules will be in place until a better solution can be found. (That solution may only come when Microsoft, Yahoo, et al. decide to start protecting their customers from active HTML attacks in email).

And now that everyone at the office has "loginname@cleannorth.org", and new accounts will be created with netscape _already_ set up to work with this, I'm sure we could survive if a "love bug of web-based email" were to go rampant.

Are we happy with that?

-Dan

--
"There are two limits that this standard places on the number of characters in a line. Each line of characters MUST be no more than 998 characters, and SHOULD be no more than 78 characters, excluding the CRLF."
-- rfc2822 - Internet Message Format