RE: 7. Best Current Practices - Attachments (was Re: [Asrg] [RENAMED] Dangerous Attachments from Email Path Verification (has hcash benchmarks))
Thank you for correcting me Yakov, I knew you would ;-)
We do not allow certain content that will make HTML dangerous such as
"open.window" and "<object data=" among a few others. I scour the (certain
unnamed) developer site and look for "enabling" html as I call it. This is
blocked before it can be exploited.
While I understand how it can be used successfully in an intranet, because
the client in question uses the same rendering engine for email as it does
its web browser, you can put anything in an email that you can put on a
webpage.
<rant>
I have repeatedly asked the "Evil Empire" to add another security option
that would turn these "enabled" html commands off specifically in an email,
not the browser. To date... " " has been the answer. So much for all
the press about how they are going to stop spam and viruses.
</rant>
This brings me to another point... I appreciate the segue from myself.
Too often places like news organizations, banks, and others that have a
slew of content developers are making it easier for virus writers to find
exploits. They do this by including in their content-rich email the latest
whizz-bang code, without thought as to who might not approve of it. For
instance, we started blocking CN^2 due to their developer putting in what we
considered "enabling" html. I got a phone call saying that we were now
blocking all of this news content. This is one that I would not back down
on. They changed their code.
<wishful thinking>
Email is turning into a feature-rich FTP client.
What is the problem with just going back to plain text and putting all the
fancy stuff in the attachment?
</wishful thinking>
Note to self: Block all <wishful thinking>
Regards,
Damon Sauer
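An added example, not code from this thread or from any gateway product it mentions, showing the two gateway checks Damon describes: rejecting attachments whose extension marks them as directly executable while letting zipped or tarred copies through, and blocking HTML parts that carry "enabling" constructs such as `<object data=`. The extension sets and the sample message are constructed for illustration, and `window.open(` is assumed to be what his "open.window" refers to.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample of "directly executable" types: opening the file runs code
# with no further user action. Not the 36 types the gateway in the thread blocks.
DIRECT_EXEC = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "wsf", "hta"}
# HTML constructs treated as "enabling"; window.open is assumed to be the
# "open.window" named in the message.
ENABLING_HTML = [
    re.compile(r"<object\b[^>]*\bdata=", re.I),
    re.compile(r"window\.open\s*\(", re.I),
]

def check_message(raw: bytes) -> list[str]:
    """Return policy findings for one raw message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in DIRECT_EXEC:
                findings.append(f"blocked attachment {filename}: directly executable .{ext}")
            # Anything else (zip, gz, tar, renamed extension) is left alone: the
            # user must take an action before it can run, so it is "safed".
        elif part.get_content_type() == "text/html":
            body = part.get_content()
            for pat in ENABLING_HTML:
                if pat.search(body):
                    findings.append(f"blocked html part: matches {pat.pattern}")
    return findings

def build_sample() -> bytes:
    """Constructed test message: HTML with <object data=>, one .exe, one .zip."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("plain text body")
    m.add_alternative('<p>news</p><object data="http://example.com/x"></object>',
                      subtype="html")
    m.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    m.add_attachment(b"PK-not-a-real-archive", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for line in check_message(build_sample()):
        print(line)
```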
-----Original Message-----
From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org] On Behalf Of Yakov Shafranovich
Sent: Monday, September 15, 2003 1:45 PM
To: Sauer, Damon
Cc: 'Eric S. Johansson'; Jonathan Morton; Brad Knowles; asrg@ietf.org
Subject: 7. Best Current Practices - Attachments (was Re: [Asrg] [RENAMED] Dangerous Attachments from Email Path Verification (has hcash benchmarks))
First of all, please keep in mind the posting guidelines at
(http://www.irtf.org/asrg/asrg_mailing_list_information.htm). I changed
the subject since it belongs in the BCP area.
Second, take a look at the archive - we had a similar discussion a while
back with Gordon Peterson about blocking HTML and attachments.
Third, what about HTML content that executes in the preview pane of a
certain UNNAMED email client?
Yakov
Sauer, Damon wrote:
> Our mail systems do not allow 36 directly executable attachment types
> and it has not hindered our business one flea speck. We have not been
> infected by a single email virus since Melissa that can be traced back
> through our email gateways.
>
> The magic words that were used was "directly executable", to me
> meaning that there is no user action that has to take place for the
> code to be executed.
>
> <rant>
> I remember the good ol' days when I could say with my head held high,
> "No, just opening an email message will not give you a virus- it is
> just text." Thanks to the "Evil Empire", creator of non-RFC compliant,
> buggy, unsecured,
> U-do-it-like-we-tell-U2- lookOut or express lookOut. I have to hang my
> head low and nod, when some poor client has his preview pane on and gets
> infected with the latest hourly exploit. Want to blame someone?
> </rant>
>
> We therefore do not allow any directly executable code without it
> being zipped, gzipped, tar'd, stuffed, extension renamed, or any other
> action that will "safe" it and not allow it to run unopposed.
>
> As long as a sender knows this, there is no issue with doing a little
> prep work before sending. Not only that, it is less expensive to the
> mailing systems.
>
> Regards,
> Damon Sauer
>
>
>
> -----Original Message-----
> From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org]On Behalf Of
> Eric S. Johansson
> Sent: Monday, September 15, 2003 8:33 AM
> To: Jonathan Morton
> Cc: Brad Knowles; asrg@ietf.org
> Subject: Re: [Asrg] 6. Email Path Verification (hashcash benchmarks)
>
>
> Jonathan Morton explained:
>
>
>>I did the same with SpamAssassin when Sobig.F started hitting me with
>>hundreds per day (bounces and infections alike). I manually set the
>>MICROSOFT_EXECUTABLE score to 10.0 (the default score is only 0.3) and
>>set up Procmail to dump messages above 8.0. I'm pretty sure that dealt
>>with over 99% of the problem.
>>
>>I personally think that nearly all ISPs, especially those with a large
>>proportion of newbies, should delete directly-executable attachments
>>without question.
>
>
> while there is an autocratic part of me that agrees most heavily with
> what you say, I also fear the hubris inherent in the situation. This
> is what I think in isolation place or spamtrap equivalent is what is
> called for. That way the user can determine whether or not they really
> want that piece of e-mail. On the gripping hand however I have rarely
> received an executable by e-mail from anyone except someone I have had
> long conversations with (i.e. OEM technical support)
>
> the nice thing about a spamtrap (at least the way I have
> designed/implemented) is that I can get an audit trail of messages and
> who approved them. So in the case of a virus, you can know which
> employee is a FWM and started the infection process.
>
> ---eric
>
>
> *****
> "The information transmitted is intended only for the person or entity
> to which it is addressed and may contain confidential, proprietary,
> and/or privileged material. Any review, retransmission, dissemination
> or other use of, or taking of any action in reliance upon, this
> information by persons or entities other than the intended recipient
> is prohibited. If you received this in error, please contact the
> sender and delete the material from all computers."
>
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
>