
Dave Howe wrote:
> Crist Clark wrote:
>> Unless your AV software has a clue, like most do, and unzips archives and sees what's inside.
>
> which is ideal for virus scanning, but not for blanket-blocking of email. A zipped archive containing an executable cannot (unless something has changed that I don't know about) be automatically opened by any mail client - the user must make a deliberate attempt to open the archive, then execute the attachment (although the actual extraction can be performed automatically by many decompression utilities if you double-click an executable or document inside its browser).

Automatic opening by Outlook and Outlook Express (I'm not aware of any other MUAs that have actually had worms in the wild that do this) has actually only been used by a few worms. As I mentioned in the original mail, this is how Mimail from a week or two ago spread. An *.htm (not even "executable," whatever that means on Windows anymore) was inside of a zip.

> there is of course no allowing for the stupidity of users - but if you have a stupid enough user you could induce him to bypass any protection anyhow.

AFAIK, the present scourge of the net, Sobig.F, requires the reader to "click on it." It's not one of those that takes advantage of Outlook or IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiosity. We've been telling them not to do this for several years. They still do it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file, whether it is one or two steps. It's too easy for the curious. My goal is to have the ones who _really_ want to get a "forbidden" extension through the system need to actually *gasp* use the keyboard to rename the file! That means they have to save the mangled name to a file, rename it back, and then "run" it. Ju-ust that little bit of effort is enough to stop several nines of the curious.

I remember wa-ay back in the Melissa days, before AV email gateways were widely used, implementing MIMEdefang which did these simple things. That was, and still is, enough to stop an awful lot of this junk. Similarly, if someone wants to zip some things up, mangle the zip extension, and then send it on through, it's OK with me. That's enough to stop the curious.

-- 
Crist J. Clark
crist.clark@globalstar.com
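The extension-mangling step described above (rewrite the attachment name so a recipient has to save the file and rename it by hand before anything will run it), as an added example written for this page in Python; it is not MIMEdefang's own code, and the forbidden-extension list and the `_defanged` suffix are assumptions:

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a curious user could "click through" on a Windows MUA.
# This list and the suffix are assumptions for the example, not
# MIMEdefang's defaults; .zip is included because the thread above
# is happy to mangle zip names too.
FORBIDDEN_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "zip"}
MANGLE_SUFFIX = "_defanged"


def mangle_filename(name: str) -> str:
    """Return the name with a forbidden extension mangled.

    "details.exe" -> "details.exe_defanged": the original extension is
    still visible, but no mail client associates the new name with an
    executable, so the user must save and rename it to run it.
    """
    _stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in FORBIDDEN_EXTENSIONS:
        return name + MANGLE_SUFFIX
    return name


def defang_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 822 message and mangle every risky attachment name.

    Returns the rewritten message and the original names that changed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    changed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        new_name = mangle_filename(name)
        if new_name == name:
            continue
        changed.append(name)
        # Rewrite both places a client may read the name from.
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", "attachment", filename=new_name)
        part.set_param("name", new_name, header="Content-Type")
    return msg, changed


def build_sample() -> bytes:
    """Constructed sample: a worm-style mail with .exe, .zip and .txt attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: details"
    msg.set_content("See the attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="details.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment("just notes", filename="notes.txt")
    return bytes(msg)
```

Running `defang_message(build_sample())` leaves `notes.txt` alone and reports the two mangled names.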