hotmail password request tool (intranet usage)

Genius has its limitations. Stupidity knows no boundaries.

Reply to
MyndPhlyp

We do not delete ZIP attachments (or -ever- alter message bodies) but it is relatively trivial to detect the real file type of an attachment, even if it is maliciously renamed to conceal it.

Email attachments are encoded using Base-64, which is deterministic -- so the "magic numbers" at the beginning of a binary data file will always come out to a given pattern of Base-64 encoding. Thus, a simple regular-expression matcher (as is built in to the Postfix MTA and many others) will suffice to detect and reject messages with attachments of a given type, even renamed.

It was in response to anti-virus software that can scan into ZIP files that some email viruses started sending themselves as passworded files. They'd include the password in the message body and instruct the user to open the attachment using it. Nobody should be surprised that this worked -- indeed, telling the user that the attached document is so important that it had to be passworded is a good bit of social engineering.

I personally consider it bad practice for a mail server to alter the contents of a message, as by deleting an attachment. Doing so creates the (correct!) impression that "the computer people are fooling with my email" and damages users' trust. It also fails to inform the *sender* that the message was not transmitted successfully -- and the SMTP language has no way to express 'partial delivery'.

What's more, it's not terribly effective at reducing the fuss and bother associated with viruses. Email viruses do not attach themselves to 'real' messages -- they send messages of their own, which serve no purpose but to pass the virus. Stripping the attachment off such a message and delivering it tells the user, "I know this message was junk meant to harm you. I killed it. Here, have its corpse!" Except to the sort of user who *likes* it when the cat delivers dead birds and mice, this is silly behavior. Users have enough clutter in their mailboxes without the corpses of viruses added to the mix.

When a message comes in that the security rules say must not be delivered, the sensible thing for the mail server to do is to simply reject it. SMTP rejection means the recipient's mail server doesn't even accept the message for delivery -- it says "no, thank you" and leaves it up to the sender's mail server to report the failure. In the case of a virus, the sender usually just goes away and harasses someone else. In the case of real mail erroneously intercepted, the rejection can come with an informative error message ("Sorry, we don't allow ZIP files in email. Please use a file transfer protocol when you want to transfer files!") that the sender will then receive and can handle appropriately.

Reply to
Karl A. Krueger
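Karl's point about Base-64 being deterministic is easy to verify: the first bytes of a file fix the first characters of its Base-64 encoding, so an MTA can classify an attachment from the encoded text alone, without decoding it and without trusting the filename. The following is an added illustration written for this thread, not Karl's code or a Postfix component. It builds the stable Base-64 prefix for a small (constructed) table of magic numbers, anchors a regex on it, and runs it over a constructed MIME message in which a real ZIP has been renamed to report.txt.

```python
from __future__ import annotations

import base64
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Magic numbers for the types a site might refuse. Constructed table for this
# example; extend it to match local policy.
MAGIC = {
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
    "rar": b"Rar!\x1a\x07",
    "gzip": b"\x1f\x8b\x08",
}


def stable_b64_prefix(magic: bytes) -> str:
    """Base-64 characters fully determined by `magic` when those bytes sit at the
    start of the encoded stream, which a MIME attachment boundary guarantees.
    Each output character covers 6 bits, so 8*len(magic) bits fix floor(8n/6)
    characters; the next character also depends on the byte after the magic."""
    n = (len(magic) * 8) // 6
    return base64.b64encode(magic + b"\0\0").decode("ascii")[:n]


def build_matcher() -> tuple[re.Pattern[str], dict[str, str]]:
    """Regex anchored at the start of the encoded payload, longest prefix first."""
    prefixes = {stable_b64_prefix(m): name for name, m in MAGIC.items()}
    alternation = "|".join(re.escape(p) for p in sorted(prefixes, key=len, reverse=True))
    return re.compile(rf"^({alternation})"), prefixes


MATCHER, PREFIXES = build_matcher()


def sniff_base64_payload(encoded: str) -> str | None:
    """Classify a Base-64 body from its first characters, without decoding it."""
    m = MATCHER.match(encoded.lstrip())
    return PREFIXES[m.group(1)] if m else None


def scan_message(raw: bytes) -> list[tuple[str | None, str | None]]:
    """Return (declared filename, sniffed type) for every Base-64-encoded part.
    The filename is reported only for contrast; the decision never uses it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        # decode=False keeps the transfer-encoded text, which is exactly what an
        # MTA body check sees line by line.
        results.append((part.get_filename(), sniff_base64_payload(part.get_payload(decode=False))))
    return results


def build_sample() -> bytes:
    """Constructed message: a genuine ZIP renamed to .txt, plus an innocuous blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ\x90\x00 placeholder, not a real PE")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="report.txt")  # the renamed ZIP
    msg.add_attachment(b"plain bytes, nothing to see here", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for prefix, kind in PREFIXES.items():
        print(f"{kind:5} -> body line starts with {prefix!r}")
    print(scan_message(build_sample()))
```

The ZIP prefix the code derives, UEsDB, is the same string one would put in a Postfix body_checks rule of the form `/^UEsDB/ REJECT ZIP attachments are not accepted here`, which produces the informative SMTP-time rejection Karl describes rather than a silently stripped attachment. Two caveats a practitioner will want: the prefix is only stable when the magic bytes start a Base-64 stream (a file wrapped inside another container shifts the alignment), and a line-oriented body check also fires on the same bytes pasted inline in a message body, which is usually what you want anyway.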

It's probably a virus or malware etc. doing bad things, but the CPU and OS are different.

This thing we see is maybe the first propagation of a new usenet/mail worm, and I bet the poster has no clue what 'usenet' is, machine zombied.

Come on, nobody can be _that_ stupid lol.

Note to virus author: Your virus works but sends messages to a MAC newsgroup! :P

Ilgaz Ocal

Reply to
Ilgaz

W32.Goldun.M virus, Intego VirusBarrier reports.

I saved a lot of people from checking the file, I bet ;)

Yay, so I have an anti-virus in fact :P

Ilgaz

Reply to
Ilgaz

And posted via groups.google.com, definitely reporting to Google. Very interesting! Google got no NNTP access, yes?

Ilgaz

Reply to
Ilgaz

Why would you assume that anyone would make AV software that can't scan inside Zips? Our virus detection software will scan 15 levels deep in a Zip file (and we can set it for more).

Reply to
Leythos

Why not put a passworded zip into a scannable zip?

André

Reply to
André Thiem

How about the admins doing their job instead of deleting stuff in users' email? Like choosing a secure OS in the first place that runs the productivity apps the user needs, or running a solid backup policy (when a stupid user fries his directory, the boss screams at him for a while, but data can be restored), or running stuff in a sandbox (well, on Windows that probably means that you ONLY fry your own directory).

Reply to
Ulrich Hobelmann

Perhaps the admin could square the circle as an encore. Much, even most, of the time, the apps that the users and management insist on run *only* on Windows.

Fine. *You* can be in charge of running the daily restores, while the boss yells at you for the downtime, and the user yells at you for the lost work that was done since the last backup. You let this crap through and you will spend all day restoring one user after another.

And how, exactly, are you going to get your apps to run, considering that all of them require admin access to run at all?

Do you have any *practical* alternatives?

Reply to
Chris Mattern

Not only that, but if the system can't determine WHAT TYPE of file it is, it will reject it.

Reply to
Leythos

Then the usual user will not be able to open the zipfile when it has a zpp extension, and not be able to click the file inside, "naked_woman.exe", which actually is a virus.

Deleting executable attachments and unscannable zips from the mail is done in most of the companies I sysadmin. Some users still click on everything that has an icon and a promising name. MS click-me advertising has done some brain damage to the weaker-minded.

best, peter

Reply to
peter pilsl

Then pick BSD. Anyway, with a firewall I doubt that Linux can really be infected. Updates are usually painless too.

Blocking infected attachments is relatively ok, unless you are a company that has an interest in sending viruses per mail (like an AV company).

Just deleting all zips (or encrypted ones) is bloody stupid though.

From this thread I gathered that the problem seems to be not the security (stuff sent with email is just passive files!), but rather the dumb user that has to push the button on every bomb he finds.

Reply to
Ulrich Hobelmann

A defective one. (Hint: look up the term "false positive")

Submit that extracted file to virustotal.com and they'll try a bunch of current AVs against it. No virus reported.

Reply to
Michael Cecil

WTH do you run an antivirus on your Mac??

I've heard that in some cases they even do harm (was it Norton?), and they definitely don't do any good. Where should you get a Mac virus from (except by running a script that wipes your home directory...)?

My Mac stays clean :)

Reply to
Ulrich Hobelmann

That was really lame. While I run both Linux and Windows workstations, I still see threats for Linux and Windows; neither OS is secure, it's all in knowing how to lock each down.

Installing AV software and/or a firewall policy that blocks malicious attachments from gaining access to company resources is part of an admin's job, at least in every government, commercial and private company I've worked for or designed the networks for.

I've been running many platforms since the 70's and never experienced a virus or compromised system on any network I've managed or designed, including Windows based networks/systems, so it would seem that security is not really an issue for the Windows platforms, it's more a problem when you have ignorant administrators or ones that pretend to know about security.

Reply to
Leythos

Why BSD? Windows XP and 2000/2003 servers are secure; I don't need to move from RH FC3 or 2000/2003 servers to maintain a secure platform.

Actually, many home users and open-relays spread viruses, not to mention the compromised machines that spam hundreds of infected emails per minute to random hosts.

Deleting any Zip file that is unscannable is a very good method. If you need to move data between secure locations, using a Zip file is a sloppy means of doing it. I suppose you've not seen the passworded zip files where the lamer includes a note stating that the file has been passworded for their protection...

If you need encryption for moving data, you can set up a VPN or secure FTP server; those are better methods.

Actually, it's ANY user. I've seen CIOs bring in infected laptops, infected spreadsheets. I've seen companies allow contractors to connect to the protected network without first validating the contractor's laptop. I've seen all sorts of bad things, and it makes it very hard to identify which user will be an ignorant one vs a good one.

In the early days, and on unpatched Linux and Windows (and OS X) systems, you could force execution without the user knowing about it by exploiting a service. You could also exploit weaknesses in browsers and email clients.

Reply to
Leythos
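Leythos' "scan 15 levels deep" and "delete any Zip that is unscannable", together with André's "passworded zip inside a scannable zip", describe one filter: open the archive, open whatever archives it contains, and treat anything the scanner cannot see into as a rejection. The code below is an added example for this thread, not anybody's product. The depth and size limits are assumptions chosen to keep the demo small; the "encrypted" fixture is constructed by setting the ZIP encryption flag in the headers by hand (Python's zipfile will not write that flag itself), which is enough because the filter decides on the flag, not on the content.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Policy knobs, assumed for this example (Leythos mentions 15 levels; 3 keeps
# the demo small). Anything the scanner cannot open is a rejection, not "fine".
MAX_DEPTH = 3
MAX_MEMBER_BYTES = 50 * 1024 * 1024             # refuse to inflate huge members
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local header / empty archive
ENCRYPTED_FLAG = 0x0001                          # general-purpose flag bit 0


@dataclass
class Verdict:
    scannable: bool
    reasons: list[str] = field(default_factory=list)


def inspect_archive(data: bytes, depth: int = 0, path: str = "") -> Verdict:
    """Walk a ZIP (and ZIPs inside it) and report whether an AV engine could see
    every byte. Encrypted entries, over-deep nesting, oversized members and
    corrupt containers all make the archive unscannable."""
    if depth > MAX_DEPTH:
        return Verdict(False, [f"{path}: nested deeper than {MAX_DEPTH} levels"])
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(False, [f"{path or '<root>'}: not a readable ZIP"])
    verdict = Verdict(True)
    with zf:
        for zi in zf.infolist():
            member = f"{path}/{zi.filename}" if path else zi.filename
            if zi.flag_bits & ENCRYPTED_FLAG:
                verdict.scannable = False
                verdict.reasons.append(f"{member}: encrypted entry (cannot be scanned)")
                continue
            if zi.is_dir():
                continue
            if zi.file_size > MAX_MEMBER_BYTES:
                verdict.scannable = False
                verdict.reasons.append(f"{member}: {zi.file_size} bytes, too large to inflate")
                continue
            payload = zf.read(zi)
            if payload[:4] in ZIP_SIGNATURES:        # sniff by content, not by name
                inner = inspect_archive(payload, depth + 1, member)
                if not inner.scannable:
                    verdict.scannable = False
                    verdict.reasons.extend(inner.reasons)
    return verdict


# --- constructed fixtures -------------------------------------------------

def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in every local (offset 6) and central directory
    (offset 8) header without encrypting anything. Test fixture only."""
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + flag_offset] |= ENCRYPTED_FLAG
            i = out.find(sig, i + len(sig))
    return bytes(out)


def nest(levels: int) -> bytes:
    """A harmless ZIP wrapped in `levels` further ZIPs."""
    archive = make_zip({"readme.txt": b"harmless\n"})
    for level in range(levels):
        archive = make_zip({f"level{level}.zip": archive})
    return archive


CLEAN = make_zip({"report.txt": b"quarterly numbers\n"})
# The trick from the thread: a passworded ZIP inside a perfectly scannable one.
PASSWORDED_INSIDE = make_zip({
    "cover.txt": b"The attached file is passworded for your protection: pw=secret\n",
    "document.zip": mark_encrypted(make_zip({"invoice.exe": b"MZ placeholder"})),
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("passworded inside", PASSWORDED_INSIDE),
                        ("too deep", nest(MAX_DEPTH + 1))):
        print(label, inspect_archive(blob))
```

The verdict carries a reason string per offending member, which is what you want to hand back in the SMTP rejection text so the sender learns why the message was refused instead of finding an attachment silently missing. The size cap matters as much as the depth cap: an archive that inflates to gigabytes is just as unscannable in practice as an encrypted one.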

Strangely enough a certain large software company relevant to at least one of the ngs on this thread bans zip attachments in their email. Instead the SOP is to drop the file onto a central database masquerading as a file system, and then simply embed the link in the email rather than attach it. This SOP works well for a number of reasons.

Reply to
Mark Townsend

Strange ... my up-to-date AVG freeware anti-virus didn't detect any virus in the rar file. What anti-virus software do you use?

Matthias

Reply to
Matthias Hoys

It's a Mac antivirus, Intego VirusBarrier for OS X. Interesting really.

But don't expect anything good from stuff like that (password crack)

Ilgaz

Reply to
Ilgaz

McAfee doesn't detect anything either.

George

Reply to
George Neuner

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.