Last Updated 05/31/05 4:57 p.m. CDT
New e-mail virus variants have been using .zip attachments to
propagate before our anti-virus vendor has developed and
distributed the detection "signature" in the daily updates (DAT
files).
When such a new virus is detected ITS will temporarily drop all
incoming e-mail with a ".zip" attachment. No notice is sent when
the e-mail is dropped. This is done to slow down the spread of the
new virus until the anti-virus e-mail scanners can be updated. This
action affects incoming e-mail to all NDSU and NDUS sites hosted by
ITS.
Service has been returned to normal. Now only e-mail with password-protected .zip attachments is being dropped.
Be very cautious when you receive e-mail with an attachment.
If you receive e-mail with an attachment (especially a "zipped" file), before opening or extracting it, call or send a separate e-mail message to the sender asking whether he or she personally sent you that file or not. Since most modern worms forge e-mail addresses from infected machines (faked sender) you'll be able to ask about the file and determine the legitimacy. If the e-mail is not legitimate or you cannot verify it, discard it.
You can also help by avoiding sending e-mail attachments at all. Consider making files available via the Web or, for a work group, in a secure shared network file folder.
If you must receive zip files please have the sender rename the file before it is attached to the e-mail. For example, if the sender has a file called "norms.zip" it could be renamed to "norms.files", attached to e-mail, and sent to you. The new file name extension ("files" in this case) should be something we do not block on the scanner. Using a file extension of 5 or more characters should help avoid a blocked file type. When you receive the e-mail you would save the attachment to disk with the name "norms.zip" or save it and then rename it to "norms.zip". Some programs like WinZip may actually be able to open the archive as norms.files without even needing to rename it.
Last Updated 01/10/05 12:30 p.m. CST
The "MailScanner" system used to scan e-mail for viruses and dangerous attachments will be updated. There are two changes of interest in this update:
1. The new version of the software attempts to detect potential "phishing" attacks. It does this by checking to see that the Web address (URL or link) in the e-mail matches the "real" address you will go to if you click it. Phishers often provide a valid looking address such as mybank.com but when you click it the browser really goes to a "bad" web site which attempts to trick you into providing personal data.
For example, if the fraudulent HTML e-mail said:
Please enter your personal financial information at
mybank.com
but the actual URL was something like "http://192.168.1.1/" then
MailScanner would INSERT a warning in red text for the link:
Please enter your personal financial information at MailScanner has detected a possible fraud attempt from "192.168.1.1" claiming to be mybank.com
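The check described above, as an added example in Python that is not MailScanner's own code: it parses the HTML, compares the host named by each link's visible text with the host in its href, treats a bare IP address as suspect on its own, and inserts a warning after the link using the wording the announcement quotes. The subdomain rule (www.mybank.com satisfies a claim of mybank.com), the regular expression for "address-like" link text, and the sample HTML are this example's own assumptions.

```python
"""Added example (not MailScanner's code): flag HTML links whose visible text
names one site but whose href points somewhere else, and insert a warning after
the link. The sample HTML at the bottom is constructed for the demonstration."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Link text that "looks like" a web address: optional scheme, optional www.,
# a dotted host with a TLD, optionally followed by a port, path or query.
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#]\S*)?$",
    re.IGNORECASE,
)

WARNING = ('<font color="red">MailScanner has detected a possible fraud attempt '
           'from "{actual}" claiming to be {claimed}</font>')


def href_host(href):
    """Host the browser would actually contact, lower-cased; '' if none."""
    return (urlsplit(href).hostname or "").lower()


def claimed_host(text):
    """Host the link text claims, if the text looks like an address; else ''."""
    m = LOOKS_LIKE_URL.match(text.strip())
    return m.group(1).lower() if m else ""


def is_numeric_host(host):
    """True for bare IP addresses such as 192.168.1.1 (suspect on their own)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def same_site(claimed, actual):
    """Assumption: 'www.mybank.com' or 'login.mybank.com' satisfies 'mybank.com'."""
    return actual == claimed or actual.endswith("." + claimed)


class LinkChecker(HTMLParser):
    """Streams the HTML back out, appending a warning after each suspect <a>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # echo entities back untouched
        self.out = []        # rewritten HTML pieces
        self.findings = []   # (actual host, link text) for each suspect link
        self._href = None    # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        self.out.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            actual, claimed = href_host(self._href), claimed_host(text)
            suspect = bool(actual) and (
                is_numeric_host(actual)
                or (bool(claimed) and not same_site(claimed, actual)))
            if suspect:
                self.findings.append((actual, text))
                self.out.append(" " + WARNING.format(actual=actual, claimed=text or self._href))
            self._href = None


def check_html(html):
    """Return (rewritten HTML with warnings, list of (actual host, claimed text))."""
    parser = LinkChecker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample: the announcement's fraud example, a legitimate link whose
# text is the bare domain, and a link with non-address text that must pass.
SAMPLE = (
    '<p>Please enter your personal financial information at '
    '<a href="http://192.168.1.1/">mybank.com</a></p>'
    '<p><a href="https://www.mybank.com/login">mybank.com</a> is fine; so is '
    '<a href="https://example.org/">click here</a>.</p>'
)

if __name__ == "__main__":
    rewritten, findings = check_html(SAMPLE)
    print(rewritten)
    print(findings)
```

Only links whose text itself looks like an address are compared, so "click here" pointing anywhere is never flagged; a bare IP in the href is flagged regardless of the text. That is also the limit of the technique: a phisher who writes a non-address phrase as the link text, or who registers a look-alike domain, is not caught, which is why the announcement asks readers to stay vigilant.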
This does add some "load" to our server but we want to turn it on to see if it helps eliminate some of the many phishing attacks.
2. Some additional file types of attachments are being added to the list which will be blocked (see section below). Most of these new types are from a list that Microsoft recommends are blocked as being dangerous. The added entries are .cer, .its, .job, .mau, .mda, .mdz, .prf, .pst, .tmp, .vsmacros, .vss, .vst, .vsw, .ws.
The change was implemented on Monday, January 10, 2005.
The purpose of the change is to try to eliminate obvious "phishing" attacks, which can lead to identity theft or fraud, and to tailor the list of dangerous attachment types to keep up with current best practices.
There is a remote possibility that valid e-mail may be misidentified as a "phishing" e-mail. Be on the lookout for e-mail with the warning inserted. If you think the link was misidentified please let the ITS Help Desk know (see contact information below).
Also, this change will probably not eliminate all phishing attempts. Please continue to be vigilant for suspicious or unexpected e-mail. Banks and other institutions will not send you unsolicited e-mail asking you to enter information they already have!
See the sections below for more hints and tips on handling attachments.
If you have questions or comments please contact the ITS Help Desk at 231-8685 (Option 1) or via e-mail at NDSU.Helpdesk@NDSU.EDU.
Visit http://www.ndsu.edu/its/security for hints and tips.
Last Updated 03/09/04 1:03 p.m. CST
E-mail with ".zip" attachments which are password protected
(encrypted) will be discarded by the e-mail scanner with no notice
to either the sender or recipient. Normal unencrypted
.zip attachments are not affected by this change.
".zip" files are compressed collections of one or
more files created by Windows XP or programs such as WinZip. Using
zip files can greatly reduce the amount of storage required by the
original file(s) and can "bundle" a large number of files into one
file.
The change was implemented at 11:40 a.m. on Tuesday, March 9, 2004.
E-mail worms have started to use password protected ".zip" file
attachments as a way to avoid the e-mail anti-virus scanner. Since
the password protected files are encrypted and the e-mail scanner
does NOT have the password, they cannot be scanned for worms or
viruses. Many of these infected e-mail messages, especially with
"Bagle" worms, have been delivered to clients because they could
not be identified by the e-mail anti-virus scanner.
A new release of the e-mail scanning software we use now allows us
to discard e-mail which avoided anti-virus scanning because it
contained password protected ".zip" attachments. Note that at this
time we will NOT discard the e-mail if it contains a normal ".zip"
attachment which does not have a password (i.e., is unencrypted).
These unencrypted ".zip" attachments will be scanned by the
anti-virus software.
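What the scanner can and cannot learn from a password-protected .zip, as an added Python example that is not the e-mail scanner's own code. The ZIP format keeps each entry's name and its "encrypted" flag bit in the clear, so a scanner without the password can tell that it is blind even though it cannot read the contents, and that is enough to apply the drop policy above. The archives are built by hand in memory for the demonstration; the "encrypted" payload is stand-in bytes, not real ciphertext, because the scanner never has a key anyway.

```python
"""Added example (not the scanner's code): detect password-protected entries in
a .zip attachment without the password, by reading the general-purpose flag bit
that the ZIP format stores in the clear. Archives are constructed in memory."""
import io
import struct
import zipfile
import zlib

ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def build_zip(name, payload, encrypted=False):
    """Minimal single-entry, 'stored' (uncompressed) ZIP built by hand.
    With encrypted=True the flag bit is set and payload stands in for
    ciphertext (assumption: we never need a real key for the demonstration)."""
    flags = ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    nm = name.encode("ascii")
    # local file header: sig, version, flags, method, time, date, crc,
    # compressed size, uncompressed size, name length, extra length
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(nm), 0) + nm
    # central directory entry: the same fields plus comment length, disk
    # number, internal/external attributes and the local header offset
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(payload), len(payload), len(nm), 0, 0, 0, 0, 0, 0) + nm
    # end of central directory: disk numbers, entry counts, directory size,
    # directory offset, comment length
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


def scan_zip_attachment(blob):
    """Policy from this page: an entry the scanner cannot open never reaches
    the anti-virus step, so the message is dropped. Returns which entries were
    readable, which were encrypted, and the drop decision."""
    verdict = {"scanned": [], "encrypted": [], "drop": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        verdict["drop"] = True   # not a parseable archive: cannot be scanned either
        return verdict
    with archive:
        for info in archive.infolist():
            if info.flag_bits & ENCRYPTED:
                verdict["encrypted"].append(info.filename)  # name visible, bytes not
            else:
                data = archive.read(info.filename)          # what AV would inspect
                verdict["scanned"].append((info.filename, len(data)))
    verdict["drop"] = bool(verdict["encrypted"])
    return verdict


# Constructed samples: a normal archive and one whose entry is flagged encrypted.
CLEAN_ZIP = build_zip("norms.txt", b"quarterly norms")
LOCKED_ZIP = build_zip("photos.exe", bytes(range(12, 60)), encrypted=True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("locked", LOCKED_ZIP), ("junk", b"not a zip")):
        print(label, scan_zip_attachment(blob))
```

Note that the file names inside an encrypted archive are still readable, so a scanner could additionally apply the dangerous-extension list to them; the contents, which is what the anti-virus signatures need, are not. A blob that does not parse as a ZIP at all is treated the same way, since it is equally unscannable.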
E-mail sent TO any of the following hosts will be affected
including e-mail to NDSU e-mail clients and webmail
users:
BSC.NODAK.EDU (e.g. Pat.Smith@BSC.NODAK.EDU)
DSU.NODAK.EDU
GWMAIL.NODAK.EDU (GroupWise at NDSU)
LISTSERV.NODAK.EDU (including e-mail to any hosted lists)
LRSC.NODAK.EDU
NDSCS.NODAK.EDU
NDSU.NODAK.EDU (e.g. Pat.Jones@NDSU.NODAK.EDU)
NDUS.NODAK.EDU
WSC.NODAK.EDU
Be very cautious when you receive e-mail with an attachment.
If you receive e-mail with an attachment (especially a "zipped"
file), before opening or extracting it, call or send a separate
e-mail message to the sender asking whether
they personally sent you that file or not. Since most modern worms
forge e-mail addresses from infected machines (faked sender) you'll
be able to ask about the file and determine the legitimacy. If the
e-mail is not legitimate discard it.
You can also help by avoiding sending e-mail attachments at all.
Consider making files available via the Web or, for a work group,
in a secure shared network file folder.
If you must receive password protected zip
files please have the sender rename the file before it is
attached to the e-mail. For example, if the sender has a file
called "norms.zip" it could be renamed to "norms.files", attached
to e-mail, and sent to you. The new file name extension ("files" in
this case) should be something we do not block on
the scanner. Using a file extension of 5 or more characters should
work. When you receive the e-mail you would save the attachment to
disk and name it "norms.zip" or save it and then rename it to
"norms.zip". Some programs like WinZip may actually be able to open
the archive as norms.files without even needing to rename
it.
If you have questions or comments please contact the ITS Help Desk at 231-8685 (Option 1) or via e-mail at NDSU.Helpdesk@NDSU.EDU
Visit http://www.ndsu.edu/its/security/ for hints and tips.
Last Updated 03/05/04 11:41 a.m. CST
E-mail attachments that have filenames ending with ".com" or ".exe" will be dropped.
The e-mail scanner system scans every e-mail in two steps: an anti-virus scan, and a check of attachment file names against a list of "dangerous" file types. This change adds filenames ending with ".com" and ".exe" to that list. If e-mail is detected with these attachments the e-mail will be discarded without notice.
Please note that this does not affect e-mail addresses ending in ".com". For example, e-mail from yahoo.com will still be accepted as long as it passes the other checks. There has been some confusion since ".com" is used as part of an e-mail address as well as a file name extension (file type). The new action is based only on the attachment file name extension, not on the e-mail address.
The change was implemented on the afternoon of 3/04/04.
The change affects anyone sending e-mail to the following hosts with attachments which have filenames ending in ".exe" and ".com":
BSC.NODAK.EDU (e.g. Pat.Smith@BSC.NODAK.EDU)
DSU.NODAK.EDU
GWMAIL.NODAK.EDU (GroupWise at NDSU)
LISTSERV.NODAK.EDU (including e-mail to any hosted e-mail lists)
LRSC.NODAK.EDU
NDSCS.NODAK.EDU
NDSU.NODAK.EDU (e.g. Pat.Jones@NDSU.NODAK.EDU)
NDUS.NODAK.EDU
WSC.NODAK.EDU
and a few other specialized e-mail systems.
E-mail borne worms and viruses can be detected IF they are "known" to the anti-virus scanning software. However, any new worm or virus can propagate very quickly before the anti-virus software vendors have a chance to update the detectors. Dangerous attachments which are executable on Windows can cause great damage and send out thousands of copies of the worm or virus in just minutes. For example, in the Mydoom.a outbreak on January 26, 2004, over 130 campus computers were infected. Mydoom.a used ".exe" as well as other file types (some of which we already block). Many of the PCs infected received the worm before the mail scanner could be updated.
Please note that this action will not stop all unknown viruses. Mydoom, Bagle, and many other current worms and viruses use ".zip" files which we are still not blocking. Recipients of ".zip" files must be especially careful not to get infected. For more information on the dangers of .zip files see http://its.ndsu.nodak.edu/security/zapped.html (note, this link is broken).
The ".exe" and ".com" are especially dangerous because they are "executable". If the recipient does not realize they are malicious it takes very little to trigger them. While this change will not prevent all future worms, it removes a commonly used "one click" path for the worms and viruses to follow.
Be very suspicious of every e-mail you receive which contains attached files. You need to know that other permitted e-mail file types such as ".zip" files may still contain very dangerous programs which may evade detection by the e-mail scanners because they are new or because they are password protected. You are the last line of defense.
E-mail is especially "exploitable" because it is easy to forge the identity of the sender. Some worms are now password protecting the attachments which may prevent anti-virus checking by the mail scanner. Never open an attachment, especially a .zip file, without verifying that it is valid through some other means (e.g. a phone call or a separate e-mail exchange with the sender). It is also important to keep anti-virus definitions on your PC updated at least daily and to stay current with system patches.
If you are distributing files of any type, you should consider methods such as posting the files on a web site and sending the recipients the URL. This not only avoids "attachment ambiguity" but also makes the e-mail much smaller. If you must send a "banned" file type via e-mail you can rename it with a different file extension (e.g. "gadget.exe" might be renamed to "gadget.program") and let the recipient know that it needs to be saved and renamed before it can be run. Another approach would be to compress the file (e.g. into a ".zip" file). However, even though ".zip" files are permitted on our mail scanners at the moment, many worms and viruses use them and many sites have blocked them so you still might want to rename the zip to something else (e.g. gadget.files) and send a separate message to the recipient on how to unzip it.
If you have questions or comments please contact the ITS Help Desk at 231-8685 (Option 1) or via e-mail at NDSU.Helpdesk@NDSU.EDU
Visit http://www.ndsu.edu/its/security/ for hints and tips.
Last Updated 05/31/05 09:48 a.m. CDT
The e-mail scanner system scans every incoming e-mail in two
steps: first an anti-virus scan, then a check of attachment file
names against the list of dangerous file types.
The following file types or file name extensions, when found on
an e-mail attachment, cause the e-mail to be discarded (step 2
above). Please note that the decision is made only on the
attachment file name extension, not on other parts of the e-mail
such as e-mail addresses. For example, ".com" is considered
dangerous as a file type but it is fine as part of an e-mail
address such as info@xyzcorp.com.
* Note: These types were added on 01/10/05. See above
announcement. The .cer type was removed from this list
04/28/2005.
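The attachment-type check described here, in the March 2004 announcement of the ".exe"/".com" block and in its rename-the-file workaround, as an added Python example that is not the e-mail scanner's own code. It parses a MIME message, takes each attachment's file name, and decides on the extension alone, so a sender at a ".com" address is untouched while "gadget.exe" is dropped. The blocklist is the set of extensions this page names; the extension-normalisation rules (case folding, trailing dots and spaces, last dot wins) and the sample messages are this example's own assumptions.

```python
"""Added example (not the scanner's code): the dangerous-attachment check
applied to a parsed MIME message. The verdict depends only on each attachment's
file name extension, never on the sender's address. Messages are constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions this page says the scanner drops: .com and .exe (March 2004) plus
# the January 2005 additions, minus .cer, which was removed in April 2005.
BLOCKED_EXTENSIONS = {
    "exe", "com",
    "its", "job", "mau", "mda", "mdz", "prf", "pst", "tmp",
    "vsmacros", "vss", "vst", "vsw", "ws",
}


def attachment_extension(filename):
    """Extension as the scanner sees it (assumed normalisation): case-folded,
    trailing dots and spaces stripped, taken from the LAST dot so that
    'report.txt.exe' is 'exe'."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def dangerous_attachments(raw_message):
    """Return the attachment file names that match the blocklist; a non-empty
    result means the scanner would discard the whole message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""   # Content-Disposition / Content-Type name
        if attachment_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_message(sender, filenames):
    """Constructed sample: one message from `sender` with each name attached."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "Pat.Jones@NDSU.NODAK.EDU"
    msg["Subject"] = "files attached"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"\x00\x01\x02\x03", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# A ".com" sender with a plain .zip is accepted (address is not a file type).
FROM_COM_SENDER = build_message("info@xyzcorp.com", ["norms.zip"])
# The renamed .zip and renamed .exe pass: the workaround the page recommends,
# and equally the reason an extension check is a speed bump, not a guarantee.
RENAMED_FILES = build_message("pat@example.edu", ["norms.files", "gadget.program"])
# Executables are caught regardless of letter case or a decoy inner extension.
EXECUTABLES = build_message("pat@example.edu", ["gadget.exe", "Report.TXT.EXE", "setup.Com"])

if __name__ == "__main__":
    for label, raw in (("com sender", FROM_COM_SENDER),
                       ("renamed", RENAMED_FILES),
                       ("executables", EXECUTABLES)):
        print(label, dangerous_attachments(raw))
```

The same rename that lets a legitimate "norms.zip" through as "norms.files" lets a worm through just as easily, which is why the announcements keep repeating that the recipient is the last line of defense and why the anti-virus step, not the extension list, is the check that looks at content.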
Although the list may change from time to time, at present e-mail sent to any of the following e-mail host names will be scanned using the NDUS e-mail scanner:
BSC.NODAK.EDU (e.g. Pat.Smith@BSC.NODAK.EDU)
DSU.NODAK.EDU
All GroupWise users at NDSU
LISTSERV.NODAK.EDU (including e-mail to any hosted lists)
LRSC.NODAK.EDU
NDSCS.NODAK.EDU
NDSU.EDU/NDSU.NODAK.EDU (e.g. Pat.Jones@NDSU.EDU)
NDUS.NODAK.EDU
NODAK.EDU
WSC.NODAK.EDU
If you have questions or comments please contact the ITS Help
Desk at 231-8685 (Option 1) or via e-mail at NDSU.Helpdesk@NDSU.EDU.
Visit http://www.ndsu.edu/its/security for hints and tips.