[Mimedefang] Dealing with encrypted zip viruses
Kelson Vibber
kelson at speed.net
Tue May 4 16:39:18 EDT 2004
Here's the setup. We've been having trouble with some of the recent
Netsky/Bagle/whatever variants that send themselves as encrypted zip
files. Clamd detects it as "Encrypted.Zip" so it goes through our usual
quarantine/add-a-warning path rather than our discard-the-worthless-junk
path. Why? There could be legit uses for sending an encrypted zip file.
The problem is, people are getting messages like "[Virus Removed] Your
account has been disabled!" and calling in. One person seemed to get
confused, and apparently contacted Roaring Penguin first (instead of using
the contact address we provided).
Obviously, the quarantine-and-warn path isn't enough. On the other hand, I
don't want to discard legit mail. (We're an ISP, so we have to be as
flexible as possible.) While there are certainly more secure ways to send
a document, I can see someone zipping up a couple of spreadsheets, putting
a password on it, and sending it off. Then again, weigh the real deluge of
encrypted viruses against the possibility that someone might lose
something.... Of course if someone *does* lose a legit encrypted zip file,
Murphy's Law dictates it will be something important.
So I thought I'd ask: how are other people dealing with these? Do you ban
all encrypted zip files, do you quarantine, do you use other techniques?
Kelson Vibber
SpeedGate Communications <www.speed.net>
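As an added illustration (not code from Kelson's post or from MIMEDefang's shipped filter), the two-path split described above as a MIMEDefang filter fragment: clamd's "Encrypted.Zip" verdict goes to the quarantine-and-warn path, anything else clamd flags goes to the discard path. The filter hooks and action_* functions are MIMEDefang's; that the clamd helpers set $VirusName per part, and the postmaster address, are assumptions.

```perl
# Added example for mimedefang-filter; assumes entity_contains_virus_clamd()
# and message_contains_virus_clamd() set $VirusName on a hit.
# Per-part hook: runs for every MIME part of the message.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    return action_accept() unless entity_contains_virus_clamd($entity);

    if ($VirusName eq 'Encrypted.Zip') {
        # Possibly legitimate: keep a copy in quarantine and replace the
        # part with a warning so the recipient knows what was removed.
        md_syslog('warning', "Encrypted zip '$fname' from $Sender quarantined");
        return action_quarantine($entity,
              "An encrypted zip attachment ($fname) was removed and held in quarantine.\n"
            . "If you were expecting it, contact postmaster\@example.net.\n"); # placeholder address
    }

    # Anything else clamd names is a known worm: nothing worth keeping.
    return action_accept();   # message-level decision is taken in filter_end
}

# Message-level hook: runs once after all parts have been seen.
sub filter_end {
    my ($entity) = @_;

    return unless message_contains_virus_clamd();

    if ($VirusName eq 'Encrypted.Zip') {
        # Parts were already replaced above; just flag the subject.
        action_change_header('Subject', "[Encrypted zip removed] $Subject");
        return;
    }

    # Discard-the-worthless-junk path: no bounce, no warning to the forged sender.
    md_syslog('warning', "Discarding message from $Sender: clamd reported $VirusName");
    action_discard();
}
```

Because a message can carry both an encrypted zip and a plain worm, the discard check in filter_end deliberately wins over the per-part quarantine.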