How Your Peers Defend Against Viral Email Attachments
By Scott Pinzon, LiveSecurity Lead Editor, and Corey Nachreiner, Network Security Analyst
We asked. You answered. Well, 214 of you, anyway, and that was enough to pool some wisdom about stopping viruses.
Recently we asked, "How do you stop your end-users from clicking on unexpected e-mail attachments?" This issue feels urgent as we wilt under an endless onslaught of spam and e-mail-borne worms. By now, you'd think everyone would know that worm authors pack up their executables so they look like e-mail attachments, send them with e-mails that have enticing subject lines, and when the curious recipient opens the attachment, bomp bomp bommmm — infection! Yet, astoundingly, worm after worm after worm succeeds with this same strategy. Thus, if you can stop clueless users from opening those attachments, you are a long way ahead in defending your network.
So... how do you stop them? Here are tips from network administrators in the LiveSecurity Service community.
Do As I Say
The first half of our two-part question drew 214 responses, categorized like this:
Totaling the bottom three answers, 46 percent of users are not even trying to work securely. No surprise: that's how all those worms keep spreading while repeating the same boring technique.
Then came part two of our question. Responses fell into two camps:
You might relate to some of the humorous responses, pasted below verbatim. The question: If you've found a way to stop users from opening unexpected e-mail attachments, please share it with us! Lighter responses:
Offer to kick their A$$!
take away there e-mail
chop off their hands
Threaten them with a two by four.
...and our two particular favorites:
Electromagnetic shock via a USB port device
Those who do are shot and killed. This does two things: thins the herd and sends a message to the rest.
Do As I Do
Here are some of the more serious thoughts, with our analysis.
Your comment: "I tell them not to"
"I've taught my users to ignore icons, and pay attention to extensions. I've turned off 'hide extensions of known file types', so the *true* extension always comes through. I tell them to ignore all EXE, SCR, COM, BAT, DLL, etc. files...."
Analysis: A fine approach as far as it goes, but the poll indicates how well users obey your orders: almost half the people don't listen to you. Establishing a strong security policy is the right place to start, but having people actually follow it requires technological reinforcement. We admired this combination of policy and technology from one reader: "We make them sign an Acceptable Use Policy. If they violate policy we revoke their [e-mail] access or have their correspondence sent to a default mailbox, [then] we forward their information to their internal mailbox after it has been reviewed." Though somewhat labor-intensive, that approach would work.
Your comment: "I have told everyone to not use the Preview Pane in Outlook Express. That way nothing loads until you double-click on the e-mail."
Analysis: This technique is particularly good at blocking virms (viruses and worms) that exploit the way Internet Explorer parses HTML (IE handles those duties for Outlook and Outlook Express). Some worms, Bagle.Q for example, are written so that the malicious payload executes as soon as the HTML e-mail is rendered. That means the worm doesn't require a user's double-click in order to run. If you use the Outlook Preview Pane, simply highlighting the e-mail is enough to cause infection (assuming you have not installed the patch provided in Microsoft Security Bulletin MS03-040). Lots of worms are immediately recognizable by their goofy subject line. Not using the Preview Pane enables a user to highlight such an e-mail and delete it, without risking infection. To turn off the Preview Pane in Outlook, simply choose View => Preview Pane.
Your comment: "In Outlook / Outlook Express check the 'don't allow attachments to be saved or opened' option under Security Tab."
Analysis: For organizations that have the right software and hardware, this can be an affordable way to add an extra layer of security. It lacks nuance, but it's inexpensive.
Outlook and Outlook Express handle e-mail attachment security slightly differently:
By default, Outlook classifies over 50 attachment types as untouchable Level 1. These include the executable file types virms typically use. Unfortunately, if Microsoft has classified a file type your users need as Level 1, the Outlook GUI provides no way to change it. However, you can use an Exchange Server policy to adjust it. If you're an Exchange administrator, you can customize levels (for example, drop a Level 1 file type to Level 2 or 3). If you use Outlook but not Exchange, you're stuck with Microsoft's settings unless you're willing to try registry hacks and third-party plugins. So, as we said: if you've already got Outlook and Exchange, the price of this technique is right; just don't expect fine-grained control.
Your comment: "Automatically rename high risk file attachment extensions to *.xex so that the user must save the file, rename the extension, and then open it."
Analysis: This great tip forces users to think before opening something. If you make your users rename an executable file to the correct extension name, they have a chance to think, "Do I really want to run this?" "Is it worth the effort?" "Am I expecting this?" Of course, if they do open the attachment, it still runs; but this technique also spotlights their accountability, since they have to actively work with the file to run it. We like the idea of this trick combined with appropriate wording in an Acceptable Use Policy.
Your comment: "Postini" "MessageLabs"
Analysis: These are examples of vendors who offer to intercept your e-mail on their servers, cleanse it, and forward to you only the good stuff. Such "in the cloud" e-mail filters can certainly be valuable. Even if your own gateway strips and discards bad attachments, your server still has to receive and store all the neutered worm e-mail (not to mention the usual avalanche of spam). If a vendor filters outside your network, bad e-mail never reaches your server, saving you a lot of resources.
On the other hand, the accuracy of each vendor's stripping depends on what technology they use. False positives are a problem: if a legitimate e-mail is accidentally stopped, its intended recipient may never know. To use this approach effectively, you must periodically review what the vendor is stripping. We like "in the cloud" filtering, but recommend combining it with other layers of security such as attachment filtering and gateway antivirus.
Your comment: "Filtering inbound enclosure types in SMTP-proxy settings." "Block them at the firewall with SMTP filtering." "Strip out unauthorised attachments before they arrive in users' mailboxes."
Analysis: This was the most common response, for which we thank you. If your WatchGuard firewall model has an SMTP proxy, definitely use it. Even the most rebellious end user can't open an attachment he never receives.
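One way to implement both the *.xex renaming tip above and the attachment stripping an SMTP proxy performs, as an added example that is not code from the article or from any WatchGuard product: it uses only Python's standard library, the extension block list and the sample message are constructed for the demo, and it judges a file by its last extension so double-extension names such as Invoice.jpg.EXE are caught.

```python
# Added example (stdlib only), not code from the article or from WatchGuard.
from email import message_from_string
from email.policy import default

RISKY = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "dll"}  # constructed list

def is_risky(filename):
    # Judge by the LAST extension, case-insensitively: catches 'Invoice.jpg.EXE'.
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in RISKY

def attachment_names(raw):  # filenames of every attachment, used to check results
    msg = message_from_string(raw, policy=default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def neutralise(raw, action="rename"):
    """Return (new message text, log of (old name, new name or None))."""
    msg = message_from_string(raw, policy=default)
    log = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not is_risky(name):
            continue
        if action == "rename":
            new_name = name + ".xex"  # original name stays visible to the user
            del part["Content-Disposition"]
            part["Content-Disposition"] = f'attachment; filename="{new_name}"'
            part.set_param("name", new_name)  # Content-Type name= must agree
            log.append((name, new_name))
        else:  # strip: replace the part by a notice; all Content-* headers go
            part.set_content(f"[Attachment {name!r} removed by policy]")
            log.append((name, None))
    return msg.as_string(), log

# Constructed sample: a double-extension executable plus a harmless PDF.
SAMPLE_RAW = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Invoice.jpg.EXE"
Content-Disposition: attachment; filename="Invoice.jpg.EXE"

MZ (constructed placeholder, not a real executable)
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 (constructed placeholder)
--b1--
"""
```

Running the renamed output through `neutralise` a second time changes nothing, so the filter is safe to apply at more than one hop.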
The problem of infected e-mail attachments finding clueless users has no one ultimate answer yet. But your responses prove that you're fighting the good fight, and resourceful admins still have countermeasures they can try. Thanks to everyone who responded.