Great Circle Associates Firewalls
(October 1995)
 


Subject: Re: Mail Proxy
From: mdr @ vodka . sse . att . com
Date: Tue, 3 Oct 1995 08:54:35 -0400 (EDT)
To: long-morrow @ CS . YALE . EDU
Cc: firewalls @ greatcircle . com
In-reply-to: <199510021459 . KAA26661 @ SPARKY . CF . CS . YALE . EDU> from "long-morrow @ CS . YALE . EDU" at Oct 2, 95 10:59:08 am

We've gone around this circle at least once before.  Coming up to 
two conclusions.

1) it is *impossible* to prevent a determined individual from
transferring executables via email. (But you can slow them down)

2) The vast majority of such transfers *can* be prevented by an
automated program scanning for the most common forms of encoding.

Also, it is possible to virus scan the binaries that have been
detected.  However, general consensus is that such scanning is
ineffective because it only covers one channel of binaries to the PC,
(Floppy disks are another).  Virus scanning must be done at the PC.

However, I must admit that I'd be interested in a Word document macro
virus scanner :)   These "executable content" vira are an interesting
breed.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

> 
> Chris Tyler <chris @ dejong . com> wrote:
> >
> >Slava Kritov writes:
> >
> >> Any uuencode ?
> >> Sorry, as a sysadm of 500+ orgs can say, that people sometimes exchange
> >> word docs in uuencode, and ( for Mac's ) you can't even say it's word doc 
> >> based on name ...
> >
> >Right... so? The purpose was to deny all attachments, whether word DOCs or executables. So 
> >you look for the uuencode signature string and deny.
> 
> But by only looking for the 'signature's of known binary encoding formats
> you then open yourself up for people to create their own encoding formats
> to get around your scan for, and restriction on encoded message enclosures.  
> 
> 3 possibilities for getting around a scan for known encoding signatures :
> 
> 1.	rot13 a uuencoded file before e-mailing it.  Describe in the message
> 	how to unrot13 the message before uudecoding it.
> 
> 2.	Use an (admittedly) inefficient format for encoding binary, such as:
> 
> 	RAVE AFRO STUB DAM HONE HAY
> 	CLAD WILL JOIN PET LONG WEED
> 	...
> 
> 	The recipient will need a decoder of course.
> 
> 3.	PGP encrypt the entire message before transmitting.  How will the
> 	mail scanner know what is inside the message?  Are you going to
> 	reject all encrypted messages?  I think that encrypted messages
> 	will increasingly become the norm on the Internet as PC based
> 	mail programs incorporate automatic easy-to-use PGP encryption.
> 
> 
> - Morrow
> 
> 
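
A sketch of the kind of automated scan the message above describes, added here as an example and not code from the thread: it looks for the uuencode `begin` signature line and confirms that structurally valid data lines follow, then runs the same scan over a rot13 copy to show the limit raised in the quoted reply. The sample message, the filename `report.doc` and all function names are constructed for illustration.

```python
import binascii
import codecs
import re

# "begin <octal mode> <filename>" is the uuencode signature line.
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} \S.*$")

def is_uu_data_line(line):
    """True if the line is structurally valid uuencoded data."""
    if not line or not all(0x20 <= ord(c) <= 0x60 for c in line):
        return False
    n = (ord(line[0]) - 0x20) & 0x3F      # decoded byte count claimed by line
    # Each 3 bytes become 4 characters; some encoders pad, so allow longer.
    return 1 <= n <= 45 and len(line) - 1 >= 4 * ((n + 2) // 3)

def find_uuencoded(body, min_lines=2):
    """Return (line_number, filename) for each uuencode block in body."""
    lines = body.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not BEGIN_RE.match(line):
            continue
        run = 0
        for nxt in lines[i + 1:]:
            if not is_uu_data_line(nxt):
                break
            run += 1
        # Require data lines after the header so prose that merely
        # starts with "begin 644 ..." is not flagged.
        if run >= min_lines:
            hits.append((i + 1, line.split(" ", 2)[2]))
    return hits

def make_sample():
    """Constructed message body carrying a 90-byte uuencoded enclosure."""
    payload = bytes(range(90))            # stand-in for a binary attachment
    data = "".join(binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
                   for i in (0, 45))
    return "Here is the file.\n\nbegin 644 report.doc\n" + data + "`\nend\n"

if __name__ == "__main__":
    sample = make_sample()
    print("plain  :", find_uuencoded(sample))
    # The signature scan does not see the same enclosure once it is rot13'd.
    print("rot13  :", find_uuencoded(codecs.encode(sample, "rot13")))
```
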


