[NAFEX] Repost of List Update (no HTML this time!)
Boy is my face red! I thought I had my email program set for text
only, but my last upgrade to Pegasus email included some HTML and
rich text formatting features that I overlooked.
Greg
------------------------REPOST-----------------------
On 28 Apr 2002 at 20:24, DerryWalsh wrote:
> Aren't we going to have a major problem with viruses if attachments
> are allowed? I'm being swamped right now with W32/Klez.gen coming from
> another list that allows attachments.
Derry beat me to the punch of the emphasis for today's update:
ATTACHMENTS!
This list forwards all attachments, good and bad. It is totally up
to the users POSTING messages to control their temptation to add
INTENTIONAL attachments (.doc .pdf .gif .jpeg .html files). It is up
to the users RECEIVING messages to guard against UNINTENDED malicious
attachments. Some might be tempted (now or in the future) to curse
this new list for not stripping attachments, but good defense is a
good idea whether or not you belong to lists that forward messages,
since you probably get email from "regular" people that have the
capability to send email attachments. Here's what I have written for
the FAQ regarding attachments:
*****************From FAQ***************
ATTACHMENTS: Be aware that this list forwards ALL ATTACHMENTS.
Besides the annoying (LONG) attachments, this can include malicious
attachments like viruses, worms, and their ilk. Since many email
programs can be configured to AUTOMATICALLY open attachments, you may
wish to disable this option. Manually opening attachments takes your
cooperation but achieves the same effect. Similar considerations can
apply to MIME and HTML formatting. (The default on this list is NO
MIME.)
Check for security updates to your email program, and consider
running a good anti-virus program with a CURRENT library of viral
signatures. Most programs provide free updates of current viral data
files. Even nice people get viruses, which frequently hijack the
owner's email to forward themselves to the user's email address books.
Receiving email puts you at risk for receiving viruses. Educate
yourself and take appropriate steps to protect yourself. One source
of good information is
http://www.microsoft.com/security/articles/steps_default.asp
**********************End Excerpt********************
Most people starting to use a computer plug the computer in, connect
and learn as they go. Many programs are default configured to
automatically perform tasks (like open attachments, get HTML links,
handle MIME in a certain way). The price for ease of use is less
security, and virus authors have figured out how to exploit most
program flaws. So what constitutes a good defense? (Most of this
directed at Windows users, who carry a higher risk than Mac or UNIX,
and focuses on email.) Start at the Microsoft site in the last line
of the FAQ excerpt.
A general summary of a good start (links to other web sites with a
good SUMMARY are invited): Backup, update, use smart settings, run a
firewall and antivirus, and be suspicious.
1. BACKUP your data. Often said, infrequently done. I've found
myself missing backups *several* times--slow learner, I guess. Most
critical is to back up DATA files (documents, spreadsheets,
financial, passwords, email, homepage, etc.).
Although inconvenient, program files can always be reinstalled.
(Alternatively, reentering transactions from the last 6 years really
sucks! Haven't had to do that.) I prefer a read-only SCHEDULED backup
like a CD burner. Hard drives can and do fail, and viruses can
potentially alter any rewritable source. With a CDwriter you do have
to insert a blank CD. I do this each week during "Nova".
2. Most viruses are transmitted via the Internet these days, so that
is the obvious first line of defense. Make sure your email and
browser programs are UPDATED with security patches. This is
especially true for Outlook and MS Explorer which have proven to be
"target rich" by virtue of a broad user base and security holes. Look
under Help -> About to find out your current version, then go to
www.microsoft.com and search for patches. Disable settings like
opening attachments automatically. There are some instances where
HTML (real links as opposed to MHTML which is safer) can also
compromise your security. See the link below for MIME problems,
which is exploited by Klez that Derry mentioned. I don't use Outlook,
so I can't comment specifically. Also important is to run a good
FIREWALL. There are several, but I like ZoneAlarm (free and Pro
versions) at www.zonelabs.com.
3. Run a good antivirus. Just as important is to keep the antivirus
updated, since your program can't recognize a new virus that is not
in its database. Most software companies offer free updates (can be
scheduled automatically).
4. Be suspicious. Some security compromises are due to human
factors (confidence games.) Anything unsolicited should be suspect
(here's the free virus patch, and ignore your virus program's
warning). Don't give out any personal information, including
passwords, if the contact was initiated by someone other than you!
(I'm from the credit card company. Your card has what appears to be
some unauthorized charges. Can you confirm your SS# and date of
birth? **Guaranteed to be bogus.**) This applies to email contact

This just scratches the surface, but is already too long and
marginally on topic. I thought I'd post it since users of this list
should be aware of the potential problem.
Greg Miller
Links of interest
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
Even MHTML may have security weaknesses if patches not installed
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q261253
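
The recipient-side check described above (guarding against unintended attachments, including a MIME header that does not match the file), as an added example that is not part of the original post. It is Python using only the standard library; the extension list, the sample message and the function name `triage` are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows runs when opened (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs"}
# Media families a mail client may render or play without asking.
INLINE_FAMILIES = {"audio", "image", "video", "text"}

# Constructed sample message: one mislabelled part, one honest PDF.
SAMPLE = b"""\
From: someone@example.org
To: list@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: audio/x-wav; name="notes.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notes.exe"

Y29uc3RydWN0ZWQ=
--b1
Content-Type: application/pdf; name="pruning.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pruning.pdf"

Y29uc3RydWN0ZWQ=
--b1--
"""

def triage(raw):
    """Return [(filename, declared_type, reasons)] for parts worth a second look."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        declared = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension")
            if part.get_content_maintype() in INLINE_FAMILIES:
                reasons.append("declared as " + declared + " but named as a program")
        if reasons:
            findings.append((name, declared, reasons))
    return findings
```

Running `triage(SAMPLE)` reports only `notes.exe`, with both reasons; the PDF and the plain-text body pass.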