Admin
There is another behavior that is not quite as automatic, but is even more dangerous. Novell GroupWise came up with the really bright idea of default opening by single click. As I recall, they had no standard option to change this behavior. That meant that by the time one of my users had highlighted an attachment's icon, say to see the full filename, the file was open. This certainly created difficulty in recommending procedures for handling attachments that were in doubt. I guess Novell gave themselves convenience points for saving the user the effort of a double-click, but confirmed my feeling that Novell should die and go away.
Admin
Use yousendit.com or any of the plethora of similar services out there. Al Queda does.
Admin
This is what the content checker of my company says:
Admin
Yeah I do that all the time as backup... It does tend to tie up the network though.. could that be because I'm sending 20 GB data every day?
(Americans, please note... this is not true, I am only kidding... You should not believe it)
Admin
I hate attachment blocking. If someone is stupid enough to open viruses, why should they not be allowed to? It's natural selection.
Anyway, at my university, they had a really bright idea. The mail system blocks the email, but only informs the RECIPIENT about that. This is an example:
BANNED CONTENTS ALERT
Our content checker found banned names: loadSetup/setup.exe, ...
in an email to you from: [email protected]
According to the 'Received:' trace, the message originated at: [xxx.xxx.xxx.xxx]
Our internal reference code for this message is 09949-01. The message has been quarantined as: banned/20070413/002021-09949-01
Please contact your system administrator for details.
Needless to say, the message was urgent and important, from the manager at the company where I was going to do my project. And the university helpdesk didn't even respond to my requests. So my way of making a good first impression was asking the sender to do tricks with attachments. Brilliant.
Another stupidity in blocking email attachments is the cheerful assumption that the sender speaks English. This way my grandma, AFAIK not being an automated mailbomber, will be classified as such. Brilliant^2
Why isn't there a per-mailbox setting that I don't want ANY attachments blocked?
Admin
Wow... I'd call this verbose discouragement of attachment usage to the average user...
Admin
you mean, like "gzip"? Oh wait, there's bzip ... no, sorry, I forgot: bzip2 has been out since 1996.
Yep, I think they could.
Admin
This is true now (XP/2003/Vista), to a certain extent. It didn't used to be true at all (Win95/98).
I just did a test on my XP SP2 box. I renamed an executable from .exe to .exo and then, at a command prompt, typed the filename (ftpserve.exo) and hit enter. Windows prompted me saying that certain functionality was being blocked, but the app started. The certain functionality was access to the internet (the app is an ftp server used internally).
Under earlier versions of Windows, the app would simply have run. I know this for a fact, because I once renamed Solitaire on every machine in a Customer Service Department and wrote a dummy wrapper app that asked for a password; if you supplied the proper password, it then launched Solitaire using the new name. I then gave the password to all but one of the users in Customer Service; the one user didn't get it because they were supposedly on my bad side (a joke).
Admin
You typed it where? If you typed it into a cmd window, maybe that's a feature of the command interpreter (since you can't type in anything directly that's not to be interpreted as a command - typing "foo.zip" on an actual zip file will just result in an error message) rather than the operating system. Though clearly a "take anything no matter what it is and assume it's an executable" call must exist in the OS, and it may not be less WTFy in general than "take anything and run it if the contents are executable, else pass to handler app" as you assumed it was doing, it is at least less likely to be used by mail clients with the intent that the file gets passed to WinZip (or whatever for other file types), since that won't happen even for real zip files.
Admin
What may be happening in the referenced bugtraq link is that the ID3 tag in MP3 files is able to "contain just about any file you want to include" http://www.id3.org/ID3v2Easy, so the file is probably being opened as an mp3 based on its extension, and the mp3 player is delegating the tag metadata to other reader apps.
Admin
Other options are:
Admin
Tried opening an .exe renamed to .exo both in WinXP SP1 by clicking and using Run... and got a big "Windows cannot open this file" dialog.
Admin
Speaking of WTFs, just TRY to rename a zip archive under OSX 10.3 or 10.4. Even with "show extensions" selected and all that, if you try to rename archive.zip to archive.foo, the Finder (or something in the OS) cheerfully helps you out by naming it archive.foo.zip. You have to use a Terminal session (bash to you OSX newbies :-) ) to make the change "stick".
Admin
For the same reason why we generally like to keep the feces out of the streets.
Sure, serious contagious diseases only affect people who are stupid enough to step in the sh*t, but when they get sick they take us all down with them--either by directly propagating the disease itself, or because they get too sick to do their day jobs running the utilities and supply systems that keep the rest of us alive and eating.
Admin
"Group accountability" is the real WTF.
Admin
The real WTF is that this isn't really yahoo or excite, it's a standard default error message ("cuteness" and all) in their SMTP software.
Captcha: "Welcome Home..."
Admin
No, recommending compression when the rejected file was a zip file is still a WTF.
Admin
And none of this means that actual code (binary code, that you'd find an exe file) will be executed from a file with a .zip extension in any context other than typing the filename as a command at the command prompt [which doesn't let you specify files as anything other than a command at the beginning of the line]
Admin
Yup. Long ago I found that one out the hard way. Dial-up in the third world, I finally got the megabyte .zip file uploaded and it rejected it because there was an .exe inside. Fortunately Hotmail doesn't reject those. Web e-mail accounts were the only way to do it--the dial-up didn't come with a mailbox or even an account in the traditional sense--it was run by the phone company and you were simply billed usage on your phone bill. Like a 976- but reasonably priced.
I do think that requiring executable stuff to be compressed is a good precaution, especially if you use something other than .zip. That means they must have a decompressor installed, which sets them above the average user.
Admin
That depends on the audience, but I think for the typical user who might fall for this bit of social engineering, no. The hook I proposed implies a relatively unsophisticated sender - someone who figured out that password-protected zip archives are a side channel, but not that using a side channel to bypass security mechanisms (or encouraging the recipient to do so) might be a bad idea. I wouldn't expect such a person to practice good password hygiene as a matter of habit.
Also, remember that the password in this case is meant to be exposed - it's in the message in plaintext - so it needn't be difficult to guess. In fact, it makes more sense if it's something that's easy to read and type.
But we could try it both ways with, say, a thousand random victims, and see which is more successful...
Admin
The real WTF is that they're using qmail. Nobody in their right mind should use qmail on the internet today, with 99% of all email coming from forged senders.
Admin
or .7z (LZMA)?
Admin
Hotmail did this for over 6 months, only it was for ANY file type. It denied all attachments as virus infected. (Though still advertising unlimited attachments).
After a time I began to wonder maybe I really did have a virus in every single file on my computer (however improbable). So I tested from a few other computers - same result all attachments denied as virus infected.
I then tried several LiveCDs (Knoppix, QNX 6.3) to boot a number of machines and attach plain text files generated after the LiveCD boots... same result - all attachments denied as virus infected.
I gave up and switched to Lycos and never had a problem with them. I later switched to Gmail, but only after I was able to do so without an invitation. The underhanded social data mining of the invitations system under the guise of a "beta" offends me.
For all I know Hotmail may still advertise unlimited attachments and then deny all attachments claiming viruses... great way to save on upstream bandwidth!
Admin
What's even more likely is that it was merely a Windows Media Video. When the MP3 codec failed to read it, WMP would have analysed the file to determine what type of file it really was. Once it determined it was WMV, it would have read the WMF headers to determine the version and launched the appropriate codec.
Admin
Scanners often operate after the SMTP session is closed - especially in the qmail world. This is because qmail is a totally "modularized" system, with several different executables doing different tasks on a "queue" of messages. They're probably using qmail-scanner to call clamav and Spamassassin to scan messages, while blocking certain attachments.
If you use magic-smtpd to replace qmail-smtpd you can implement invalid user rejection at the envelope level and never accept the message, and even drop message after a configurable number of "bad" recipients.
If you want to be really nasty, configure fail2ban to watch the qmail logs for "too many invalid recipients" messages and then bang the sending IP into an iptables blacklist.
I've done a few of these qmail servers...
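The log-watching step described in the post above, as an added example that is not part of the original comment or of the qmail, magic-smtpd or fail2ban projects: it re-implements fail2ban's maxretry/findtime logic in plain Python over a handful of constructed log lines and renders the resulting iptables DROP rules. The log line format ("&lt;ISO timestamp&gt; magic-smtpd[&lt;pid&gt;]: too many invalid recipients from &lt;ip&gt;") is an assumption made for this example, not magic-smtpd's real output, and the IP addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (hypothetical format chosen for this example, not the
# real magic-smtpd output): "<ISO timestamp> magic-smtpd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"magic-smtpd\[\d+\]: too many invalid recipients from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one host hammers the server within a few minutes,
# another trips the alert three times but spread over a whole afternoon,
# and one unrelated line should be ignored by the filter entirely.
SAMPLE_LOG = """\
2007-04-13T10:00:05 magic-smtpd[4121]: too many invalid recipients from 203.0.113.7
2007-04-13T10:01:10 magic-smtpd[4130]: too many invalid recipients from 203.0.113.7
2007-04-13T10:02:44 magic-smtpd[4137]: too many invalid recipients from 203.0.113.7
2007-04-13T10:03:00 magic-smtpd[4140]: too many invalid recipients from 198.51.100.22
2007-04-13T10:05:00 magic-smtpd[4150]: accepted message from 192.0.2.9
2007-04-13T13:30:00 magic-smtpd[5002]: too many invalid recipients from 198.51.100.22
2007-04-13T17:45:00 magic-smtpd[6120]: too many invalid recipients from 198.51.100.22
"""


def parse_events(lines):
    """Yield (timestamp, ip) for every line matching the alert pattern."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("ip")


def find_offenders(lines, maxretry=3, findtime=600):
    """Return the sorted IPs that raised the alert at least `maxretry` times
    within any window of `findtime` seconds (fail2ban's maxretry/findtime
    semantics, re-implemented here as a sliding window per source IP)."""
    hits = defaultdict(list)
    for ts, ip in parse_events(lines):
        hits[ip].append(ts)
    window = timedelta(seconds=findtime)
    offenders = []
    for ip, stamps in hits.items():
        stamps.sort()
        # Any run of `maxretry` consecutive hits that fits in the window bans the IP.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                offenders.append(ip)
                break
    return sorted(offenders)


def iptables_rules(ips, chain="INPUT"):
    """Render one iptables DROP rule per offending source address."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    banned = find_offenders(SAMPLE_LOG.splitlines())
    for rule in iptables_rules(banned):
        print(rule)
```

With the defaults, only 203.0.113.7 is banned: 198.51.100.22 also triggered the alert three times, but hours apart, so it never fits inside a ten-minute window. In a real deployment the same regex (with fail2ban's `<HOST>` token in place of the `ip` group) would go into a filter's `failregex`, and the jail's `maxretry`, `findtime` and `bantime` settings would replace the arguments here; the point of the window is to ban the host that is probing for valid mailboxes, not a legitimate server that occasionally mistypes one.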