Demanding your clients to change extensions from .zip to .txt for mail attachments

email anti-virus attachment

A company we are working with has a few ridiculous security measures. One of them goes like this:

  • You cannot e-mail us .zip files. If you want to transmit a .zip file, rename it to .txt.

IMHO, there is no good reason for this. I can only see two reasons to do such a thing:

  • Their employees are idiots and click on every zip file, and every .exe/.vbs/britney.jpg.com file in the zipfile. By only telling the smart people to use the rename-to-.txt files trick, the stupid people pose no threat. Actually, I like this explanation.
  • There is a known bug in the email software which auto-opens .zipfiles and gets infected. Renaming prevents the software to do this.

Other than that, when the .txt arrives, their user still has to re-rename it to .zip and then we are back to square 1: we have a potentially unsafe zipfile.

Am I missing something? Is there any reason why this could be a recommended practice?


Solution 1:

IMHO no, at least I can't think of any good reason. Actually, it doesn't increase security, but decreases it. They should implement a good virus scanner at the mail gateway (and on the client workstations) and with this, mostly eliminate the zip threat. After that, if they manage to educate their users that they shouldn't open files they didn't expect and, when in doubt, ask for confirmation from the sender, that's about all they can do without just removing all zip attachments at the gateway.

Solution 2:

Sounds like a company I worked for once. :(

Here's the thing we discovered when forced to that same bit of lunacy. Every one of the six antivirus scanners that checked incoming mail detected that they were zip files, regardless of what we named them. No real surprise there. As they have configured those scanners to block zip files it didn't matter that we renamed them, as was suggested by the head if corporate IT. Of course we very quickly discovered that be repacking them as RAR (or just about any other archiver) those same files got through just fine.

Was any of that helpful for security? No way! All it did was cause the users some inconvenience and made it impossible for senior managers to send or receive zip files, as they didn't know how to RAR a file (and we weren't volunteering to teach them). This of course eventually caused the policy to be overturned.

Would I ever implement such a policy? No. I prefer to educate my users and have few enough of them that the success rate is very good.

Solution 3:

We used to have the joy of only accepting zips that were prepended with our company initials at the start of the filename - xxMyZippedFile.zip

In theory this stops automated Bot viruses from being received, perhaps it even worked, but it annoyed & confused the hell out of a lot of users!

Related

Is there anyway to connect to a Switch/Router console port with a RJ45-RJ45 cable?
Is there any remote desktop software accessible via a browser for linux?
Load balancing based on session cookie?
Windows Server 2008 R2 Domain Controller Backup
APC Smart-UPS: remote power shutoff?
What tools are there to create and manage an apt repository?
How does UDP track connections?
Connect to Postgres remotely, open port 5432 for Postgres in iptables
How to allow password based login from a given IP-range, force others to use PubKey
Override template shell on linux system in Active Directory domain?
Clear arp cache
What is an "application firewall"?