Demanding your clients to change extensions from .zip to .txt for mail attachments

A company we are working with has a few ridiculous security measures. One of them goes like this:

  • You cannot e-mail us .zip files. If you want to transmit a .zip file, rename it to .txt.

IMHO, there is no good reason for this. I can only see two reasons to do such a thing:

  • Their employees are idiots and click on every zip file, and every .exe/.vbs/britney.jpg.com file in the zipfile. By only telling the smart people to use the rename-to-.txt files trick, the stupid people pose no threat. Actually, I like this explanation.
  • There is a known bug in the email software which auto-opens .zip files and gets infected. Renaming prevents the software from doing this.

Other than that, when the .txt arrives, their user still has to re-rename it to .zip and then we are back to square 1: we have a potentially unsafe zipfile.

Am I missing something? Is there any reason why this could be a recommended practice?


Solution 1:

IMHO no, at least I can't think of any good reason. Actually, it doesn't increase security, but decreases it. They should implement a good virus scanner at the mail gateway (and on the client workstations) and with this, mostly eliminate the zip threat. After that, if they manage to educate their users that they shouldn't open files they didn't expect and, when in doubt, ask for confirmation from the sender, that's about all they can do without just removing all zip attachments at the gateway.

Solution 2:

Sounds like a company I worked for once. :(

Here's the thing we discovered when forced to that same bit of lunacy. Every one of the six antivirus scanners that checked incoming mail detected that they were zip files, regardless of what we named them. No real surprise there. As they have configured those scanners to block zip files, it didn't matter that we renamed them, as was suggested by the head of corporate IT. Of course we very quickly discovered that by repacking them as RAR (or just about any other archiver) those same files got through just fine.

Was any of that helpful for security? No way! All it did was cause the users some inconvenience and made it impossible for senior managers to send or receive zip files, as they didn't know how to RAR a file (and we weren't volunteering to teach them). This of course eventually caused the policy to be overturned.

Would I ever implement such a policy? No. I prefer to educate my users and have few enough of them that the success rate is very good.
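
To illustrate the content-based detection described in the answer above, here is an added example (not part of the original answer, and not any scanner's actual code) that classifies mail attachments by their leading magic bytes instead of their filename, and covers several archive formats rather than ZIP alone. The function names, the signature table and the sample message are assumptions constructed for this illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Leading magic bytes -> archive type. OOXML/JAR files are ZIP containers too,
# so a real policy has to decide how to treat those.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",          # empty zip archive
    b"Rar!\x1a\x07": "rar",        # common prefix of the RAR 4 and RAR 5 signatures
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
EXTENSIONS = {"zip": {"zip"}, "rar": {"rar"}, "7z": {"7z"}, "gzip": {"gz", "tgz"}}

def sniff_archive(data: bytes):
    """Return the archive type indicated by the content, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def classify_attachments(msg: EmailMessage):
    """Return (filename, detected_type, disguised) for each attachment."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        kind = sniff_archive(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Disguised: the content is an archive but the extension says otherwise.
        disguised = kind is not None and ext not in EXTENSIONS[kind]
        results.append((name, kind, disguised))
    return results

def build_sample_message():
    """Constructed sample: a zip renamed to .txt, a RAR-signature blob, plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "a,b\n1,2\n")
    msg = EmailMessage()
    msg.set_content("see attachments")
    samples = [("report.txt", buf.getvalue()),
               ("report.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
               ("notes.txt", b"plain notes\n")]
    for filename, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    for row in classify_attachments(build_sample_message()):
        print(row)
```
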

Solution 3:

We used to have the joy of only accepting zips that were prepended with our company initials at the start of the filename - xxMyZippedFile.zip

In theory this stops automated Bot viruses from being received, perhaps it even worked, but it annoyed & confused the hell out of a lot of users!