One approach that could work at least within a unit level would be to have
alternate signatures for attachments/non-attachments. So within college
xyz, user John signs as John, however when a document is attached the same
user signs as JoHn or John @xyz etc, and this goes for all users. This fails
if the spammer knows the logic, but most spam text I have seen so far is
rarely signed. Uniform signature logic throughout a unit might be easier to
implement than getting people to explain the attachment, of course this
fails for someone who doesn't know the logic, the fallback then is
explaining what the attachment is.  
-ViVek

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of STeve Andre'
Sent: Monday, December 11, 2006 3:41 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Apparently a zero-day attack using Word is happening

Certainly a clever program could send out two emails in an
attempt to spoof the OOB message, but it won't look like the
style of someone known.  Your idea of putting text in the 
body of the message is good, but is equally spoofable, I'd
think, in that it could generate a long-winded gasbag
explanation of what the attachment is.  For either idea,
the best defense here is the originality of a person's writing.

Agreed about bad habits.  The number of no-subject emails
I have in my work archive is amazing.

--STeve Andre'

On Monday 11 December 2006 10:14, Chris Wolf wrote:
> I suggest a different approach that I think could work better. There are
> two problems with the "double-email" suggestion.
>
> First, it would be extremely easy for a worm to mimic this behavior, which
> would then make the technique worthless. Second, it's enough extra work to
> send two messages that few users will be convinced that it's worth it.
>
> Instead, I suggest that users always explain what the attachment is, in
> specific terms that the recipient will understand. So, instead of writing
> in the body of the message a generic "Here's the document", write "Here's
> my draft of the paper on pollution cleanup credits."
>
> The root of the problem is that many, many people have adopted very bad
> email habits, such as sending messages with blank subjects and writing
> messages like the afore-mentioned "Here's the document". It's this behavior
> that has made it incredibly easy for the creator of a worm to construct a
> message that will fool people into opening an attachment. If people never
> sent real messages of the "Here's the document" type, the fake ones would
> stand out for what they are.
>
> I'll admit, however, that in order for any suggestion like this to work,
> you have to convince an awful lot of people to change their behavior. It
> may be a lost cause.
>
> > -----Original Message-----
> > From: MSU Network Administrators Group
> > [mailto:[log in to unmask]] On Behalf Of STeve Andre'
> > Sent: Saturday, December 09, 2006 8:50 AM
> > To: [log in to unmask]
> > Subject: Re: [MSUNAG] Apparently a zero-day attack using Word
> > is happening
> >
> > I've always interpreted that as you don't open attachments in
> > Windows unless you know the person you've gotten it from,
> > *and* you've been told that the attachment has been sent to
> > you by that person in another email.
> >
> > I've been trying to get my users to first send email to
> > someone saying "I'm going to send attachment xy", and then to
> > send another email with the actual attachment.  Using that
> > out-of-band communication is I think enough paranoia to get
> > around a clever virus that sends poisoned attachments to
> > friends via an addressbook.
> >
> > Given the rather secure nature of Windows at the moment, I
> > think this is needed.  Agreed that MS deserves a large whack
> > on the head for building such a system and then blaming the users...
> >
> > --STeve Andre'
> >
> > On Friday 08 December 2006 12:53, Tom Rockwell wrote:
> > >  From the MS website:  "As a best practice, users should always
> > > exercise extreme caution when opening unsolicited attachments from
> > > both known and unknown sources."
> > >
> > > > What the heck does that mean?  How do I exercise extreme caution
> > > > when opening a file?  Is that like being careful when I pick up a
> > > > frying pan that may be hot --- sort of hold my hand close to it and
> > > > then touch it lightly to see if it is too hot?  Am I supposed to click
> > > > slowly on the file or something?  Click on the file, but look away
> > > > from the monitor?
> >
> > > I hate the way that Microsoft tries to shift blame to the user and
> > > puts out such meaningless statements about security.
> > >
> > > > Better advice would be that all users of Word take the next week off
> > > > and wait for the patch.
> > >
> > > /rant off
> > >
> > > -Tom
> > >
> > > Cheryl Akers wrote:
> > > > Published: December 5, 2006
> > > > http://www.microsoft.com/technet/security/advisory/929433.mspx
> > > >
> > > > > Microsoft is investigating a new report of limited zero-day attacks
> > > > > using a vulnerability in Microsoft Word 2000, Microsoft Word 2002,
> > > > > Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft
> > > > > Word 2004 for Mac, and Microsoft Word v. X for Mac, as well as
> > > > > Microsoft Works 2004, 2005, and 2006.
> > > >
> > > > > Also see
> > > > > http://www.symantec.com/enterprise/security_response/weblog/2006/12/microsoft_word_0day_under_inve.html
> > > >
> > > > Cheryl
> > > >
> > > > Cheryl Akers, MS, CNA - [log in to unmask] Microcomputer Support -
> > > > Microbiology and Molecular Genetics 2228C Biomedical Physical
> > > > Sciences Michigan State University East Lansing, MI  48824
> > > >
> > > > 517-355-6463 X1514
> > > >
> > > > "I try to take one day at a time, but sometimes, several
> >
> > days attack
> >
> > > > me at once."
> > > > Jennifer Unlimited