5

A company we are working with has a few ridiculous security measures. One of them goes like this:

  • You cannot e-mail us .zip files. If you want to transmit a .zip file, rename it to .txt.

IMHO, there is no good reason for this. I can only see two reasons to do such a thing:

  • Their employees are idiots and click on every zip file, and every .exe/.vbs/britney.jpg.com file in the zipfile. By only telling the smart people to use the rename-to-.txt files trick, the stupid people pose no threat. Actually, I like this explanation.
  • There is a known bug in the email software which auto-opens .zip files and gets infected. Renaming prevents the software from doing this.

Other than that, when the .txt arrives, their user still has to re-rename it to .zip and then we are back to square 1: we have a potentially unsafe zipfile.

Am I missing something? Is there any reason why this could be a recommended practice?

Konerak

5 Answers

4

IMHO no, at least I can't think of any good reason. Actually, it doesn't increase security, but decreases it. They should implement a good virus scanner at the mail gateway (and on the client workstations) and with this, mostly eliminate the zip threat. After that, if they manage to educate their users that they shouldn't open files they didn't expect and, when in doubt, ask for confirmation from the sender, that's about all they can do without just removing all zip attachments at the gateway.

Sven
4

Sounds like a company I worked for once. :(

Here's the thing we discovered when forced to that same bit of lunacy. Every one of the six antivirus scanners that checked incoming mail detected that they were zip files, regardless of what we named them. No real surprise there. As they had configured those scanners to block zip files, it didn't matter that we renamed them, as was suggested by the head of corporate IT. Of course we very quickly discovered that by repacking them as RAR (or just about any other archiver) those same files got through just fine.

Was any of that helpful for security? No way! All it did was cause the users some inconvenience and made it impossible for senior managers to send or receive zip files, as they didn't know how to RAR a file (and we weren't volunteering to teach them). This of course eventually caused the policy to be overturned.

Would I ever implement such a policy? No. I prefer to educate my users and have few enough of them that the success rate is very good.

John Gardeniers
  • You think the "distinguish auto-mail from human-sent-mail" benefit is not worth the cost? Is there any other way to get that benefit (with a more acceptable cost)? – Konerak Jul 12 '10 at 09:35
  • If you really can distinguish the two there would be very great benefit. Unfortunately I know of no real way, other than through file signatures, as used by AV scanners. Using different extensions is not a foolproof way and the inconvenience to users far outweighs the advantages. – John Gardeniers Jul 12 '10 at 09:55
  • While most AV programs are smart enough to detect 'cloaked' compressed files, surprisingly few of them actually have any protection against zip bombs (in my experience). – symcbean Jul 12 '10 at 12:20
2

We used to have the joy of only accepting zips that were prepended with our company initials at the start of the filename - xxMyZippedFile.zip

In theory this stops automated Bot viruses from being received, perhaps it even worked, but it annoyed & confused the hell out of a lot of users!

Jon Rhoades
  • Aha, so it can be a way to distinguish between "real mail from your contact person" and "automatically sent mail". Okay, but aren't there better (and less painful) ways? – Konerak Jul 12 '10 at 09:12
  • @Konerak - and given the amount of targeted phishing scams we get, it wouldn't take much to customise a highly effective virus attack! – Jon Rhoades Jul 12 '10 at 12:15
1

Seems pretty silly to rename absolutely every zip to a text file.

For us, we allow in any standard zips, but executables and other potential nasties will be stripped out.

If the user really needs these files, then the sender can rename the extension to our company initials before sending. No calls required after that point.

Password-protected zips get quarantined since these can't be virus checked, and there was a spate of viruses using this method.

Valid attachments can be resent, or added to an exception list or a rule if they are going to be regular.

MartinC
0

It is stupid, but until mail programs and AV are smart enough to handle it, there is no way around it aside from turning it off completely and not checking them.
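
Several answers above describe gateways that recognise zip files by content rather than by name, strip executables, quarantine password-protected archives, and (per one comment) often miss zip bombs. The following Python example is added here for illustration and is not code from any of the posters; the function names, the blocked-extension list and the ratio threshold are assumptions.

```python
import io
import zipfile

# Assumed policy values for this example (not taken from the answers above).
BLOCKED_EXT = (".exe", ".com", ".scr", ".vbs", ".bat", ".js")
MAX_RATIO = 100  # declared uncompressed size / compressed size

def triage(data):
    """Return (verdict, detail) for attachment bytes; the file name is never consulted."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):  # looks for the ZIP end-of-central-directory record
        return ("not-zip", [])
    try:
        with zipfile.ZipFile(buf) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return ("quarantine", ["malformed archive"])
    # Bit 0 of the general-purpose flags marks an encrypted entry, which cannot be scanned.
    locked = [e.filename for e in entries if e.flag_bits & 0x1]
    if locked:
        return ("quarantine", locked)
    # Sizes come from the central directory, so they are what the sender declared.
    packed = sum(e.compress_size for e in entries) or 1
    unpacked = sum(e.file_size for e in entries)
    if unpacked / packed > MAX_RATIO:
        return ("quarantine", ["declared expansion %d -> %d bytes" % (packed, unpacked)])
    risky = [e.filename for e in entries if e.filename.lower().endswith(BLOCKED_EXT)]
    if risky:
        return ("strip", risky)
    return ("deliver", [])

def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()

if __name__ == "__main__":
    samples = {  # constructed inputs; note the misleading .txt names
        "report.txt": make_zip({"notes.txt": b"quarterly numbers"}),
        "photos.txt": make_zip({"britney.jpg.com": b"MZ constructed stub"}),
        "logs.zip": make_zip({"zeros.bin": b"\0" * 5_000_000}),
        "readme.txt": b"just plain text",
    }
    for name, data in samples.items():
        print(name, triage(data))
```

Because the verdict depends only on the bytes, renaming an archive to .txt changes nothing about how it is handled.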