Author: Alan J. Flavell
Date:
To: Exim User's Mailing List
Subject: RE: [exim] Securing Email for the prying eyes of any government
On Thu, 13 Jan 2005, Jan-Peter Koopmann wrote:
> Ease of use for many people.

Insecurity is only *too* easy, yes. Sadly.

> and I usually do not send EXEs (and I block incoming and outgoing
> EXEs on the gateways). But for a lot of people sending EXEs is a lot
> simpler than setting up some sort of storage, loading stuff up
> there, assuring your communication partner has access to it etc.
> Even thinking about it costs them too much money.

However, the recipient *ought* to be operating in a regime which
forbids them to execute code that has arrived via email, at least
until they have done an in-depth security audit of the individual
item. The fact that they are /accustomed/ to receive executable code
from that sender address is *NO* proof that the present instance of
executable code is bona fide: quite the contrary, since viruses tend
to fake those very addresses from which one is accustomed to receive
mail.

And forcing the recipient to do that security audit on their incoming
mail is -far- more expensive, in total, than taking a moment to do the
job more securely, i.e. pop the item into one's web sub-tree, and tell
them its URL (and hopefully its md5sum too).

In short, it's damnable bad manners to send anyone executable code as
a mail attachment - even if the mail admin permits it to get through
(we normally don't, but that's by the by).