
Attachment filtering vs Whitelisting email address/domains


  • This topic is locked
5 replies to this topic

#1 Anthony DeHart

Anthony DeHart
  • Members
  • 66 posts

Posted 18 April 2007 - 03:07 PM

Is it just me or does it seem absolutely unbelievable that the Barracuda will let all extensions through that are on the extension block list for any whitelisted domain, email address, or IP address?

I know it used to block extensions even if the address is whitelisted but now that behavior has changed. When I spoke with support, they claim that was a bug and now has been fixed. I'm using firmware v3.4.10.087.

Does anyone have a way to block certain extensions no matter what?

I filter a lot of stuff that is associated with junk or jokes (wmv, wav, etc.) and I don't want it getting in no matter who it is from. It would seem better to have a list of extensions that can be marked as before or after address whitelisting OR you can have an exception list that says these extensions are ALWAYS filtered. Either way, this seems like a big hole to me. Am I just being paranoid?

I apologize if this is answered elsewhere but I could not find a comment regarding this other than the opposite of what I'm seeing now.

Thanks - Anthony

#2 John Gerlach

John Gerlach
  • Members
  • 0 posts

Posted 18 April 2007 - 09:00 PM

The topic hasn't really been discussed from this end. I believe many people have requested to be able to receive attachments from whitelisted or trusted senders and a change appears to have been made to accommodate them.

Meanwhile I have been waiting for a bug fix to effectively block all attachment types that are listed (Bug #10437 if my memory serves). I can easily reproduce sending a zip file through the Barracuda from a non-whitelisted sender even though the zip extension is on our block list. Ever since we installed our Barracuda unit I have left our old Symantec Gateway in place. By monitoring what it sees I can see how good a job the Barracuda Spam Firewall is doing (and overall it does really well, except in this regard). I am glad I did as this seems to be the only effective way to strip all of the attachments that are allowed through.

It would be nice if a configuration option was included where we could choose to override the blocked attachment list if the source is a whitelisted sender. Then people could decide which way works better for their environment.

I agree that it could also be a risk if some user triggers a mass mailing worm for which definitions are not yet available. The whitelisted addresses will make it much easier to propagate such infected attachments.

#3 Scott Edell

Scott Edell
  • Members
  • 0 posts

Posted 19 April 2007 - 09:27 AM

I've been having the same problem, and agree completely. We filter a lot of the garbage forwards containing wav, wmv, etc., and they get through because of a per-user whitelist. We have to archive all of our mail, and this kind of thing exponentially inflates the size of our archives.

Aside from the forwards and what they do to the archives, if I choose to block .exe, or .vb files because they're dangerous, for example, I don't care if it's from a trusted (whitelisted) source or not. They shouldn't be attaching potentially dangerous files to e-mail, and I don't want it. This is particularly dangerous because viruses/trojans usually forge from addresses and can get right through the Barracuda. As fast as these things morph and change, it's not unheard of for things to get through before a virus definition is available (happened to us just this morning), and the first line of defense in this scenario already has holes in it.

#4 Anthony DeHart

Anthony DeHart
  • Members
  • 66 posts

Posted 19 April 2007 - 12:00 PM

I guess there is no workaround for this then? I take it even using header filtering or body filtering of any kind is not possible?

Does this need to be placed in FEATURE REQUEST part of the forums?

As has been mentioned, given that a lot of stuff is propagated using forged contact lists, the likelihood of getting a contaminated email from a whitelisted contact is quite high. In many ways, this defeats the whole purpose of having this box here in the first place which is to keep the garbage like this out. If I were Barracuda, this would be VERY HIGH on my list of things to rectify.

I think what disturbs me the most is that Barracuda makes changes like this and then does not make it obvious in the interface (even if in release notes) that this is the behavior of this extension block list. I think they give a certain false comfort by not defining this or spelling it out. It seems like a simple change to me.

Personally, all I'd need is another box for an extension list that says ALWAYS BLOCK THESE EXTENSIONS? and then I'd just fill them in. Anything I want to have exceptions to, I'd put in the box that is there now except I'd change the wording such that it is obvious this happens AFTER whitelisting and that whitelisting takes precedence.

- Anthony

#5 jashton

jashton
  • Members
  • 17 posts

Posted 19 April 2007 - 12:18 PM

I agree. If I block a filename extension, I want it blocked even if a sender is whitelisted, no exceptions. I believe this behavior changed with v3.4.x firmware because it used to work properly. It's hard to believe they still haven't fixed it yet. We recently had an incident where a user received a new virus from a whitelisted sender, and it got through because the .exe filename extension wasn't blocked, nor was the .zip file that contained it even though I routinely block them. Because the virus was so new, the user's desktop antivirus wasn't up-to-date either. The only thing that saved us was the user's Outlook wouldn't allow the dangerous file to be opened. If the extension blocking worked like it's supposed to it would never have gotten through.

I'd love to hear from Barracuda on this.

#6 Anthony DeHart

Anthony DeHart
  • Members
  • 66 posts

Posted 20 April 2007 - 09:35 AM

I'm going to post this in the feature request list if I can't find it there already. My personal stance at this point and I'm sure management will back me up on this is that if this isn't fixed soon and certainly by maintenance renewal time, we'll probably ditch the Barracuda over this one problem. This is a serious, serious flaw! If tech support had said they were aware of it and would fix it that would be one thing but they basically said this was the way it was supposed to work and that was that.
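
The two-list ordering proposed in post #4, together with the .exe-inside-.zip case from post #5, sketched as an added example that is not part of the thread and is not Barracuda's code or configuration. The list contents, addresses and function names are assumptions made up for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical policy, constructed for this example.
ALWAYS_BLOCK = {"exe", "vb"}               # tier 1: checked before whitelisting
BLOCK_UNLESS_WHITELISTED = {"wmv", "wav"}  # tier 2: whitelisting overrides
WHITELIST = {"partner@example.com"}        # matched on the forgeable From header

def ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def attachment_extensions(msg):
    """Yield each attachment's extension, plus those of zip archive members."""
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        yield ext(name)
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    yield ext(member)

def decide(raw):
    """Return (verdict, matched_extensions) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    exts = set(attachment_extensions(msg))
    hit = exts & ALWAYS_BLOCK
    if hit:                    # no exceptions, whoever the sender claims to be
        return "block", sorted(hit)
    if sender in WHITELIST:    # whitelist only takes precedence over tier 2
        return "allow", []
    hit = exts & BLOCK_UNLESS_WHITELISTED
    return ("block", sorted(hit)) if hit else ("allow", [])

def sample(sender, filename, data):
    """Build a constructed message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", "fwd"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Evaluating the always-block list before the whitelist lookup is what keeps a forged whitelisted From address from carrying an executable through; only the second list is subject to the whitelist.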