Demanding your clients to change extensions from .zip to .txt for mail attachments

anti-virus attachment email

A company we are working with has a few ridiculous security measures. One of them goes like this:

  • You cannot e-mail us .zip files. If you want to transmit a .zip file, rename it to .txt.

IMHO, there is no good reason for this. I can only see two reasons to do such a thing:

  • Their employees are idiots and click on every zip file, and every .exe/.vbs/britney.jpg.com file in the zipfile. By only telling the smart people to use the rename-to-.txt files trick, the stupid people pose no threat. Actually, I like this explanation.
  • There is a known bug in the email software which auto-opens .zip files and gets infected. Renaming prevents the software from doing this.

Other than that, when the .txt arrives, their user still has to re-rename it to .zip and then we are back to square 1: we have a potentially unsafe zipfile.

Am I missing something? Is there any reason why this could be a recommended practice?

Best Answer

IMHO no, at least I can't think of any good reason. Actually, it doesn't increase security, but decreases it. They should implement a good virus scanner at the mail gateway (and on the client workstations) and with this, mostly eliminate the zip threat. After that, if they manage to educate their users that they shouldn't open files they didn't expect and, when in doubt, ask for confirmation from the sender, that's about all they can do without just removing all zip attachments at the gateway.
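
As an added example (not part of the original answer), here is a content-based check of the kind a gateway scanner performs: it identifies ZIP attachments by their structure rather than their file name, so a .zip renamed to .txt is still recognised and its members can be inspected. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed, illustrative list of extensions to treat as executable.
RISKY_EXTS = {".exe", ".com", ".vbs", ".scr", ".bat", ".js"}

def inspect_attachments(raw_message: bytes) -> list:
    """Classify each attachment by its content, not its declared name."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if name is None:
            continue  # body text or multipart container
        data = part.get_payload(decode=True) or b""
        is_zip = zipfile.is_zipfile(io.BytesIO(data))
        risky = []
        if is_zip:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Only the last extension matters: "britney.jpg.com" is ".com".
                risky = [m for m in zf.namelist()
                         if os.path.splitext(m)[1].lower() in RISKY_EXTS]
        findings.append({
            "name": name,
            "is_zip": is_zip,
            "disguised": is_zip and not name.lower().endswith(".zip"),
            "risky_members": risky,
        })
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP sent as report.txt plus a genuine text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("britney.jpg.com", b"placeholder, not a program")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["Subject"] = "report"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="text", subtype="plain",
                       filename="report.txt")
    msg.add_attachment(b"just notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in inspect_attachments(build_sample()):
        print(finding)
```

A gateway that filters on the extension alone would pass `report.txt` untouched, while this check flags it as a disguised archive and names the `.com` member inside it.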
