X-Mailer: exmh version 2.1.1 (devel)
From: David Woodhouse
To: all.staff@axiom.internal
Subject: Rules for sending and accepting email attachments.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 23 May 2000 10:08:57 +0100
Message-ID: <1668.959072937@devel2.axiom.internal>
Sender: dwmw2@devel2.axiom.internal

Certain types of file are capable of including code which a computer may
blindly execute. This can be used to spread viruses, and may cause
significant loss of data or even send private data by email to a third
party. Furthermore, if a virus then resends itself to all our customers,
it makes us look incompetent.

To protect the company's data and privacy, and also the company's image,
it is extremely important to ensure that we are not vulnerable to such
attacks. The only safe way of ensuring this is to apply some common sense
to the exchange of data and other files, especially in email. We cite
email here because it is the most common form of data exchange these
days, but files on a floppy disc or CD-ROM, or indeed any other medium,
should be treated identically, using the guidelines set out below.

Files which we currently consider to be 'dangerous' include:

  *.EXE - Windows executable
  *.COM - DOS executable
  *.BAT - DOS batch file
  *.DOC - Microsoft Word document, which may contain macro viruses
  *.XLS - Microsoft Excel document, likewise
  *.VBS - Visual Basic Script
  *.VBE - Encoded Visual Basic Script
  *.WSF - Windows Script File
  *.WSH - Windows Script Host settings file
  *.WSC - Windows Script Component
  *.JSE - Encoded JScript

There is a more complete list at:
http://officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm

The general rule is: you should NEVER accept or send documents of these
types.

If you accept such a document, and it turns out to have a virus, then you
may be personally responsible for the deletion or publication of the
whole of the contents of the company's network. This is a BadThing(tm).
If you send such a document to a customer, you may only destroy all
_their_ data - which is less catastrophic, but still not particularly good
for our image (or our sales to that particular company).

There may be exceptions to this rule, but they are few and far between.
The only two filetypes whose presence in the above list is likely to
upset you frequently are Word and Excel documents. However, almost every
time you might previously have blithely sent a Word or Excel document,
you'll find that you could easily have saved it in another form first.
As a guideline, here are some of the alternatives:

For a Word document:

1. If it doesn't contain any important formatting, then send it as plain
   text. It's far easier for people to deal with it like this.

2. If it contains some formatting, but isn't particularly complex, then
   send it as Rich Text Format (RTF), which is a safe, but quite simple,
   standard format. You can check the suitability of RTF by saving as RTF
   and then re-loading the document yourself.

3. If the formatting is complex and important (contains many tables
   etc.), and the recipient does not need to edit the document, then you
   could print it to a PostScript or PDF file and send it like that.
   There is a 'PDF' print queue on the server which makes this simple: it
   sends you an email containing a PDF file of whatever you print to that
   queue.

4. If the formatting must be preserved AND the recipient must be able to
   edit the document, then PERHAPS you have a case for sending it in Word
   format. Before doing so, you MUST:

   - confirm with a sysadmin that there is no suitable alternative.
   - obtain confirmation from the recipient that they are happy to accept
     it in such a format.

For an Excel document:

1. If it contains only data, and no formulae, then you can save it as
   Comma Separated Values (CSV). If the recipient is not going to be
   editing the data, then this is OK even if the sheet contains formulae,
   because the CSV file will contain the last calculated value of the
   formula in each cell. As with RTF above, you should save your file as
   CSV and then import it again to check that it is OK.

2. If you must exchange data which is to be edited, and keep the
   formulae intact, then you should set up a template for the sheet, with
   all the formulae present, into which only the numbers need to be
   imported. Then send each other CSV files containing only the numbers.

3. For one-off transfers of complete spreadsheets, see Word #4 above:

   - confirm with Peter or myself that there is no suitable alternative.
   - obtain confirmation from the recipient that they are happy to accept
     it in such a format.

When you receive documents by email or other means, you should also use
these guidelines. If the document has been sent in an unsafe format, then
you should only accept it under the following conditions:

1. You know _exactly_ what the nature of the document is and you were
   expecting it to arrive.

2. It is absolutely necessary (according to the above guidelines) that
   the document be exchanged in an unsafe format, rather than one of the
   many alternatives.

3. You know and trust the sender - not only that they are not malicious,
   but that they operate a responsible policy with regard to the exchange
   of documents, that they are entirely safe from viruses, and that they
   could not be accidentally sending an infected file. (N.B. This is
   almost never the case, but may be true for exchanging files between
   our Cambridge and Corlo offices, if both sites are following these
   rules to the letter.)

If any of these three conditions is not met, then you must first ask the
sender to resend the document in an appropriate form if possible. If it
was absolutely necessary to send the document in a dangerous form, then
you should consult a system administrator, who will verify the safety of
the document in a safe environment before allowing you to use it.

I'm aware that these rules can sometimes be a pain, but they're about as
necessary as stopping at the kerb and looking both ways before crossing
the road. If you accept document types which are known to be dangerous,
without following these rules as set out for our collective safety, then
you may be responsible for catastrophic damage.

-- 
dwmw2
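The memo's blocklist turned into a mechanical check, added here as an example and not part of the original email or of any tool the company ran: a Python script that parses a message, reads each attachment's filename and flags any that carries an extension from the memo's dangerous list. It goes a little beyond the memo: matching is case-insensitive, and every dotted component of the name after the base name is examined rather than just the last one, so a name like invoice.pdf.exe is still caught. The sample message, the SAFE_EXTENSIONS set (the alternatives the memo recommends) and all function names are my assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# The memo's own list of dangerous extensions, lower-cased for comparison.
DANGEROUS_EXTENSIONS = frozenset({
    "exe", "com", "bat", "doc", "xls",
    "vbs", "vbe", "wsf", "wsh", "wsc", "jse",
})

# Formats the memo recommends instead (plain text, RTF, PostScript, PDF, CSV).
# Assumption: 'safe' here only means the name passes this extension check.
SAFE_EXTENSIONS = frozenset({"txt", "rtf", "ps", "pdf", "csv"})


def classify_filename(filename):
    """Return (verdict, extension) for one attachment filename.

    verdict is 'dangerous', 'safe' or 'unknown'.  Every dotted component
    after the base name is examined, so 'invoice.pdf.exe', 'report.exe.txt'
    and 'Report.DOC' are all flagged: a dangerous extension anywhere in the
    name counts, deliberately erring on the side of caution.
    """
    name = filename.strip().lower()
    parts = [p for p in name.split(".")[1:] if p]   # drop base name and empty pieces
    if not parts:
        return ("unknown", "")
    for part in parts:
        if part in DANGEROUS_EXTENSIONS:
            return ("dangerous", part)
    if parts[-1] in SAFE_EXTENSIONS:
        return ("safe", parts[-1])
    return ("unknown", parts[-1])


def check_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, verdict, ext), ...]
    for every MIME part that carries a filename."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not an attachment
        filename = part.get_filename()    # decodes RFC 2047/2231 encoded names
        if filename is None:
            continue                      # inline body text, no file name
        verdict, ext = classify_filename(filename)
        findings.append((filename, verdict, ext))
    return findings


def dangerous_attachments(raw_bytes):
    """Names of the attachments that the memo's rule says must be refused."""
    return [name for name, verdict, _ in check_message(raw_bytes)
            if verdict == "dangerous"]


def build_sample():
    """Constructed sample message (not real mail) with a mix of attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Files as requested"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename="Report.DOC")
    msg.add_attachment("year,total\n2000,42\n", subtype="csv",
                       filename="figures.csv")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.3", maintype="application",
                       subtype="pdf", filename="quote.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, ext in check_message(build_sample()):
        print(f"{name:20s} {verdict:10s} (.{ext})")
    print("refuse:", dangerous_attachments(build_sample()))
```

Note that this is a filename check only, which is what the memo's list describes; it does not inspect content, so a renamed executable or a macro-bearing .doc saved under a harmless name will not be detected by it. That is why the memo still requires the three acceptance conditions and a sysadmin's inspection for anything that arrives in a dangerous format.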