S 5.53 Protection against mail bombs

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, IT users

Mail bombs are e-mails which have been intentionally equipped with disruptive functions. For example, a mail bomb can consist of a compressed file which is sent along as an attachment and which, when unpacked, creates a countless number of subdirectories or takes up a lot of hard-disk space.

Archives, i.e. with zip programmes compressed files, should never be unpacked without being checked beforehand. To protect one's IT systems against Trojan horses and other disruptive functions possibly harboured by compressed files, it is advisable to view a list of the archived files together with their size before unpacking them. Archive files should also be scanned for computer viruses before being unpacked.

Self-extracting executable programmes with the extension *.exe should never be opened on regular workstations, as the contents of such programmes cannot be examined before unpacking.

New programmes should always be tested beforehand on IT systems which are isolated from the production system (refer to S 4.65 Testing new hardware and software).

In the case of Unix systems and other server-based operating systems, the following points should also be observed:

• Unfamiliar archives should never be unpacked under super-user authorisation, but only under a user ID with as little write access as possible.

• A file system with disk quota should be used to restrict the amount of disk space which a disruptive programme could occupy in the worst case.

Additional controls:

• Have users been informed about the potential threats posed by mail bombs?