Internet Related/Filtering/Firewall Thread: Blocking Email Attachments via Extension (Technical)
  1. #1 Geoff (Fylde, Lancs, UK)

    Blocking Email Attachments via Extension

    How many of you have blanket blocks on various extensions? If so, what do you block? If you don't block based on extension what do you do? AV scan all attachments?

  2. #2 Iain (Warwickshire)
    Hi Geoff,

    I use MailScanner (Official Home Page for MailScanner - Anti-Virus and Anti-Spam Filter) along with SpamAssassin for scanning our email, which by default blocks quite a few file extensions. I've attached the default rule list, which also contains explanations of why various extensions are blocked. Zip files etc. are allowed, but the contents are virus scanned by the email filter.

    I've been running this for a few years now, and so far have never had any complaints of things getting blocked that shouldn't be.

    Iain.

  3. #3
    This is our /etc/MailScanner/filename.rules.conf


    Code:
    [root@mailhub1 ~]# cat  /etc/MailScanner/filename.rules.conf
    #
    # NOTE: Fields are separated by TAB characters --- Important!
    #
    # Syntax is allow/deny/deny+delete, then regular expression, then log text,
    #           then user report text.
    #
    
    # Due to a bug in Outlook Express, you can make the 2nd from last extension
    # be what is used to run the file. So very long filenames must be denied,
    # regardless of the final extension.
    deny    .{150,}                 Very long filename, possible OE attack         Very long filenames are good signs of attacks against Microsoft e-mail packages
    
    # JKF 01/01/2006 Another Microsoft security vulnerability
    #deny   \.wmf$                  Windows Metafile security vulnerability        Possible format attack in Windows
    
    # JKF 04/01/2005 More Microsoft security vulnerabilities
    #deny   \.bmp$                  Windows bitmap file security vulnerability     Possible buffer overflow in Windows
    deny    \.ico$                  Windows icon file security vulnerability       Possible buffer overflow in Windows
    deny    \.ani$                  Windows animated cursor file security vulnerability                             Possible buffer overflow in Windows
    deny    \.cur$                  Windows cursor file security vulnerability     Possible buffer overflow in Windows
    deny    \.hlp$                  Windows help file security vulnerability       Possible buffer overflow in Windows
    
    # These 4 are well known viruses.
    deny    pretty\s+park\.exe$     "Pretty Park" virus                            "Pretty Park" virus
    deny    happy99\.exe$           "Happy" virus                                  "Happy" virus
    deny    \.ceo$          WinEvar virus attachment                               Often used by the WinEvar virus
    deny    webpage\.rar$   I-Worm.Yanker virus attachment                         Often used by the I-Worm.Yanker virus
    
    # JKF 08/07/2005 Several virus scanners may miss this one
    deny    \.cab$                  Possible malicious Microsoft cabinet file      Cabinet files may hide viruses
    
    # These are known to be mostly harmless.
    allow   \.jpg$                  -       -
    allow   \.gif$                  -       -
    # .url is arguably dangerous, but I can't just ban it...
    allow   \.url$                  -       -
    allow   \.vcf$                  -       -
    allow   \.txt$                  -       -
    allow   \.zip$                  -       -
    allow   \.t?gz$                 -       -
    allow   \.bz2$                  -       -
    allow   \.Z$                    -       -
    allow   \.rpm$                  -       -
    # PGP and GPG
    allow   \.gpg$                  -       -
    allow   \.pgp$                  -       -
    allow   \.sig$                  -       -
    allow   \.asc$                  -       -
    # Macintosh archives
    allow   \.hqx$                  -       -
    allow   \.sit.bin$              -       -
    allow   \.sea$                  -       -
    
    # These are known to be dangerous in almost all cases.
    #deny   \.gif$          Possible Spam                                          Possible Spam
    deny    \.reg$          Possible Windows registry attack                       Windows registry entries are very dangerous in email
    deny    \.chm$          Possible compiled Help file-based virus                Compiled help files are very dangerous in email
    # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
    deny    \.cnf$          Possible SpeedDial attack                              SpeedDials are very dangerous in email
    deny    \.hta$          Possible Microsoft HTML archive attack                 HTML archives are very dangerous in email
    deny    \.ins$          Possible Microsoft Internet Comm. Settings attack      Windows Internet Settings are dangerous in email
    deny    \.jse?$         Possible Microsoft JScript attack                      JScript Scripts are dangerous in email
    deny    \.job$          Possible Microsoft Task Scheduler attack               Task Scheduler requests are dangerous in email
    deny    \.lnk$          Possible Eudora *.lnk security hole attack             Eudora *.lnk security hole attack
    deny    \.ma[dfgmqrstvw]$       Possible Microsoft Access Shortcut attack      Microsoft Access Shortcuts are dangerous in email
    deny    \.pif$          Possible MS-Dos program shortcut attack                Shortcuts to MS-Dos programs are very dangerous in email
    deny    \.scf$          Possible Windows Explorer Command attack               Windows Explorer Commands are dangerous in email
    deny    \.sct$          Possible Microsoft Windows Script Component attack     Windows Script Components are dangerous in email
    deny    \.shb$          Possible document shortcut attack                      Shortcuts Into Documents are very dangerous in email
    deny    \.shs$          Possible Shell Scrap Object attack                     Shell Scrap Objects are very dangerous in email
    deny    \.vb[es]$       Possible Microsoft Visual Basic script attack          Visual Basic Scripts are dangerous in email
    deny    \.ws[cfh]$      Possible Microsoft Windows Script Host attack          Windows Script Host files are dangerous in email
    deny    \.xnk$          Possible Microsoft Exchange Shortcut attack            Microsoft Exchange Shortcuts are dangerous in email
    
    # These are new dangerous attachment types according to Microsoft in
    # http://support.microsoft.com/?kbid=883260
    deny    \.cer$          Dangerous Security Certificate (according to Microsoft)        Dangerous attachment according to Microsoft Q883260
    deny    \.its$          Dangerous Internet Document Set (according to Microsoft)       Dangerous attachment according to Microsoft Q883260
    deny    \.mau$          Dangerous attachment type (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
    deny    \.md[az]$       Dangerous attachment type (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
    #deny   \.prf$          Dangerous Outlook Profile Settings (according to Microsoft)    Dangerous attachment according to Microsoft Q883260
    deny    \.pst$          Dangerous Office Data File (according to Microsoft)            Dangerous attachment according to Microsoft Q883260
    deny    \.tmp$          Dangerous Temporary File (according to Microsoft)              Dangerous attachment according to Microsoft Q883260
    deny    \.vsmacros$     Dangerous Visual Studio Macros (according to Microsoft)        Dangerous attachment according to Microsoft Q883260
    deny    \.vs[stw]$      Dangerous attachment type (according to Microsoft)             Dangerous attachment according to Microsoft Q883260
    deny    \.ws$           Dangerous Windows Script (according to Microsoft)              Dangerous attachment according to Microsoft Q883260
    
    
    # These 2 added by popular demand - Very often used by viruses
    deny    \.com$          Windows/DOS Executable                                 Executable DOS/Windows programs are dangerous in email
    deny    \.exe$          Windows/DOS Executable                                 Executable DOS/Windows programs are dangerous in email
    
    # These are very dangerous and have been used to hide viruses
    deny    \.scr$          Possible virus hidden in a screensaver                 Windows Screensavers are often used to hide viruses
    deny    \.bat$          Possible malicious batch file script                   Batch files are often malicious
    deny    \.cmd$          Possible malicious batch file script                   Batch files are often malicious
    deny    \.cpl$          Possible malicious control panel item                  Control panel items are often used to hide viruses
    deny    \.mhtml$        Possible Eudora meta-refresh attack                    MHTML files can be used in an attack against Eudora
    
    # Deny filenames containing CLSID's
    deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type          Files containing  CLSID's are trying to hide their real type
    
    # Deny filenames with lots of contiguous white space in them.
    deny    \s{10,}         Filename contains lots of white space                  A long gap in a name is often used to hide part of it
    
    # Allow repeated file extension, e.g. blah.zip.zip
    allow   (\.[a-z0-9]{3})\1$      -       -
    
    # Deny all other double file extensions. This catches any hidden filenames.
    #deny   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding Attempt to hide real filename extension

  4. #4 webman (North East England)
    Yes, we block attachments. Most are the Zimbra default though:

    asd, bat, chm, cmd, com, dll, exe, hlp, hta, js, jse, lnk, mov, ocx, pif, reg, rm, scr, shb, shm, shs, vbe, vbs, vbx, vxd, wav, wmf, wsf, wsh

    Zimbra also passes messages through its virus scanner.
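
    The MailScanner rule file in post #3 and the flat Zimbra extension list above are both first-match-wins filters on the attachment's filename. The script below is an added example written for this thread; it is not MailScanner's own code and not part of either poster's setup. It parses a constructed excerpt written in the filename.rules.conf syntax (TAB-separated action, regex, log text, user report text, with "-" for no text), turns a comma-separated list like the Zimbra one into deny rules, and shows which rule fires for a handful of sample names. Two behaviours are assumptions to confirm against your own MailScanner version: regexes are matched case-insensitively, and a name that matches no rule is allowed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt in MailScanner filename.rules.conf syntax: fields are
# TAB-separated (action, regex, log text, user report text); "-" means no text.
# Rule texts are modelled on the file posted in the thread; order matters.
RULES_CONF = "\n".join([
    "# comment lines and blank lines are ignored",
    "",
    "deny\t.{150,}\tVery long filename, possible OE attack\tVery long filenames are good signs of attacks",
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-",
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email",
    "deny\t\\.scr$\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses",
    "deny\t\\{[a-hA-H0-9-]{25,}\\}\tFilename trying to hide its real type\tFiles containing CLSID's are trying to hide their real type",
    "deny\t\\s{10,}\tFilename contains lots of white space\tA long gap in a name is often used to hide part of it",
    "allow\t\\.zip$\t-\t-",
    "allow\t\\.pdf$\t-\t-",
])

# webman's Zimbra block list, quoted from the thread.
ZIMBRA_LIST = ("asd, bat, chm, cmd, com, dll, exe, hlp, hta, js, jse, lnk, mov, ocx, pif, "
               "reg, rm, scr, shb, shm, shs, vbe, vbs, vbx, vxd, wav, wmf, wsf, wsh")


@dataclass
class Rule:
    action: str          # "allow", "deny" or "deny+delete"
    pattern: re.Pattern  # compiled regex applied to the attachment filename
    log_text: str        # what goes in the mail log
    report_text: str     # what the recipient is told


def parse_rules(text: str) -> List[Rule]:
    """Parse filename.rules.conf text into an ordered rule list (simplified parser)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in line.split("\t") if f != ""]  # tolerate runs of TABs
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least action and regex, TAB-separated")
        action = fields[0].lower()
        if action not in ("allow", "deny", "deny+delete"):
            raise ValueError(f"line {lineno}: unknown action {fields[0]!r}")
        log_text = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
        report_text = fields[3] if len(fields) > 3 and fields[3] != "-" else ""
        # Assumption: MailScanner matches these patterns case-insensitively.
        rules.append(Rule(action, re.compile(fields[1], re.IGNORECASE), log_text, report_text))
    return rules


def rules_from_extension_list(csv: str,
                              report: str = "Attachment type is blocked by policy") -> List[Rule]:
    """Turn a flat 'ext, ext, ...' list (Zimbra style) into deny rules on the final extension."""
    rules = []
    for ext in (e.strip().lstrip(".") for e in csv.split(",")):
        if ext:
            pattern = re.compile(r"\." + re.escape(ext) + r"$", re.IGNORECASE)
            rules.append(Rule("deny", pattern, f"Blocked .{ext} attachment", report))
    return rules


def check_filename(name: str, rules: List[Rule]) -> Tuple[str, str, str]:
    """Return (action, log text, report text) of the first rule whose regex matches.
    Assumption: a name matching no rule is allowed."""
    for rule in rules:
        if rule.pattern.search(name):
            return rule.action, rule.log_text, rule.report_text
    return "allow", "", ""


RULES = parse_rules(RULES_CONF)
ZIMBRA_RULES = rules_from_extension_list(ZIMBRA_LIST)

if __name__ == "__main__":
    # Constructed sample attachment names covering each rule in the excerpt.
    samples = ["newsletter.pdf", "invoice.pdf.exe", "photos.zip.zip",
               "a" * 160 + ".txt", "photo" + " " * 12 + ".jpg",
               "holiday.jpg.{11111111-2222-3333-4444-555555555555}", "notes.txt"]
    for name in samples:
        action, log_text, _ = check_filename(name, RULES)
        print(f"{action:6} {name[:40]!r:44} {log_text}")
    print(check_filename("script.BAT", ZIMBRA_RULES))
```

    Run it with python3 and read the output top to bottom: the order of rules decides the outcome, so "photos.zip.zip" is allowed by the repeated-extension rule while "invoice.pdf.exe" is denied by the .exe rule that comes before the .pdf allow. Every rule here looks only at the name, never at the content, which is why both Iain and webman pair extension blocking with a virus scan of what is inside the attachment.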

  5. #5 Geoff (Fylde, Lancs, UK)
    Any Exchange users doing blocking with it?

  6. #6
    Exchange 2007 has built-in spam facilities which are far better than 2003, and they will suffice provided they are set up correctly.

  7. #7
    Quote Originally Posted by Geoff
    Any Exchange users doing blocking with it?
    I'm just starting to test the effects of different transport rules in 2007, it's surprisingly effective, plus the aforementioned spam improvements. We also have Groupshield on the server, but I'm still deciding if that's a wise decision.

    Caveat: Our mail gets pre-filtered at county for dodgyness (executable content/malware), so I'm mainly using mine to detect obvious spam that county mail filtering doesn't pick up on (Acai / Viagra / Cialis in the subject line), plus internal > internal stuff I don't want going over the mail system (hilarious "shut down computer" shortcut labelled "Games", for example).

  8. #8 Ketlane
    The reverse of this is, sending email from school to parents. If you send text, no problems (barring the parents that haven't told us they've changed email address because they have changed job or whatever, and I have an automated snail-mail standard letter for them); but anything with images of any sort - and they do make school emails look nicer - seems to bounce from time to time. png file extensions are routinely bounced by recipient systems with .gov.uk addresses. The only way I can guarantee an email with images reaches everyone is to convert to pdf and send that as an attachment.

  9. #9 User3204 (Wirral)
    Quote Originally Posted by Ketlane
    The reverse of this is, sending email from school to parents. If you send text, no problems (barring the parents that haven't told us they've changed email address because they have changed job or whatever, and I have an automated snail-mail standard letter for them)
    What software do you use to do this?
    I've been asked to get something running for one of the secretaries to do this for the weekly newsletters.

    Sorry to go off topic.

  10. #10 Ketlane
    Our MIS, SchoolBase, is great for this - holds stacks of mailmerge letters which we can write, does the whole Readers Digest mailmerge bit if you want. After mass e-mailout last week, it generated the letters to send by snailmail - tedious bit was signing them and stuffing envelopes; it also has the neat trick that if you do a mailmerge to email it automatically generates snailmail versions for parents without email.
