How many of you have blanket blocks on various extensions? If so, what do you block? If you don't block based on extension what do you do? AV scan all attachments?
Printable View
How many of you have blanket blocks on various extensions? If so, what do you block? If you don't block based on extension what do you do? AV scan all attachments?
Hi Geoff,
I use MailScanner (::: Official Home Page for MailScanner - Anti-Virus and Anti-Spam Filter :::) along with SpamAssassin for scanning our email, which by default blocks quite a few file extensions. I've attached the default rule list, which also contains explanations of why various extensions are blocked. zip files etc. are allowed, but the contents are virus scanned by the email filter.
I've been running this for a few years now, and so far have never had any complaints of things getting blocked that shouldn't be.
Iain.
This is our /etc/MailScanner/filename.rules.conf
Code:[/etc/MailScanner/filenam Row 1 Col 1 11:14 Ctrl-X H for help
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete, then regular expression, then log text,
# then user report text.
#
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack
# JKF 01/01/2006 Another Microsoft security vulnerability
#deny \.wmf$ Windows Metafile security vulnerability
# JKF 04/01/2005 More Microsoft security vulnerabilities
#deny \.bmp$ Windows bitmap file security vulnerability
deny \.ico$ Windows icon file security vulnerability
deny \.ani$ Windows animated cursor file security vulnerabi
deny \.cur$ Windows cursor file security vulnerability
deny \.hlp$ Windows help file security vulnerability
# These 4 are well known viruses.
No modified files, so no updates needed.
[root@mailhub1 ~]# cat /etc/MailScanner/filename.rules.conf
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete, then regular expression, then log text,
# then user report text.
#
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
# JKF 01/01/2006 Another Microsoft security vulnerability
#deny \.wmf$ Windows Metafile security vulnerability Possible format attack in Windows
# JKF 04/01/2005 More Microsoft security vulnerabilities
#deny \.bmp$ Windows bitmap file security vulnerability Possible buffer overflow in Windows
deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
# These 4 are well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
# JKF 08/07/2005 Several virus scanners may miss this one
deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses
# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sig$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -
# These are known to be dangerous in almost all cases.
#deny \.gif$ Possible Spam Possible Spam
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny \.cer$ Dangerous Security Certificate (according to Microsoft)Dangerous attachment according to Microsoft Q883260
deny \.its$ Dangerous Internet Document Set (according to Microsoft)Dangerous attachment according to Microsoft Q883260
deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
#deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft)Dangerous attachment according to Microsoft Q883260
deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -
# Deny all other double file extensions. This catches any hidden filenames.
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
Yes, we block attachments. Most are the Zimbra default though:
asd, bat, chm, cmd, com, dll, exe, hlp, hta, js, jse, lnk, mov, ocx, pif, reg, rm, scr, shb, shm, shs, vbe, vbs, vbx, vxd, wav, wmf, wsf, wsh
Zimbra also passes messages through its virus scanner.
Any Exchange users doing blocking with it?
Exchange 2007 has built in Spam facilities which are far better than 2003 and they will suffice provided they are set up correctly.
I'm just starting to test the effects of different transport rules in 2007, it's surprisingly effective, plus the aforementioned spam improvements. We also have Groupshield on the server, but I'm still deciding if that's a wise decision.Quote:
Originally Posted by Geoff
Caveat: Our mail gets pre-filtered at county for dodgyness (executable content/malware), so I'm mainly using mine to detect obvious spam that county mail filtering doesn't pick up on (Acai / Viagra / Cialis in the subject line), plus internal > internal stuff I don't want going over the mail system (hilarious "shut down computer" shortcut labelled Games", for example).
The reverse of this is, sending email from school to parents. If you send text, no problems (barring the parents that haven't told us they've changed email address because they have changed job or whatever, and I have an automated snail-mail standard letter for them); but anything with images of any sort - and they do make school emails look nicer - seems to bounce from time to time. png file extensions are routinely bounced by recipient systems with .gov.uk addresses. The only way I can guarantee an email with images reaches everyone is to convert to pdf and send that as an attachment.
What software do you use to do this ?Quote:
Originally Posted by Ketlane
I've been asked to get something running for one of the secretaries to do this for the weekly newsletters.
Sorry to go off topic.
Our MIS, SchoolBase, is great for this - holds stacks of mailmerge letters which we can write, does the whole Readers Digest mailmerge bit if you want. After mass e-mailout last week, it generated the letters to send by snailmail - tedious bit was signing them and stuffing envelopes; it also has the neat trick that if you do a mailmerge to email it automatically generates snailmail versions for parents without email.