
SANS ISC: InfoSec Handlers Diary Blog


Blocking .exe attachments

Published: 2007-01-31
Last Updated: 2007-02-01 14:23:13 UTC
by Johannes Ullrich (Version: 3)
The "Storm Worm" and a recent rash of simple .exe attachments showed how easy it still is to trick users into clicking on executables that arrive via e-mail. On the other hand: why do users still receive attachments which they are not supposed to click on? In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTAs). Feel free to submit your own; we will keep adding and amending. The start is from a quick Google search and consulting with our handlers. Also, we should mention that for some of us, this sort of default allow stance (allow anything not explicitly denied) grates a little. We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.

MailEnable:

see: http://www.mailenable.com/kb/Content/Article.asp (Thanks Jon!)

Exchange:

Technet has an article with details for Exchange 2007.

Exim:

Use the "acl_smtp_mime" feature and add:

  # File extension filtering.
  deny message   = Blocklisted file extension detected
       condition = ${if match \
                      {${lc:$mime_filename}} \
                      {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                      {1}{0}}

(Thanks Greg!)

Postfix:

Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension (the /x flag lets the pattern span continuation lines, which must start with whitespace):

  /^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
     bat|exe|scr))(\?=)?"?\s*(;|$)/x
       REJECT 598 Attachment name "$2" may not end with ".$3"

(This example filters .bat, .exe and .scr; see the references below for a list of other extensions you might want to consider blocking.)

Procmail:

The procmail recipe can use essentially the same regular expression as Postfix. Two details matter: the B flag is required so the condition is matched against the message body, where the MIME part headers carrying the attachment name live, and procmail's own regex dialect has no \s, so plain spaces stand in for it:

  # B flag: search the body, because Content-Disposition/Content-Type of
  # attachments sit inside the MIME parts, not in the top-level header.
  # Procmail conditions are matched case-insensitively by default.
  :0 B
  * ^Content-(Disposition|Type).*name *= *"?(.*\.(bat|exe|scr))(\?=)?"? *(;|$)
  /dev/null

Amavisd-new:

Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note that amavisd-new can also do more accurate checking based on examining the file 'magic' values, as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):

$banned_filename_re = new_RE(
   qr'.\.(bat|exe|scr)$'i,
   qr'^\.(exe|zip|lha|tnef)$'i,    # banned file(1) types
);
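The two ideas in the Postfix and amavisd-new sections (match the attachment name's extension, then check the file's magic bytes so a renamed file is still caught) as an added, runnable Python example; this is not code from the diary or from any of the MTAs, and the message, filenames and payloads are constructed here for illustration:

```python
import base64
import re
from email import policy
from email.parser import BytesParser

# Extension blocklist from the diary's Postfix/procmail examples, matched
# case-insensitively so "Invoice.EXE" is caught as readily as "invoice.exe".
BLOCKED_EXT_RE = re.compile(r"\.(bat|exe|scr)$", re.IGNORECASE)
# Content check in the spirit of amavisd-new's file(1) types: a renamed
# Windows executable still begins with "MZ", a renamed ZIP with "PK\x03\x04".
BANNED_MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}


def banned_reason(part):
    """Return why a MIME part is banned, or None if it may pass."""
    name = part.get_filename() or ""  # handles quoted / RFC 2231 names
    if BLOCKED_EXT_RE.search(name):
        return f"extension:{name}"
    data = part.get_payload(decode=True) or b""  # undo base64/QP first
    for magic, kind in BANNED_MAGIC.items():
        if data.startswith(magic):
            return f"magic:{kind}:{name}"
    return None


def scan_message(raw):
    """Walk every part of a raw message and collect the ban reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [r for r in map(banned_reason, msg.walk()) if r]


def _attachment(filename, data):
    """Constructed MIME part; its Content-Disposition line is exactly what
    the Postfix and procmail regexes above are matched against."""
    return (b"--B\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n"
            b'Content-Disposition: attachment; filename="' + filename.encode()
            + b'"\r\n\r\n' + base64.b64encode(data) + b"\r\n")


# Constructed sample message: one caught by extension, one only by magic.
SAMPLE = (b"From: a@example.test\r\nTo: b@example.test\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
          + _attachment("Invoice.EXE", b"MZ\x90\x00fake PE header")
          + _attachment("photos.piz", b"PK\x03\x04renamed zip")
          + _attachment("notes.txt", b"plain text, allowed")
          + b"--B--\r\n")
```

Running scan_message(SAMPLE) flags the .EXE by extension and the renamed ZIP by magic while letting the text file through.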

Sendmail:

The preferred method to block these in sendmail (8.12.x and later) is with a milter.  One of the most popular is MIMEdefang (http://www.mimedefang.org), which includes a default filter that blocks these and a number of other "bad" file types.

References:

http://support.microsoft.com/kb/883260/ - describes the XPSP2 Attachment Manager and lists dangerous types