Blocking .exe attachments
"Storm Worm" and a recent rash of simple .exe attachments showed how easy it is to still trick users into clicking on executables that arrive via e-mail. On the other hand: Why do users still receive attachments which they are not supposed to click on. In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTA). Feel free to submit your own. We will keep adding amending. The start is from a quick google search and consulting with our handlers. Also, we should mention that for some of us, this sort of a default allow stance (allow anything not explictly denied) grates a little. We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.
Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:
The procmail recipe can use the same regular expression used by Postfix:
:0
* ^Content-(Disposition|Type).name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)
/dev/null
$banned_filename_re = new_RE(
qr'.\.(bat|exe|scr)$'i,
qr'^\.(exe|zip|lha|tnef)$'i, # banned file(1) types
);
http://support.microsoft.com/kb/883260/ - describes the XPSP2 Attachment Manager and lists dangerous types
MailEnable:
see: http://www.mailenable.com/kb/Content/Article.asp (Thanks Jon!)Exchange:
Technet has an article with details for Exchange 2007.Exim:
Use the "acl_smtp_mime" feature and add:# File extension filtering.
deny message = Blocklisted file extension detected
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
{1}{0}}
(Thanks Greg!)
Postfix:
Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.((this example filters .bat, .exe and .scr, see references below for a list of other extensions you might want to consider blocking)
bat|exe|scr))(\?=)?"?\s*(;|$)/x
REJECT 598 Attachment name "$2" may not end with ".$3"
Procmail:
The procmail recipe can use the same regular expression used by Postfix:
:0
* ^Content-(Disposition|Type).name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)
/dev/null
Amavisd-new:
Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note, that amavisd-new can also do more accurate checking based on examining the file 'magic' values as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):
$banned_filename_re = new_RE(
qr'.\.(bat|exe|scr)$'i,
qr'^\.(exe|zip|lha|tnef)$'i, # banned file(1) types
);
Sendmail:
The preferred method to block these in sendmail (8.12.x and later) is with a milter. One of the most popular is MIMEdefang (http://www.mimedefang.org), which includes a default filter that blocks these and a number of other "bad" file types.References:
http://support.microsoft.com/kb/883260/ - describes the XPSP2 Attachment Manager and lists dangerous types
Keywords:
0 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
×
Diary Archives
Comments