Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Blocking .exe attachments SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Blocking .exe attachments
"Storm Worm" and a recent rash of simple .exe attachments showed how easy it is to still trick users into clicking on executables that arrive via e-mail. On the other hand: Why do users still receive attachments which they are not supposed to click on. In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTA). Feel free to submit your own. We will keep adding amending. The start is from a quick google search and consulting with our handlers.  Also, we should mention that for some of us, this sort of a default allow stance (allow anything not explictly denied) grates a little.  We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.


Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:
REJECT 598 Attachment name "$2" may not end with ".$3"
(this example filters .bat, .exe and .scr, see references below for a list of other extensions you might want to consider blocking)


The procmail recipe can use the same regular expression used by Postfix:

* ^Content-(Disposition|Type).name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)



Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note, that amavisd-new can also do more accurate checking based on examining the file 'magic' values as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):

$banned_filename_re = new_RE(
   qr'^\.(exe|zip|lha|tnef)$'i,    # banned file(1) types


The preferred method to block these in sendmail (8.12.x and later) is with a milter.  One of the most popular is MIMEdefang (, which includes a default filter that blocks these and a number of other "bad" file types.

References: - describes the XPSP2 Attachment Manager and lists dangerous types
I will be teaching next: Intrusion Detection In-Depth - SANS London May 2021


4112 Posts
ISC Handler
Jan 31st 2007

Sign Up for Free or Log In to start participating in the conversation!