Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Blocking .exe attachments - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Blocking .exe attachments
"Storm Worm" and a recent rash of simple .exe attachments showed how easy it is to still trick users into clicking on executables that arrive via e-mail. On the other hand: Why do users still receive attachments which they are not supposed to click on. In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTA). Feel free to submit your own. We will keep adding amending. The start is from a quick google search and consulting with our handlers.  Also, we should mention that for some of us, this sort of a default allow stance (allow anything not explictly denied) grates a little.  We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.

Postfix:


Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
bat|exe|scr))(\?=)?"?\s*(;|$)/x
REJECT 598 Attachment name "$2" may not end with ".$3"
(this example filters .bat, .exe and .scr, see references below for a list of other extensions you might want to consider blocking)

Procmail:


The procmail recipe can use the same regular expression used by Postfix:

:0
* ^Content-(Disposition|Type).name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)
/dev/null


Amavisd-new:

 

Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note, that amavisd-new can also do more accurate checking based on examining the file 'magic' values as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):

$banned_filename_re = new_RE(
   qr'.\.(bat|exe|scr)$'i,
   qr'^\.(exe|zip|lha|tnef)$'i,    # banned file(1) types
);


Sendmail:

The preferred method to block these in sendmail (8.12.x and later) is with a milter.  One of the most popular is MIMEdefang (http://www.mimedefang.org), which includes a default filter that blocks these and a number of other "bad" file types.

References:


http://support.microsoft.com/kb/883260/ - describes the XPSP2 Attachment Manager and lists dangerous types
I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3479 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!