
Email Attachments and MailScanner
MailScanner is a highly respected open-source email security system designed for Linux-based email gateways. It is used at over 40,000 sites around the world, protecting top government departments, commercial corporations, and educational institutions. This technology has fast become the standard email solution at many ISP sites for virus protection and spam filtering.
MailScanner scans email for viruses, spam, phishing, malware, and other attacks against security vulnerabilities and plays a major part in the security of a network. By virtue of being open source, the technology in MailScanner has been reviewed many times over by some of the best and brightest in the field of computer security from around the world. MailScanner supports a wide range of MTAs and virus scanners, including the popular open-source ClamAV.
Simply Web Services uses MailScanner on our email servers. MailScanner restricts certain file types as attachments.
The following is a list of some of the file attachments that may be blocked by the service. Blocked attachments are removed from emails before delivery to you and may be placed in a quarantine area for a few days, should you wish to receive them. (Source: MailScanner)
These are known to be dangerous in almost all cases.
.reg = Possible Windows registry attack
.chm = Possible compiled Help file-based virus
.cnf = Possible SpeedDial attack
.hta = Possible Microsoft HTML archive attack
.ins = Possible Microsoft Internet Comm. Settings attack
.jse = Possible Microsoft JScript attack
.lnk = Possible Eudora *.lnk security hole attack
.ma = Possible Microsoft Access Shortcut attack
.pif = Possible MS-Dos program shortcut attack
.scf = Possible Windows Explorer Command attack
.sct = Possible Microsoft Windows Script Component attack
.shb = Possible document shortcut attack
.shs = Possible Shell Scrap Object attack
.vbe or .vbs = Possible Microsoft Visual Basic script attack
.wsc .wsf .wsh = Possible Microsoft Windows Script Host attack
.xnk = Possible Microsoft Exchange Shortcut attack
These two were added by popular demand; they are very often used by viruses.
.com = Windows/DOS Executable
.exe = Windows/DOS Executable
These are very dangerous and have been used to hide viruses
.scr = Possible virus hidden in a screensaver
.bat = Possible malicious batch file script
.cmd = Possible malicious batch file script
.cpl = Possible malicious control panel item
.mhtml = Possible Eudora meta-refresh attack
Deny filenames ending with CLSIDs.
\{[a-hA-H0-9-]{25,}\} = Filename trying to hide its real extension
Examples:
A977FF0C-8757-4E76-8533-
000209FF-0000-0000-C000-
Deny filenames with lots of contiguous white space in them.
Filename contains lots of white space
Deny all other double file extensions. This catches any hidden filenames.
Found possible filename hiding
Examples:
.txt.pif
.doc.pif
.doc.com
.txt.exe
Double file extensions are a common source of blocked attachments. We see them often when people compress or zip a file, because the resulting name can end in a double extension such as .txt.zip.
Please note that we block this for all email clients.
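As an added illustration (not MailScanner's own code or configuration), the following Python checker applies the rule categories listed above in order, first match wins, to a few constructed attachment names. The extension lists and the CLSID pattern come from the list above; the whitespace threshold of 10, the double-extension pattern, case-insensitive matching and the sample CLSID are assumptions made for this example.

```python
import re

# Ordered (pattern, reason) rules in the spirit of a MailScanner filename
# rules file: the first matching rule decides. Extension lists and the CLSID
# pattern follow the list above; the whitespace threshold (10) and the
# double-extension pattern are assumed for this example, not MailScanner's own.
DENY_RULES = [
    (r"\.(reg|chm|cnf|hta|ins|jse|lnk|ma|pif|scf|sct|shb|shs|vbe|vbs|wsc|wsf|wsh|xnk)$",
     "Known to be dangerous in almost all cases"),
    (r"\.(com|exe)$", "Windows/DOS Executable"),
    (r"\.(scr|bat|cmd|cpl|mhtml)$", "Very dangerous, used to hide viruses"),
    (r"\{[a-hA-H0-9-]{25,}\}", "Filename trying to hide its real extension"),
    (r"\s{10,}", "Filename contains lots of white space"),          # threshold assumed
    # Two short extensions at the end of the name; the first must start with a
    # letter so that names like report.2019.pdf are not treated as hiding.
    (r"\.[a-z][a-z0-9]{1,3}\s*\.[a-z0-9]{2,4}$", "Found possible filename hiding"),
]
# Assumed: filenames are matched case-insensitively (FILE.EXE is still blocked).
COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in DENY_RULES]


def check_filename(name: str):
    """Return (allowed, reason) for one attachment filename."""
    for rx, why in COMPILED:
        if rx.search(name):
            return False, why
    return True, "No filename rule matched"


def blocked_attachments(names):
    """Return [(name, reason)] for every filename that some rule denies."""
    return [(n, check_filename(n)[1]) for n in names if not check_filename(n)[0]]


# Constructed sample attachment names; the CLSID below is made up for the demo.
SAMPLE_NAMES = [
    "invoice.pdf",
    "readme.txt.pif",
    "photo.jpg.exe",
    "notes.txt.zip",
    "Holiday photos            .jpg",
    "report.doc.{A977FF0C-8757-4E76-8533-000209FF0000}",
    "report.2019.pdf",
]

if __name__ == "__main__":
    for name, why in blocked_attachments(SAMPLE_NAMES):
        print(f"BLOCKED {name!r}: {why}")
```

Because the executable rules come before the double-extension rule, photo.jpg.exe is reported as an executable rather than as filename hiding, and a compressed file such as notes.txt.zip is caught by the last rule, which is the behaviour described above.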