
Email Attachments and MailScanner
MailScanner is a highly respected open-source email security system designed for Linux-based email gateways. It is used at over 40,000 sites worldwide, protecting top government departments, commercial corporations, and educational institutions. This technology has quickly become the standard email solution at many ISP sites for virus protection and spam filtering.
MailScanner scans email for viruses, spam, phishing, malware, and other attacks targeting security vulnerabilities, and plays a major role in a network’s security. Because MailScanner is open source, its technology has been reviewed many times by some of the best and brightest in computer security worldwide. MailScanner supports a wide range of MTAs and virus scanners, including the popular open-source Clam AV.
Simply Web Services uses MailScanner on our email servers. MailScanner restricts certain file types as attachments.
The following is a list of some of the file attachments that may be blocked by the service (the attachments are removed from emails before delivery to you and may be placed in a quarantine area for a few days should you wish to receive them) (Source: MailScanner):
These are known to be dangerous in almost all cases.
.reg = Possible Windows registry attack
.chm = Possible compiled Help file-based virus
.cnf = Possible SpeedDial attack
.hta = Possible Microsoft HTML archive attack
.ins = Possible Microsoft Internet Comm. Settings attack
.jse = Possible Microsoft JScript attack
.lnk = Possible Eudora *.lnk security hole attack
.ma = Possible Microsoft Access Shortcut attack
.pif = Possible MS-Dos program shortcut attack
.scf = Possible Windows Explorer Command attack
.sct = Possible Microsoft Windows Script Component attack
.shb = Possible document shortcut attack
.shs = Possible Shell Scrap Object attack
.vbe or .vbs = Possible Microsoft Visual Basic script attack
.wsc ,.wsf ,.wsh = Possible Microsoft Windows Script Host attack
.xnk = Possible Microsoft Exchange Shortcut attack
Commonly blocked — frequently used by viruses
.com = Windows/DOS Executable
.exe = Windows/DOS Executable
These are very dangerous and have been used to hide viruses
.scr = Possible virus hidden in a screensaver
.bat = Possible malicious batch file script
.cmd = Possible malicious batch file script
.cpl = Possible malicious control panel item
.mhtml = Possible Eudora meta-refresh attack
Deny filenames ending with CLSID’s
Some malicious files use a CLSID — a long string of numbers and letters in curly braces — to disguise their true file extension. MailScanner blocks these automatically.
{[a-hA-H0-9-]{25,}\} = Filename trying to hide its real extension
Examples:
A977FF0C-8757-4E76-8533-
000209FF-0000-0000-C000-
Deny filenames with lots of contiguous whitespace.
Malicious files sometimes use extra spaces in their filename to push the real file extension off-screen, making them appear safe. MailScanner blocks these filenames to prevent this trick.
Deny all other double file extensions. This catches any hidden filenames.
Found possible filename hiding
Examples:
.txt.pif
.doc.pif
.doc.com
.txt.exe
The double-file extension seems to be a common problem. We often see this when people are compressing or zipping a file; the file extension might be .txt.zip.
Please note that we block this for all email clients.
What to Do If Your Attachment Was Blocked
If you are an SWS client and you are expecting an email attachment that never arrived, there is a good chance MailScanner flagged it before it reached your inbox. Blocked attachments are not immediately deleted — they are held in a quarantine area for a short period, giving us a window to retrieve them if needed.
Here is what you should do:
- Contact the sender and ask them to confirm the file extension they used
- Ask them to compress the file into a .zip archive and resend it
- Contact Simply Web Services support if you believe a legitimate file was blocked and needs to be retrieved from quarantine
MailScanner is working hard behind the scenes to keep your inbox and your computer safe. When in doubt, always reach out to us before attempting to work around any email security measures — we are here to help.
FAQs
Simply Web Services uses MailScanner on all email servers to automatically scan and filter incoming attachments for viruses, malware, and known dangerous file types. If your attachment was blocked, the file extension it uses (.exe, .bat, .vbs, etc.) is on MailScanner's restricted list because it is commonly used to deliver malware. The attachment is not deleted immediately — it is placed in a quarantine area for a few days, during which time your web host can retrieve it if the file is confirmed safe.
MailScanner blocks a wide range of file extensions that are commonly associated with viruses and malicious software, including executable files (.exe, .com), script files (.vbs, .bat, .cmd, .jse), shortcut files (.pif, .lnk, .scf), and many others. Files with double extensions (such as .txt.exe or .doc.pif) are also blocked because they are often used to disguise malicious files as harmless documents. See the full list on this page for all blocked file types.
The safest approach is to compress the file into a .zip or .7z archive before sending it. Note that double file extensions (e.g., .txt.zip where the original file was .txt) may still trigger the filter. If you need to receive a specific file that was blocked, contact Simply Web Services support — we can check the quarantine area and retrieve the attachment if it is confirmed to be safe.
ClamAV is a free, open-source antivirus engine that MailScanner uses to scan email attachments for known viruses, trojans, and malware. When an email arrives on the server, MailScanner passes attachments through ClamAV for scanning. If a threat is detected, the attachment is removed before the email is delivered to your inbox — keeping your computer and your data safe.
Yes, it is possible for MailScanner to block a legitimate file if it uses a file extension that appears on the restricted list — even if the file itself is harmless. This is by design, as the goal is to prevent dangerous files from reaching your inbox before you can verify their safety. If you are expecting a specific file that hasn't arrived, check with your sender to confirm the file extension, and contact our support team if you believe it was blocked in error.
Have questions about a blocked email attachment or quarantined file?
Simply Web Services uses MailScanner on all of our email servers to protect clients from viruses, malware, and dangerous file attachments. If a legitimate file was blocked, or you need help sending a large or restricted attachment.