Security Basics mailing list archives

Re: email attachement/extension block list

From: "shrek-m () gmx de" <shrek-m () gmx de>
Date: Sat, 21 Jan 2006 11:17:37 +0100

Aastra Security Support wrote:

I am looking at updating our email security in regards to blocking
attachments. So I am looking for a good recommendation of email
attachments/extension to block.

i am not really up2ate with mailscanner-4.47.4-1 but take a look at thedefault filename rules

http:/mailscanner.info
http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml

Other extension like .doc and .zip are a business requirement, so for
now we will allow then but we will scan for virus.


$ grep ^allow /etc/MailScanner/filename.rules.conf
allow   \.jpg$                  -       -
allow   \.gif$                  -       -
allow   \.url$                  -       -
allow   \.vcf$                  -       -
allow   \.txt$                  -       -
allow   \.zip$                  -       -
allow   \.t?gz$                 -       -
allow   \.bz2$                  -       -
allow   \.Z$                    -       -
allow   \.rpm$                  -       -
allow   \.gpg$                  -       -
allow   \.pgp$                  -       -
allow   \.sit$                  -       -
allow   \.asc$                  -       -
allow   \.hqx$                  -       -
allow   \.sit.bin$              -       -
allow   \.sea$                  -       -
allow   (\.[a-z0-9]{3})\1$      -       -

Some of the basic blocks consist of Bat,
Cmd, Exe, Pif, Scr, Vbs, .Shs some of the blocks on the bubble are .Lnk
and .Url.


$ grep ^deny /etc/MailScanner/filename.rules.conf

deny .{150,} Very long filename, possible OEattack Very long filenames are good signs of attacks againstMicrosoft e-mail packagesdeny \.ico$ Windows icon file securityvulnerability Possible buffer overflow in Windowsdeny \.ani$ Windows animated cursor file securityvulnerability Possible buffer overflow inWindowsdeny \.cur$ Windows cursor file securityvulnerability Possible buffer overflow in Windowsdeny \.hlp$ Windows help file securityvulnerability Possible buffer overflow in Windowsdeny pretty\s+park\.exe$ "Pretty Park"virus "Pretty Park" virusdeny happy99\.exe$ "Happy"virus "Happy" virusdeny \.ceo$ WinEvar virusattachment Often used by the WinEvar virusdeny webpage\.rar$ I-Worm.Yanker virusattachment Often used by the I-Worm.Yanker virusdeny \.cab$ Possible malicious Microsoft cabinetfile Cabinet files may hide virusesdeny \.reg$ Possible Windows registryattack Windows registry entries are very dangerousin emaildeny \.chm$ Possible compiled Help file-basedvirus Compiled help files are very dangerous in emaildeny \.cnf$ Possible SpeedDialattack SpeedDials are very dangerous in emaildeny \.hta$ Possible Microsoft HTML archiveattack HTML archives are very dangerous in emaildeny \.ins$ Possible Microsoft Internet Comm. Settingsattack Windows Internet Settings are dangerous in emaildeny \.jse?$ Possible Microsoft JScriptattack JScript Scripts are dangerous in emaildeny \.job$ Possible Microsoft Task Schedulerattack Task Scheduler requests are dangerous in emaildeny \.lnk$ Possible Eudora *.lnk security holeattack Eudora *.lnk security hole attackdeny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcutattack Microsoft Access Shortcuts are dangerous in emaildeny \.pif$ Possible MS-Dos program shortcutattack Shortcuts to MS-Dos programs are very dangerous inemaildeny \.scf$ Possible Windows Explorer Commandattack Windows Explorer Commands are dangerous in emaildeny \.sct$ Possible Microsoft Windows Script Componentattack Windows Script Components are dangerous in emaildeny \.shb$ Possible document shortcutattack Shortcuts Into Documents are very dangerousin emaildeny \.shs$ Possible Shell Scrap Objectattack Shell Scrap Objects are very dangerous in emaildeny \.vb[es]$ Possible Microsoft Visual Basic scriptattack Visual Basic Scripts are dangerous in emaildeny \.ws[cfh]$ Possible Microsoft Windows Script Hostattack Windows Script Host files are dangerous in emaildeny \.xnk$ Possible Microsoft Exchange Shortcutattack Microsoft Exchange Shortcuts are dangerous in emaildeny \.cer$ Dangerous Security Certificate (according toMicrosoft)Dangerous attachment according to Microsoft Q883260deny \.its$ Dangerous Internet Document Set (according toMicrosoftDangerous attachment according to Microsoft Q883260deny \.mau$ Dangerous attachment type (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.md[az]$ Dangerous attachment type (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.prf$ Dangerous Outlook Profile Settings (according toMicrosoft) Dangerous attachment according toMicrosoft Q883260deny \.pst$ Dangerous Office Data File (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.tmp$ Dangerous Temporary File (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.vsmacros$ Dangerous Visual Studio Macros (according toMicrosoft)Dangerous attachment according to Microsoft Q883260deny \.vs[stw]$ Dangerous attachment type (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.ws$ Dangerous Windows Script (according toMicrosoft) Dangerous attachment according to Microsoft Q883260deny \.com$ Windows/DOSExecutable Executable DOS/Windowsprograms are dangerous in emaildeny \.exe$ Windows/DOSExecutable Executable DOS/Windowsprograms are dangerous in emaildeny \.scr$ Possible virus hidden in ascreensaver Windows Screensavers are often used to hidevirusesdeny \.bat$ Possible malicious batch filescript Batch files are often maliciousdeny \.cmd$ Possible malicious batch filescript Batch files are often maliciousdeny \.cpl$ Possible malicious control panelitem Control panel items are often used to hide virusesdeny \.mhtml$ Possible Eudora meta-refreshattack MHTML files can be used in an attack againstEudoradeny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its realtype Files containing CLSID's are trying to hide their real typedeny \s{10,} Filename contains lots of whitespace A long gap in a name is often used to hide part of itdeny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filenamehiding Attempt to hide real filename extension


--
shrek-m

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The Norwich University program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Tailor your education to your own professional goals with degreecustomizations including Emergency Management, Business Continuity Planning,Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

RE: email attachement/extension block list Aastra Security Support (Jan 20)
- Re: email attachement/extension block list shrek-m () gmx de (Jan 23)
- Re: email attachement/extension block list Kurt Buff (Jan 24)
  - Re: email attachement/extension block list Micheal Espinola Jr (Jan 26)