Home page logo
/

basics logo Security Basics mailing list archives

Re: email attachement/extension block list
From: "shrek-m () gmx de" <shrek-m () gmx de>
Date: Sat, 21 Jan 2006 11:17:37 +0100

Aastra Security Support wrote:

I am looking at updating our email security in regards to blocking
attachments. So I am looking for a good recommendation of email
attachments/extension to block.


i am not really up2ate with mailscanner-4.47.4-1 but take a look at the default filename rules
http:/mailscanner.info
http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml

Other extension like .doc and .zip are a business requirement, so for
now we will allow then but we will scan for virus.

$ grep ^allow /etc/MailScanner/filename.rules.conf
allow   \.jpg$                  -       -
allow   \.gif$                  -       -
allow   \.url$                  -       -
allow   \.vcf$                  -       -
allow   \.txt$                  -       -
allow   \.zip$                  -       -
allow   \.t?gz$                 -       -
allow   \.bz2$                  -       -
allow   \.Z$                    -       -
allow   \.rpm$                  -       -
allow   \.gpg$                  -       -
allow   \.pgp$                  -       -
allow   \.sit$                  -       -
allow   \.asc$                  -       -
allow   \.hqx$                  -       -
allow   \.sit.bin$              -       -
allow   \.sea$                  -       -
allow   (\.[a-z0-9]{3})\1$      -       -

Some of the basic blocks consist of Bat,
Cmd, Exe, Pif, Scr, Vbs, .Shs some of the blocks on the bubble are .Lnk
and .Url.

$ grep ^deny /etc/MailScanner/filename.rules.conf
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus deny happy99\.exe$ "Happy" virus "Happy" virus deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email deny \.cer$ Dangerous Security Certificate (according to Microsoft)Dangerous attachment according to Microsoft Q883260 deny \.its$ Dangerous Internet Document Set (according to MicrosoftDangerous attachment according to Microsoft Q883260 deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft)Dangerous attachment according to Microsoft Q883260 deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260 deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses deny \.bat$ Possible malicious batch file script Batch files are often malicious deny \.cmd$ Possible malicious batch file script Batch files are often malicious deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

--
shrek-m

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]