Delayed Attachment Notification and Release
Background
In a recent report, enterprise anti virus vendor Sophos reported that approximately 96% of all email is spam. In that same report they also state
"The figures show an alarming rise in the proportion of spam emails sent with malicious attachments between July - September 2008, as well as an increase in spam attacks using social engineering techniques to snare unsuspecting computer users. "
All e-mail messages that pass through the University of
Denver's central mail servers are scanned for viruses. Because viruses
and worms passed through e-mail as executable attachments are typically
generated automatically and profusely by infected computers, e-mail
messages found to contain infected attachments are discarded.
Network security has identified a number of attachment types
that have, historically, been used to exploit computer operating system
and application vulnerabilities for which software vendors have been
slow to release patches. We have chosen to define these as
Potentially Malicious Attachments or PMAs.
Because criminals can take advantage of these vulnerabilities in a very short period from the moment they are identified, many institutions block the affected attachment types. The approach at DU is different.
Because we cannot automate the human capacity to accurately weigh all the factors in allowing messages through without the extra precautions, messages with PMAs destined for DU recipients are scanned by the mail server when initially received. If they are found to be clean, they are held for approximately 4 hours and rescanned. This delay is designed to allow anti virus vendors to detect new viruses, and to release new signatures to detect them. Four hours may not always be enough time to assure that an attachment is completely virus free, but it is enough for a significant number of cases.
However, this delay can often be disruptive. So, when
such a message, destined for a du.edu
address, is delayed, a notification will be sent to the recipient
within 30 minutes of being sidelined. The recipient may, after
reviewing the information in the notification,
choose to instruct the system to release the message before the four
hours have expired.
Here is an example of a notification.
Please note: Messages released by a request from the recipient are NOT rescanned by the mail server.
If you choose to release a message early it is important for you to realize that you are subjecting your data and your computer to an additional level of risk. If the released message results in loss of, or inadvertent disclosure of information on your computer, the responsibility for the subsequent clean-up, repair, and/or recovery of your damaged system rests with you.
The list of file types considered to be potentially unsafe is given below.
WARNINGS
Do not open any e-mail attachment unless you:
- Know the sender. Do not accept e-mail
"candy" from strangers.
- Confirm that the sender actually sent the attachment. Malicious messages may be disguised as coming from legitimate addresses. Do not open message attachments if you have any reason to suspect the authenticity of the message.
WORKAROUNDS
Please review the above warnings before opening any e-mail attachments.
People who need to transmit potentially malicious file types, may do so in several ways:
- Senders
can post the file on a website and tell recipients where they can
download it. (This is usually the most appropriate method for
distributing files to many recipients.)
- Senders can rename the file before attaching it and provide recipients with instructions for changing the file name back to its original value.
- Senders may encrypt the attachment or the message and
provide instructions to decrypt it upon receipt.
Important: These techniques are sometimes used by criminals in an attempt to spread malware. The recipient should still heed the WARNINGS given above AND have up-to-date anti virus software installed and working on their system.
POTENTIALLY MALICIOUS FILE TYPES
E-mail messages containing attachments with the following file types destined for DU e-mail addresses will be delayed when passing through the University of Denver's central mail servers. Because security risks can change rapidly, this list may be modified without notice.
The University of Denver's e-mail servers use the following rules to deal with these file types:
- Attachments of e-mails destined for du.edu addresses are scanned for viruses. If viruses are found, messages are discarded.
- If attachments contain no viruses, messages are sidelined for 4 hours and then scanned again. (The delay is intended to prevent viruses from being distributed before virus signatures are available.) If executable viruses are found in the second scan, messages are discarded. If no viruses are found in the second scan, the messages are passed on unchanged.
- The recipient will be notified of any new messages with
potentially malicious file
attachments that have been sidelined to be rescanned in the last half
hour.
The recipient may elect, when they receive that notification, to request that the message be released and delivered before the second scan. Such messages will not be rescanned by the mail server. The recipient must take additional measures to ensure the safety of their system and data.
Extension |
File type |
|
.ade |
Access Project Extension (Microsoft) |
|
.adp |
Access Project (Microsoft) |
|
.app |
Executable Application |
|
.asp |
Active Server Page |
|
.bas |
BASIC Source Code |
|
.bat |
Batch Processing |
|
.cer |
Internet Security Certificate File |
|
.chm |
Compiled HTML Help |
|
.cmd |
DOS CP/M Command File, Command File for Windows NT |
|
.com |
Command |
|
.cpl |
Windows Control Panel Extension (Microsoft) |
|
.crt |
Certificate File |
|
.csh |
csh Script |
|
.exe |
Executable File |
|
.fxp |
FoxPro Compiled Source (Microsoft) |
|
.hlp |
Windows Help File |
|
.hta |
Hypertext Application |
|
.inf |
Information or Setup File |
|
.ins |
IIS Internet Communications Settings (Microsoft) |
|
.isp |
IIS Internet Service Provider Settings (Microsoft) |
|
.its |
Internet Document Set, Internation Translation |
|
.js |
JavaScript Source Code |
|
.jse |
JScript Encoded Script File |
|
.ksh |
UNIX Shell Script |
|
.lnk |
Windows Shortcut File |
|
.mad |
Access Module Shortcut (Microsoft) |
|
.maf |
Access (Microsoft) |
|
.mag |
Access Diagram Shortcut (Microsoft) |
|
.mam |
Access Macro Shortcut (Microsoft) |
|
.maq |
Access Query Shortcut (Microsoft) |
|
.mar |
Access Report Shortcut (Microsoft) |
|
.mas |
Access Stored Procedures (Microsoft) |
|
.mat |
Access Table Shortcut (Microsoft) |
|
.mau |
Media Attachment Unit |
|
.mav |
Access View Shortcut (Microsoft) |
|
.maw |
Access Data Access Page (Microsoft) |
|
.mda |
Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) |
|
.mdb |
Access Application (Microsoft), MDB Access Database (Microsoft) |
|
.mde |
Access MDE Database File (Microsoft) |
|
.mdt |
Access Add-in Data (Microsoft) |
|
.mdw |
Access Workgroup Information (Microsoft) |
|
.mdz |
Access Wizard Template (Microsoft) |
|
.msc |
Microsoft Management Console Snap-in Control File (Microsoft) |
|
.msi |
Windows Installer File (Microsoft) |
|
.msp |
Windows Installer Patch |
|
.mst |
Windows SDK Setup Transform Script |
|
.ops |
Office Profile Settings File |
|
.pcd |
Visual Test (Microsoft) |
|
Portable Document Format (Adobe) |
||
.pif |
Windows Program Information File (Microsoft) |
|
| .pps | Power Point Slide Show (Microsoft) |
|
| .ppt | Power Point Document (Microsoft) |
|
.prf |
Windows System File |
|
.prg |
Program File |
|
.pst |
MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) |
|
| .rar | RAR archives |
|
.reg |
Registration Information/Key for W95/98, Registry Data File |
|
.scf |
Windows Explorer Command |
|
.scr |
Windows Screen Saver |
|
.sct |
Windows Script Component, Foxpro Screen (Microsoft) |
|
.shb |
Windows Shortcut into a Document |
|
.shs |
Shell Scrap Object File |
|
.tmp |
Temporary File/Folder |
|
.url |
Internet Location |
|
.vb |
VBScript File or Any VisualBasic Source |
|
.vbe |
VBScript Encoded Script File |
|
.vbs |
VBScript Script File, Visual Basic for Applications Script |
|
.vsmacros |
Visual Studio .NET Binary-based Macro Project (Microsoft) |
|
.vss |
Visio Stencil (Microsoft) |
|
.vst |
Visio Template (Microsoft) |
|
.vsw |
Visio Workspace File (Microsoft) |
|
.ws |
Windows Script File |
|
.wsc |
Windows Script Component |
|
.wsf |
Windows Script File |
|
.wsh |
Windows Script Host Settings File |
|
| .xls | Excel Document (Microsoft) |
|
| .zip | Zip Archive |
RELATED DOCUMENTS
