Blocking Unsafe E-mail Attachments
Background
All e-mail messages that pass through the University of Denver's central mail servers are scanned for viruses. Because viruses and worms passed through e-mail as executable attachments are typically generated automatically and profusely by infected computers, e-mail messages found to contain infected executable attachments are discarded. Non-executable viruses, such as Word macro viruses, do not normally propagate automatically. Non-executable viruses found in mail messages are replaced by warnings before the messages are transmitted to the recipient.
Although this procedure protects against "known" viruses, it's not enough. Because new viruses, Trojan Horses, and other malware are frequently spread by "unsafe" and "risky" attachments to electronic mail, the University of Denver removes unsafe attachments from e-mail passing through its central mail servers and replaces them with messages indicating the unsafe attachments have been removed. In addition, delivery of messages containing risky attachments is delayed long enough to assure that the risky attachments do not contain new viruses. After the delay, these messages are rescanned for viruses.
Unsafe attachments may compromise the security or integrity of the recipient's computer when they are opened by Windows. For example, opening a file with a .exe extension causes it to be executed as a program. If you execute a malicious .exe file, you could damage your computer. The list of file types currently considered unsafe is given below.
Risky attachments may be used to distribute files that compromise the security or integrity of the recipient's computer, but they are not inherently unsafe themselves. For example, a .zip attachment may contain a file with a .exe extension. Although opening the .zip attachment does not execute the .exe program, malware is frequently distributed with instructions to unzip the .zip archive and run the program it contains. The list of file types considered risky is given below.
WARNINGS
Do not open any e-mail attachment unless you:
- Know the sender. Don't accept e-mail "candy" from strangers.
- Confirm that the sender actually sent the attachment. Malicious messages may be disguised as coming from legitimate addresses. Do not open message attachments if you have any reason to suspect the authenticity of the message.
Workarounds
Please review the above warnings before opening any e-mail attachments.
People who need to transmit blocked file types, may do so in several ways:
- Senders can post the file on a website and tell recipients where they can download it. (This is usually the most appropriate method for distributing files to many recipients.)
- Senders can rename the file before attaching it and provide recipients with instructions for changing the file name back to its original value.
Unsafe File Types
Attachments containing the following unsafe file types will be removed from e-mail messages passing through the University of Denver's central mail servers. Currently, this is the same list of attachments that Microsoft blocks with its Outlook 2003 mail client. Because security risks can change rapidly, this list may be modified without notice.
Extension |
File type |
.ade |
Access Project Extension (Microsoft) |
.adp |
Access Project (Microsoft) |
.app |
Executable Application |
.asp |
Active Server Page |
.bas |
BASIC Source Code |
.bat |
Batch Processing |
.cer |
Internet Security Certificate File |
.chm |
Compiled HTML Help |
.cmd |
DOS CP/M Command File, Command File for Windows NT |
.com |
Command |
.cpl |
Windows Control Panel Extension (Microsoft) |
.crt |
Certificate File |
.csh |
csh Script |
.exe |
Executable File |
.fxp |
FoxPro Compiled Source (Microsoft) |
.hlp |
Windows Help File |
.hta |
Hypertext Application |
.inf |
Information or Setup File |
.ins |
IIS Internet Communications Settings (Microsoft) |
.isp |
IIS Internet Service Provider Settings (Microsoft) |
.its |
Internet Document Set, Internation Translation |
.js |
JavaScript Source Code |
.jse |
JScript Encoded Script File |
.ksh |
UNIX Shell Script |
.lnk |
Windows Shortcut File |
.mad |
Access Module Shortcut (Microsoft) |
.maf |
Access (Microsoft) |
.mag |
Access Diagram Shortcut (Microsoft) |
.mam |
Access Macro Shortcut (Microsoft) |
.maq |
Access Query Shortcut (Microsoft) |
.mar |
Access Report Shortcut (Microsoft) |
.mas |
Access Stored Procedures (Microsoft) |
.mat |
Access Table Shortcut (Microsoft) |
.mau |
Media Attachment Unit |
.mav |
Access View Shortcut (Microsoft) |
.maw |
Access Data Access Page (Microsoft) |
.mda |
Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) |
.mdb |
Access Application (Microsoft), MDB Access Database (Microsoft) |
.mde |
Access MDE Database File (Microsoft) |
.mdt |
Access Add-in Data (Microsoft) |
.mdw |
Access Workgroup Information (Microsoft) |
.mdz |
Access Wizard Template (Microsoft) |
.msc |
Microsoft Management Console Snap-in Control File (Microsoft) |
.msi |
Windows Installer File (Microsoft) |
.msp |
Windows Installer Patch |
.mst |
Windows SDK Setup Transform Script |
.ops |
Office Profile Settings File |
.pcd |
Visual Test (Microsoft) |
.pif |
Windows Program Information File (Microsoft) |
.prf |
Windows System File |
.prg |
Program File |
.pst |
MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) |
.reg |
Registration Information/Key for W95/98, Registry Data File |
.scf |
Windows Explorer Command |
.scr |
Windows Screen Saver |
.sct |
Windows Script Component, Foxpro Screen (Microsoft) |
.shb |
Windows Shortcut into a Document |
.shs |
Shell Scrap Object File |
.tmp |
Temporary File/Folder |
.url |
Internet Location |
.vb |
VBScript File or Any VisualBasic Source |
.vbe |
VBScript Encoded Script File |
.vbs |
VBScript Script File, Visual Basic for Applications Script |
.vsmacros |
Visual Studio .NET Binary-based Macro Project (Microsoft) |
.vss |
Visio Stencil (Microsoft) |
.vst |
Visio Template (Microsoft) |
.vsw |
Visio Workspace File (Microsoft) |
.ws |
Windows Script File |
.wsc |
Windows Script Component |
.wsf |
Windows Script File |
.wsh |
Windows Script Host Settings File |
Risky File Types
File types designed for compessing and archiving are risky because they can be used to distribute unsafe file types. For example, a message distributed with a .zip attachment might contain instructions for extracting a .exe file from the .zip archive and executing it. Often enough people are fooled by such instructions to make this an effective way to distribute computer viruses and other malware.
Currently, the following file types are considered risky:
Extension |
File type |
.rar |
RAR archives |
.zip |
Zip archives |
The University of Denver's e-mail servers use the following rules to deal with risky file types:
- Encrypted attachments are removed and replaced by a warning message. (Encrypting risky attachments is sometimes used to prevent messages from being scanned for viruses.)
- Unencrypted attachments are scanned for viruses. If executable viruses are found, messages are discarded. Otherwise offending attachments are removed and replaced by a warning message.
- If attachments contain no viruses, messages are sidelined for 4 hours and then scanned again. (The delay is intended to prevent viruses from being distributed before virus signatures are available.) If executable viruses are found in the second scan, messages are discarded. Otherwise, offending attachments are removed and replaced by warning messages. If no viruses are found in the second scan, the messages are passed on unchanged.
Related Documents