Does anyone know if there is some way to filter email attachments on a server that is a little harder to get past than simply renaming the file extension? I have people that rename file.exe to file.bob and my filter does not block this file. I know you can scan attachments for viruses, but I want to know if there is a way to have the server further investigate the file to find the extension. Any ideas?
ASKED: June 29, 2006 11:55 PM
UPDATED: July 4, 2006 3:46 AM
Hi skepticals,
You didn’t provide any information about the mail server you are using, so it’s impossible to provide any “ready for use” solutions, but just some ideas/hacks.
E.g., if you are using sendmail + procmail on Unix/Linux, you can put a recipe in the system-wide procmailrc which will extract attachments with non-executable extensions and test them (using the “file” command – it doesn’t rely on the extension). This will put additional load on the server, so it’s not a good idea to use this hack on a busy mail server.
BR and good luck,
Petko
This is just an idea, look for some software that uses fingerprints.
Sorry if I didn’t make myself clear. I am looking for any type of server/software that can filter more in depth than the file extension. Anyone know of anything?
Unix systems generally include a tool named “file” which identifies the file type of the given file by inspecting the contents for unique identifiers. These identifiers are known as “magic numbers”. Its output looks like this:
andrew@sauron:~$ file hiddenexe
hiddenexe: PE executable for MS Windows (GUI) Intel 80386 32-bit, RAR self-extracting archive
andrew@sauron:~$ file justtext
justtext: ASCII English text
andrew@sauron:~$ file pythonscript
pythonscript: a /usr/bin/python script text executable
You can obtain a package of GNU Unix utilities compiled for Windows from http://gnuwin32.sourceforge.net/ which includes “file”. A mail filter which uses file is XamimeLT:
http://pldaniels.com/xamimelt/
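To show what the “magic number” check Andrew describes (and the procmail + “file” hack Petko suggested earlier) looks like when done in-process on a mail server, here is a small scanner written as an added example; it is not code from any poster, from XamimeLT or from any product named in this thread. It parses a message with Python’s standard email library, identifies each attachment by its leading bytes regardless of the declared extension (including the PE check: an MZ stub whose e_lfanew field points at a “PE\0\0” signature), descends into ZIP attachments, and returns a deliver/quarantine verdict. The signature table, the fake PE blob and the sample message are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_BYTES = 1024 * 1024  # cap on how much of a nested archive member is inspected

# Content signatures checked at offset 0. MZ, ELF, ZIP and "#!" are the
# well-known leading bytes "file" also keys on; this short table is
# constructed for the example and is not a full magic database.
SIGNATURES = [
    (b"MZ", "DOS MZ executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"#!", "script with interpreter line"),
]


def is_pe(data: bytes) -> bool:
    """True if the blob is a Windows PE image: an MZ stub plus a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (bytes 0x3c..0x3f)."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    off = int.from_bytes(data[0x3c:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Name the file type from its content alone; the filename is never consulted."""
    if is_pe(data):
        return "PE executable for MS Windows"
    for sig, label in SIGNATURES:
        if data.startswith(sig):
            return label
    return "other"


def is_executable(data: bytes) -> bool:
    """Policy decision: MZ/PE images, ELF binaries and interpreter scripts count."""
    return data.startswith((b"MZ", b"\x7fELF", b"#!"))


def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return (name, detected_type, executable) for this blob and, if it is a
    ZIP, for every member inside it (at most two levels of nesting)."""
    kind = identify(data)
    findings = [(name, kind, is_executable(data))]
    if kind == "ZIP archive" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as fh:
                        inner = fh.read(MAX_BYTES)
                    findings.extend(scan_blob(f"{name}/{info.filename}", inner, depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt ZIP archive", False))
    return findings


def scan_message(raw: bytes) -> list:
    """Scan every named attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or filename is None:
            continue
        findings.extend(scan_blob(filename, part.get_payload(decode=True)))
    return findings


def verdict(raw: bytes) -> str:
    """'quarantine' if any attachment (or archive member) is executable by content."""
    return "quarantine" if any(exe for _, _, exe in scan_message(raw)) else "deliver"


def fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: an MZ header whose
    e_lfanew points at 0x40, where a PE signature sits. Not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    hdr[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_message() -> bytes:
    """Constructed test message: a PE renamed to .bob, a genuine text file,
    and a ZIP carrying another PE under a .dat name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "renamed attachment test"
    msg.set_content("See attached.")
    msg.add_attachment(fake_pe(), maintype="application", subtype="octet-stream", filename="file.bob")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.dat", fake_pe())
        zf.writestr("readme.txt", "hello")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return bytes(msg)


if __name__ == "__main__":
    raw = build_sample_message()
    for name, kind, exe in scan_message(raw):
        print(f"{'BLOCK' if exe else 'ok   '} {name}: {kind}")
    print(verdict(raw))
```

Run as a script it lists each attachment with the type detected from content and prints “quarantine”, because file.bob and archive.zip/inner.dat are PE images whatever their names say. The same scan_message() could sit behind a procmail recipe or a milter; the depth and size caps are there so a nested or oversized archive cannot tie up the server, which is the load concern Petko raised.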
CipherTrust’s IronMail does a pretty good job at looking at multiple extensions as well as renamed files. We have two in a load balanced scenario for SPAM, AV, quarantine, etc…
Sunbelt messaging Ninja has exactly the feature u r looking for.
http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm
We are also using GFi Mailsecurity; it inspects the attachments to see what they are. Renaming the file won’t fool the system. It will even extract compressed files (e.g. ZIP) to check the files inside the ZIP. Once it has detected what kind of file it is, you can define policies to determine what to do with it (remove from mail/remove entire mail/manually admin approve/etc.)