Attachment Removal
- Why does SLAC Remove Attachments from E-mail?
SLAC's gateways scan e-mails for files which are executable or contain viruses, and when found, those files are stripped to protect SLAC's internal systems and users from malicious content. We had to start doing this because the virus/worm creators got clever enough to trick people into opening the attachments without really thinking about it. Also, sometimes we start getting infected attachments before the virus signature files have been updated. This file stripping has saved SLAC from infections on multiple occasions.
SLAC users who need to share executable files should use the file systems (Windows or Unix) instead of e-mail.
In addition to the security reasons above, we need to try to restrict the unnecessary growth of your mailboxes due to attachments.
- How is it done?
After stripping the original attachment, SLAC's e-mail system forwards the original e-mail (with the content replaced with a text file) to the intended recipient, so that they can evaluate whether they need to request the original content, either from Mail-Admin or from the original sender. We have found that only the intended recipient can determine whether the e-mail was legitimate or was instead intended to be malicious.
If you request an attachment from Mail-Admin, it will be scanned, and if no infection is found or suspected, it will be placed in either the Unix or Windows file system, and you will be notified where to pick it up.
- What is stripped?
The three tables below list what we strip: by file type, by filename, and by subject. These lists could be somewhat out of date, as we don't always remember to update this web page when updating the e-mail gateway rules.

| File type | Reason | Date Added |
|---|---|---|
| *.???.exe | The *.???.* style entries match against the "double extension" that some viruses use to trick users. | Before 2007 |
| *.???.lnk | The *.???.* style entries match against the "double extension" that some viruses use to trick users. | Before 2007 |
| *.???.pif | The *.???.* style entries match against the "double extension" that some viruses use to trick users. | Before 2007 |
| {* | ntsecurity.net warning | 05/02/02 |
| ade | Microsoft Level 1 "unsafe" | 08/06/01 |
| adp | Microsoft Level 1 "unsafe" | 08/06/01 |
| app | Microsoft Level 1 "unsafe" | 07/28/03 |
| bas | Microsoft Level 1 "unsafe" | 08/06/01 |
| bat | Microsoft Level 1 "unsafe" | 08/06/01 |
| chm | Microsoft Level 1 "unsafe" | 08/06/01 |
| cla | | Before 2007 |
| class | | Before 2007 |
| cmd | Microsoft Level 1 "unsafe" | 08/06/01 |
| com | Microsoft Level 1 "unsafe" | 08/06/01 |
| cpl | Microsoft Level 1 "unsafe" | 08/06/01 |
| crt | Microsoft Level 1 "unsafe" | 08/06/01 |
| csh | Microsoft Level 1 "unsafe" | 07/28/03 |
| dbp | Visual Studio exploit - no patch available | 03/06/06 |
| exe | Microsoft Level 1 "unsafe" | 08/06/01 |
| fxp | Microsoft Level 1 "unsafe" | 07/28/03 |
| hlp | Microsoft Level 1 "unsafe" | 08/06/01 |
| hta | Microsoft Level 1 "unsafe" | 08/06/01 |
| inf | Microsoft Level 1 "unsafe" | 08/06/01 |
| ins | Microsoft Level 1 "unsafe" | 08/06/01 |
| isp | Microsoft Level 1 "unsafe" | 08/06/01 |
| js | Microsoft Level 1 "unsafe" | 08/06/01 |
| jse | Microsoft Level 1 "unsafe" | 08/06/01 |
| ksh | Microsoft Level 1 "unsafe" | 07/28/03 |
| lnk | Microsoft Level 1 "unsafe" | 08/06/01 |
| mdb | Microsoft Level 1 "unsafe" | 08/06/01 |
| mde | Microsoft Level 1 "unsafe" | 08/06/01 |
| mdt | Microsoft Level 1 "unsafe" | 07/28/03 |
| mdw | Microsoft Level 1 "unsafe" | 07/28/03 |
| mid | SANS.org warning | 07/28/03 |
| msc | Microsoft Level 1 "unsafe" | 08/06/01 |
| msi | Microsoft Level 1 "unsafe" | 08/06/01 |
| msp | Microsoft Level 1 "unsafe" | 08/06/01 |
| mst | Microsoft Level 1 "unsafe" | 08/06/01 |
| nws | Badtrans worm | 11/25/01 |
| ocx | | Before 2007 |
| ops | Microsoft Level 1 "unsafe" | 07/28/03 |
| pcd | Microsoft Level 1 "unsafe" | 08/06/01 |
| pi | W32/Palyh virus | 05/21/03 |
| pif | Microsoft Level 1 "unsafe" | 08/06/01 |
| prg | Microsoft Level 1 "unsafe" | 07/28/03 |
| rar | Symantec AV buffer overflow | 12/21/05 |
| reg | Microsoft Level 1 "unsafe" | 08/06/01 |
| scr | Microsoft Level 1 "unsafe" | 08/06/01 |
| sct | Microsoft Level 1 "unsafe" | 08/06/01 |
| shb | Microsoft Level 1 "unsafe" | 08/06/01 |
| shs | Microsoft Level 1 "unsafe" | 08/06/01 |
| sln | Visual Studio exploit - no patch available | 03/06/06 |
| url | Microsoft Level 1 "unsafe" | 08/06/01 |
| vb | Microsoft Level 1 "unsafe" | 08/06/01 |
| vbe | Microsoft Level 1 "unsafe" | 08/06/01 |
| vbs | Microsoft Level 1 "unsafe" | 08/06/01 |
| wmf | WMF vulnerability - 6/10/09 Update: not stripping via Antigen for Exchange since Office 2007 uses lots of WMF files | 12/28/05 |
| wri | DOE CIRC Warning (RT #162237) | 02/27/09 |
| wsc | Microsoft Level 1 "unsafe" | 08/06/01 |
| wsf | Microsoft Level 1 "unsafe" | 08/06/01 |
| wsh | Microsoft Level 1 "unsafe" | 08/06/01 |

| Filename | Reason | Date Added |
|---|---|---|
| badass* | Badass worm | early 2001 |
| cokegift* | Joke.geschenk | early 2001 |
| garry.zip | Bagle worm | 7/21/04 |
| happynewyear.jpg | WMF vulnerability | 12/28/05 |
| message.zip | worm | 08/01/03 |
| monopoly* | Monopoly virus | early 2001 |
| photos.zip | Mimail worm | 11/03/03 |
| prettypark* | PrettyPark worm | early 2001 |
| readnow.zip | Mimail worm | 11/03/03 |
| ska.* | Happy99 worm | early 2001 |
| zipped_files* | ExploreZip worm | early 2001 |

| Subject | Reason | Date Added |
|---|---|---|
| BubbleBoy is back! | Bubbleboy virus | early 2001 |
| Choose Your Poison | Sonic worm | early 2001 |
| new photos from my party! | Myparty virus | 01/28/02 |
| Paid Survey Offer | CIAC warning | 03/15/01 |
| *you have an E-Card from* | Friendgreet worm | 10/28/02 |
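
The stripping step and the three rule tables can be sketched as follows. This is an added example, not SLAC's gateway code: it copies only a handful of rules from the tables, and the case-insensitive matching, the notice wording and the `removed-attachment.txt` name are assumptions.

```python
from email.message import EmailMessage
from fnmatch import fnmatchcase

# A few rules copied from the tables above (not the full lists).
BLOCKED_EXTENSIONS = {"exe", "pif", "lnk", "scr", "vbs", "js", "bat", "chm"}
DOUBLE_EXT_GLOBS = ["*.???.exe", "*.???.lnk", "*.???.pif"]
FILENAME_GLOBS = ["prettypark*", "ska.*", "photos.zip", "zipped_files*"]
SUBJECT_GLOBS = ["new photos from my party!", "*you have an e-card from*"]

def strip_reason(filename):
    """Return the rule that blocks this attachment name, or None."""
    name = filename.strip().lower()  # assumption: rules match case-insensitively
    for glob in DOUBLE_EXT_GLOBS + FILENAME_GLOBS:
        if fnmatchcase(name, glob):
            return f"filename rule {glob}"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return f"file type {ext}" if ext in BLOCKED_EXTENSIONS else None

def subject_flagged(subject):
    """True when the Subject header matches one of the subject rules."""
    return any(fnmatchcase((subject or "").lower(), g) for g in SUBJECT_GLOBS)

def strip_attachments(msg):
    """Swap each blocked attachment for a text notice; return what was removed."""
    removed = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        reason = strip_reason(filename)
        if reason:
            notice = (f"The attachment {filename!r} was removed ({reason}).\n"
                      "Ask Mail-Admin or the sender if you need the original.\n")
            # set_content() clears the old payload and Content-* headers first.
            part.set_content(notice, filename="removed-attachment.txt")
            removed.append((filename, reason))
    return removed

def sample_message():
    """Constructed test message: one double-extension file, one harmless file."""
    msg = EmailMessage()
    msg["Subject"] = "quarterly numbers"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="report.doc.exe")
    msg.add_attachment("a,b\n1,2\n", subtype="csv", filename="data.csv")
    return msg

if __name__ == "__main__":
    message = sample_message()
    print(strip_attachments(message))
    print([p.get_filename() for p in message.iter_attachments()])
```

These rules look only at the declared filename and subject, so a renamed file passes them; the virus scanning described at the top of the page is a separate check.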