Why Aren't Executable Attachments Blocked By Mail Servers?

Posted on Mon Jun 09, 2014 9:40 am

Considering that a very large percentage of malware is still spread via email attachment, why are executable files still allowed to be sent freely through today's mail servers? It makes no sense to me. Probably 99.999998% of sent executable attachments are malicious, and I'm sure the few users who need to legitimately send executables are smart enough to be able to use a container format such as .zip.

Of course forcing executables to be put into a container format will not do away with ALL malware via email attachment, but by creating an extra step before infection, you'd be looking at a SIGNIFICANT reduction.

Can someone with more knowledge than myself explain why this hasn't been done?
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 440
Joined: Sun Apr 06, 2008 4:46 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 10:15 am

The client application is the one executing it, not the server. Servers, however, should have some form of pre-virus scan. Google and Yahoo do this. M$ Exchange has ways of doing it, or so I'm told. However, AV is becoming less effective against emerging threats because of modern techniques used by nay-doers. It will only save you from an established, known trojan/virus with a defined signature.

Another issue is embedded malicious JPG files, and the like, could be loaded by default and could take advantage of a vulnerability. Google now caches these, but for their own monitoring/tracking reasons. However, it does have the benefit of saving people from some deep-linked embedded files.

DOD and NIST have guidelines to prevent things like this by locking down the client. The NIST guide isn't as "go forth and do" as the STIG, so here you go.
http://iase.disa.mil/stigs/app_security ... _auto.html

EDIT: I thought I'd include this for you to look at, too. Good security stuff here. SCAP is a time saver for auditing for configuration weakness like you are asking about.
http://web.nvd.nist.gov/view/ncp/repository
Losergamer04
Gerbil First Class
 
Posts: 178
Joined: Fri Jan 30, 2009 8:01 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 10:23 am

Blocking based on attachment type can be done, and it is done quite frequently. However, people whine about the server being broken when they can't send random junk via email.

In short, people are morons, and they can't be bothered to do things correctly.
Flatland_Spider
Gerbil Elite
 
Posts: 832
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 10:24 am

Losergamer04 wrote: The client application is the one executing it, not the server. Servers, however, should have some form of pre-virus scan. Google and Yahoo do this. M$ Exchange has ways of doing it, or so I'm told. However, AV is becoming less effective against emerging threats because of modern techniques used by nay-doers. It will only save you from an established, known trojan/virus with a defined signature.

I'm not talking about a virus scan, I'm talking about mail servers simply bouncing any message shown to have a raw executable file attached. Webmail apps and standalone clients such as Outlook/Thunderbird could also very easily be made to reject raw executable attachments from being added.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 440
Joined: Sun Apr 06, 2008 4:46 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 10:50 am

Flatland_Spider wrote:Blocking based on attachment type can be done, and it is done quite frequently. However, people whine about the server being broken when they can't send random junk via email.

In short, people are morons, and they can't be bothered to do things correctly.

What he said.

I'm soon leaving a gig where among other things I managed e-mail accounts for 100+ domains, some 1500 e-mail accounts total.

Best that can be done without complaints is a limit on file size, and that's it. The servers obviously have an integrated virus scanner, but outright banning executable files would immediately make my phone ring.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9955
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 11:00 am

So far I've worked at a few corporate institutions. All of them blocked executable attachments. I believe all of them used some features built into Exchange.

I would be able to attach executables to mails no problem. But when I hit send they get blocked by the filters and never get delivered. The system is smart enough to even scan within zip files and reject delivery when it finds executables.
LASR
Gerbil
 
Posts: 58
Joined: Fri Jan 10, 2014 9:35 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 12:09 pm

The Egg wrote:Considering that a very large percentage of malware is still spread via email attachment
Do you have any data to back that statement? Because while I might have agreed with you 10 or 15 years ago, I'd be surprised if that was true today -- precisely because of the measures described in this thread, and because other techniques have emerged (drive-by downloads on websites, sites that try to convince the user to "update" Java or the video codec or the browser itself, etc). Email is just not as important a conduit (for anything, really) as it used to be, and increasingly people are reading their email from devices that couldn't run an x86 executable even if they got one.
UberGerbil
Gerbil Khan
 
Posts: 9976
Joined: Thu Jun 19, 2003 3:11 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 12:41 pm

UberGerbil wrote:
The Egg wrote:Considering that a very large percentage of malware is still spread via email attachment
Do you have any data to back that statement? Because while I might have agreed with you 10 or 15 years ago, I'd be surprised if that was true today -- precisely because of the measures described in this thread, and because other techniques have emerged (drive-by downloads on websites, sites that try to convince the user to "update" Java or the video codec or the browser itself, etc). Email is just not as important a conduit (for anything, really) as it used to be, and increasingly people are reading their email from devices that couldn't run an x86 executable even if they got one.

Off the top of my head, no (nor am I in a position to look it up right now), but I'm sure it's still a significant number which translates to millions (or even billions) in damage from botnets, IT costs, etc.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 440
Joined: Sun Apr 06, 2008 4:46 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 12:49 pm

However, people whine about the server being broken when they can't send random junk via email.

In short, people are morons, and they can't be bothered to do things correctly.


This x 1000

In any large organization non-technical people have the final say and you can only route around them so much.

To be honest, in my world docs and pdfs are not much safer than exes, there is a nice database that gives 4 digit numbers that recycle every year just to track all the problems.

Forcing plain text email and stripping all attachments would be best practice, combined with a managed & monitored portal for file transfers. (in and out) Very very very few places do this at all, let alone correctly.
blah blah blah signature blah blah blah
Bauxite
Gerbil Elite
 
Posts: 609
Joined: Sat Jan 28, 2006 12:10 pm
Location: electrolytic redox smelting plant

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 1:19 pm

UberGerbil wrote:
The Egg wrote:Considering that a very large percentage of malware is still spread via email attachment
Do you have any data to back that statement? Because while I might have agreed with you 10 or 15 years ago, I'd be surprised if that was true today -- precisely because of the measures described in this thread, and because other techniques have emerged (drive-by downloads on websites, sites that try to convince the user to "update" Java or the video codec or the browser itself, etc). Email is just not as important a conduit (for anything, really) as it used to be, and increasingly people are reading their email from devices that couldn't run an x86 executable even if they got one.


Today I think that the number by email is being overtaken by Facebook links.

But there are many things you can filter, and the types it comes in never stop changing.
Older but still out there sources in email that are not so obvious:
Screen Savers .scr
MS Office docs .xls, .doc etc...
PDF documents

I've seen them all go through our mail server that have been viral or malware.
Arvald
Gerbil XP
Silver subscriber
 
 
Posts: 353
Joined: Tue Sep 27, 2011 12:14 pm
Location: Gerbil-land, Canada

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 2:00 pm

Arvald wrote:Today I think that the number by email is being overtaken by Facebook links.


To that I say use NoScript and have prompt-to-run addon or configuration on your browsers. It's how I roll at home. It blocks a lot of "bad things." My wife's computer dropped about 10% CPU load after I got on her case to use it correctly.

Back on topic, the CLIENT side is where the problem lies. Secure the application and educate the users. The second step is more difficult but can be done effectively with enough planning.
Losergamer04
Gerbil First Class
 
Posts: 178
Joined: Fri Jan 30, 2009 8:01 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 4:46 pm

It's the, half wit, completely promiscuous nature of M$'s little joke, they call an OS, that is your problem.
Fuji X-E1 Leica Elmar 135 4 XF60mm 2.4 Macro | Zeiss FE 35mm 2.8
http://carnagepro.com
"Everything ... they eat everything, and fear is their bacon bits."
PenGun
Gerbil Elite
 
Posts: 791
Joined: Fri Jun 18, 2004 1:48 pm
Location: BC Canada

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 6:15 pm

*sigh*
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9955
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 6:56 pm

Is this yet another "I don't find something useful, therefore no one else on the planet Earth should be ever allowed to use that "something" for any practical purpose" thread? :lol:
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1881
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 6:57 pm

I find it mildly annoying having to rename files to .ass whenever exe files fail to transfer.
odizzido
Gerbil
 
Posts: 59
Joined: Fri May 06, 2005 6:10 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 7:00 pm

odizzido wrote:I find it mildly annoying having to rename files to .ass whenever exe files fail to transfer.

In my state gov't world .old works every time assuming the size limit isn't busted.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20220
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 7:43 pm

I think many of you are missing the point. Yes, there are other ways to get malware. Yes, you could take it to the extreme and block everything. No, it wouldn't be foolproof or protect against everything. But it would be very easy to implement, cost virtually nothing, and would be very effective (against this particular malware distribution method). It would also have very little effect on legitimate use.

For instance, even if you were able to get around the filter by renaming to .old or .ass, those aren't filetypes which can be easily/accidentally executed by granny or your average idiot coworker. And that's the point. Those who are smart enough to have any business sending executables will be smart enough to get around it, and those who aren't would be more protected from themselves.

So what's the downside? I would like to see statistics from a large mailserver showing the total number of raw executable files passing through, and then the percentage of those containing malware. It would be so high it's stupid.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 440
Joined: Sun Apr 06, 2008 4:46 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 7:48 pm

We actively block many types of files either through a spam filter or through the Exchange server. If someone needs to send or receive an EXE file, TS go cry to your mamma. In many cases we block zips, pdfs, rar files etc. Once a company gets hit with something like Cryptowall or Cryptolocker they're much more open to locking stuff down.
JMTR
Gerbil
 
Posts: 26
Joined: Thu Jan 01, 2009 3:18 pm
Location: Maryland, USA

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 7:54 pm

The Egg wrote:I think many of you are missing the point.

Actually it's only you who are missing the point.

The Egg wrote:I would like to see statistics from a large mailserver

The statistics are irrelevant. If the few people find it useful to share executables through e-mail, they should be allowed to freely do so by default while using public mail servers, without any retarded file extension changes. If you (or someone else) are afraid of getting infected through that method - you (and others) already have a HUGE variety of ways to prevent that. From setting up appropriate permissions on private (business) mail server to doing the same with particular user's mail client or antimalware program.
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1881
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 8:10 pm

JohnC wrote:
The Egg wrote:I think many of you are missing the point.

Actually it's only you who are missing the point.

The Egg wrote:I would like to see statistics from a large mailserver

The statistics are irrelevant. If the few people find it useful to share executables through e-mail, they should be allowed to freely do so by default, without any retarded file extension changes. If you (or someone else) are afraid of getting infected through that method - you (and others) already have a HUGE variety of ways to prevent that. From setting up appropriate permissions on private (business) mail server to doing the same with particular user's mail client or antimalware program.


They're not irrelevant, and it's not myself I'm trying to protect. You've got hundreds of thousands, if not millions of users becoming infected with malware from email attachments each year. Again, it's not the only method, but they still cost small companies and large corporations likely on the scale of billions. We all in turn pay higher prices, when said corporations raise prices to cover the costs. That's not to mention personal hours lost, granny's picture collection irretrievably lost, and loss of bandwidth due to botnets. All of this because a wee-tiny percentage of people can't be bothered to put their nonsense executable files in a container format.

Yes, I believe raw executable files should be straight-up banned for the greater good.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 440
Joined: Sun Apr 06, 2008 4:46 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 8:38 pm

The Egg wrote:I would like to see statistics from a large mailserver showing the total number of raw executable files passing through, and then the percentage of those containing malware. It would be so high it's stupid.

It is not as high as you think.
Ours is a mid size (under 500 users).
The stats I remember are that 0.1% of the traffic is legit, the rest is flagged as spam, and we don't deliver 99% of that. The remaining 1% of spam goes to an appliance (gotta love the Barracuda) where users have to actively retrieve any flagged messages that were incorrectly flagged.
Since our mail server handles over 10,000 emails a day do the math on the amount of garbage going around.

Now of those very few have attachments other than images.

The largest problem is not the attachments but the embedded links and clickable images that take you to malware serving sites.

We have 2 layers of protection on email and 5 layers on web browsing and the occasional threat still makes it to the desktop.
Usually these last threats are stopped by the company internet security software.

This has cost us hundreds of thousands of dollars over the years to keep our systems clean (appliances and software licensing), and we are not even that large a company.
Arvald
Gerbil XP
Silver subscriber
 
 
Posts: 353
Joined: Tue Sep 27, 2011 12:14 pm
Location: Gerbil-land, Canada

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 8:45 pm

JMTR wrote:We actively block many types of files either through a spam filter or through the Exchange server. If someone needs to send or receive an EXE file, TS go cry to your mamma. In many cases we block zips, pdfs, rar files etc. Once a company gets hit with something like Cryptowall or Cryptolocker they're much more open to locking stuff down.


There is the old trick of renaming a zip file to *._ip or *zi_, or renaming an exe to *.ex_, then sending it as normal. Rename on the other end and you've effectively bypassed the simplest email clients/servers. I'm sure by now there are tools that can ignore the name or file associations and just look at the contents of a file and not attach based on "this is obviously a ZIP file" or "this is obviously an executable" or some such heuristics...but I don't know how many actually employ such a tool.

Cryptolocker is a bad bad bad one, however; and when a company gets hit by that, chances are that they'll come down hard on their own end-users. No administrator accounts and no attachments. A new age is dawning.
BIF
Gerbil Jedi
Gold subscriber
 
 
Posts: 1550
Joined: Tue May 25, 2004 7:41 pm

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 8:57 pm

As someone who runs a mail server for an ISP (Postfix+Amavis+SA+Clam), I can say that yes, executable filtering is one of the first things we do in the filtering process. The tricky thing is defining what exactly an executable is. The executable bit is a filesystem flag/attribute, something that gets set when the attachment is saved from the email, not an attribute of the data in the attachment. So you have to look at file extensions, mime types, and you can even look for headers of PE binaries or common scripting headers. And if you get too zealous, it can filter stuff that you might want to pass through. For instance, you typically want to filter *.dat files, but Office XML files are zip files (you want to unpack the zips to check their contents) that contain .dat files. All in all, it's a tricky business.
yokem55
Gerbil
Silver subscriber
 
 
Posts: 40
Joined: Sun Feb 03, 2002 7:00 pm
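
The checks yokem55 describes above (file extension, leading content bytes, unpacking zips such as Office XML files), which also catch the rename trick BIF mentions, sketched in Python as an added example. It is not part of the original thread or any poster's configuration; the blocklist, size and depth limits, function names and sample message are all assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values for this example; tune them per site.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable", b"#!": "shebang script"}
MAX_ZIP_DEPTH = 2                    # refuse deeply nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to unpack oversized members


def inspect_blob(name, data, depth=0):
    """Return the reasons to reject one attachment (empty list = accept)."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{name}: blocked extension {ext}")
    # The name is sender-controlled, so also look at the leading bytes.
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"{name}: content is {label}")
    if data.startswith(b"PK\x03\x04"):  # zip local-file header
        reasons += inspect_zip(name, data, depth)
    return reasons


def inspect_zip(name, data, depth):
    """Apply the same checks to every member of a zip (including .docx/.xlsx)."""
    if depth >= MAX_ZIP_DEPTH:
        return [f"{name}: archive nested too deeply"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{member}: member too large to inspect")
                    continue
                reasons += inspect_blob(member, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
        reasons.append(f"{name}: archive could not be inspected")
    return reasons


def inspect_message(raw):
    """Parse an RFC 5322 message and inspect each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons += inspect_blob(part.get_filename() or "(unnamed)", data)
    return reasons


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample: renamed executable, clean .docx, zip hiding an .exe."""
    fake_pe = b"MZ" + b"\x00" * 62  # only the magic bytes matter here
    msg = EmailMessage()
    msg.set_content("constructed test message")
    attachments = {
        "invoice.ex_": fake_pe,
        "report.docx": make_zip({"word/document.xml": b"<w:document/>"}),
        "photos.zip": make_zip({"photos/setup.exe": fake_pe}),
    }
    for fname, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling `inspect_message(build_sample())` rejects the renamed `invoice.ex_` on its content and the executable inside `photos.zip` on both name and content, while the `.docx` is unpacked and passes.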

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 9:17 pm

yokem55 is right. It's difficult to do. But, like I said, they are not doing it for the server's benefit (there are other security measures for that). They are doing it for the few idiots out there. He also mentioned that exe is not the only executable type, and he's right. What makes it executable is dependent on the client OS and application.
The Egg wrote:Of course forcing executables to be put into a container format will not do away with ALL malware via email attachment, but by creating an extra step before infection, you'd be looking at a SIGNIFICANT reduction.

Can someone with more knowledge than myself explain why this hasn't been done?

But why are .exe files still allowed? In my case, I'm a Linux guy and exe just doesn't matter to me. Or perhaps it's just not a common enough attack vector these days and it's more of a hindrance than a help. It's really up to the provider and how much of a risk it is for them to allow it.... or they just are too much of a noob to know any better. Egg, is there a big-name company where you are seeing this?
Losergamer04
Gerbil First Class
 
Posts: 178
Joined: Fri Jan 30, 2009 8:01 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Mon Jun 09, 2014 9:19 pm

Many corporate e-mail servers *do* block EXEs and other potentially malicious attachments.

As far as public ISPs go, I suppose I'd be OK with filtering being enabled by default provided the sender and recipient both receive a notification that the e-mail has been blocked. But in general, the Internet is supposed to be a mechanism for moving bits from point A to point B; it isn't supposed to filter things behind your back.

@PenGun - People would probably take you more seriously if you gave up on the tired old "M$" meme. It was moderately amusing (for all of about 5 minutes) when it was new, which was probably somewhere 'round about a decade and a half ago. :roll:
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37677
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Tue Jun 10, 2014 12:31 am

just brew it! wrote:@PenGun - People would probably take you more seriously if you gave up on the tired old "M$" meme. It was moderately amusing (for all of about 5 minutes) when it was new, which was probably somewhere 'round about a decade and a half ago. :roll:

Besides, if a user is dumb enough to click on anything, then social engineering (still by far the most popular attack vector, more than the OP's 99.99whatever% are EXE attachments claim) can still be used to dupe such user to a phishing site and give up all his/her info willingly - regardless of any OS. joke or no joke.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24382
Joined: Mon May 24, 2004 2:19 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Tue Jun 10, 2014 8:51 am

just brew it! wrote:Many corporate e-mail servers *do* block EXEs and other potentially malicious attachments.

Ours blocks EXEs, et cetera and sees through many of the tricks that you use like renaming the files by testing the file for executable code.
Arvald
Gerbil XP
Silver subscriber
 
 
Posts: 353
Joined: Tue Sep 27, 2011 12:14 pm
Location: Gerbil-land, Canada

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Tue Jun 10, 2014 10:22 am

BIF wrote:
JMTR wrote:We actively block many types of files either through a spam filter or through the Exchange server. If someone needs to send or receive an EXE file, TS go cry to your mamma. In many cases we block zips, pdfs, rar files etc. Once a company gets hit with something like Cryptowall or Cryptolocker they're much more open to locking stuff down.


There is the old trick of renaming a zip file to *._ip or *zi_, or renaming an exe to *.ex_, then sending it as normal. Rename on the other end and you've effectively bypassed the simplest email clients/servers. I'm sure by now there are tools that can ignore the name or file associations and just look at the contents of a file and not attach based on "this is obviously a ZIP file" or "this is obviously an executable" or some such heuristics...but I don't know how many actually employ such a tool.

Cryptolocker is a bad bad bad one, however; and when a company gets hit by that, chances are that they'll come down hard on their own end-users. No administrator accounts and no attachments. A new age is dawning.


We had a user get hit by Cryptolocker, or something like it. Fortunately he knew enough to cut power once it started. It still got a lot of the files on his local HDD and started on his mapped network drive. We were able to recover all the network files back by rolling them back to the previous versions, but his local data was gone.
cphite
Gerbil Elite
 
Posts: 556
Joined: Thu Apr 29, 2010 9:28 am

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Tue Jun 10, 2014 2:29 pm

Because mail is fundamentally a Unix thing and *nixes don't care much what you mail. They don't need to.
Fuji X-E1 Leica Elmar 135 4 XF60mm 2.4 Macro | Zeiss FE 35mm 2.8
http://carnagepro.com
"Everything ... they eat everything, and fear is their bacon bits."
PenGun
Gerbil Elite
 
Posts: 791
Joined: Fri Jun 18, 2004 1:48 pm
Location: BC Canada

Re: Why Aren't Executable Attachments Blocked By Mail Server

Posted on Tue Jun 10, 2014 3:50 pm

PenGun wrote:Because mail is fundamentally a Unix thing and *nixes don't care much what you mail. They don't need to.


Which, for those of us that deal with Security, unauthorized disclosure, etc. causes a serious problem. We need systems that care because users don't. Unix is no panacea in that case!
mattshwink
Gerbil
 
Posts: 84
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA
