OT? - Blocking attachments

OT? - Blocking attachments

John Allen

This may not be a Postfix problem, but bearing in mind the recent events this forum may have some good ideas.

After the recent ransomware attacks we are considering the idea of blocking all attachments.  I am not sure of the best way of doing this, but several ideas have been put forward:

  1. block all email with attachments - a little too drastic for some as there are legit reasons for attachments.
     block all email that is in any format that can hide executable code.
  2. rename attachments so that they will not/cannot be executed/run by just opening them.
  3. only allow email with attachments from a preauthorized list of senders. I am not sure that this would be effective as sender addresses are (I believe) easily spoofed.
  4. email with attachments is diverted to a recipient for examination. If cleared it could then be forwarded to the original addressee. A lot of work for someone.
  5. a variation on 2. The sender has to ask the recipient for permission to send an attachment. The recipient then adds the sender to a list; the recipient will be automagically removed from the list after a period of time.


I am not keen on any of these. But as I have to come up with a recommendation I think I would go with 1. If you want to send us something then put it in "drop box" and tell us about it. My second choice would be 5 + 2.

Another idea is that attachments are diverted and held for a period, after which they would automatically be sent on as "normal". If there is something going on then the automatic forwarding would be suspended.

Are any of these doable, and if so, where can I find suggestions on how to implement them?

JohnA
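
A Postfix-native first cut at idea 1 (reject mail carrying an attachment with an executable file name, before it is queued) is a mime_header_checks table. This is an added example, not something posted in the thread; the table path and the extension list are assumptions, so trim the list to what your users actually need to receive:

```conf
# main.cf  (lookup-table path is an assumption)
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

# /etc/postfix/mime_header_checks.pcre
# Applied by cleanup(8) to the MIME headers of every part, nested parts
# included.  The pattern matches the filename=/name= parameter on both
# Content-Disposition and Content-Type.  Only the last extension is
# tested, so a double extension such as "invoice.pdf.exe" still matches.
# The extension list below is an assumption, not a recommendation.
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|wsh|hta|cpl|jar|msi|ps1|lnk|dll))"?\s*$/ REJECT Attachment "$2" has a blocked file type (.$3)
```

Reload with `postfix reload` after editing main.cf (pcre tables are read at cleanup start, so no postmap is needed). For mail received over SMTP the REJECT becomes an SMTP-time rejection, which is the cheapest outcome for you; for mail injected locally via sendmail(1) it turns into a bounce. Replacing REJECT with HOLD parks the message in the hold queue for review with `postsuper -H` / `postsuper -d`, which is roughly the divert-and-examine idea, but Postfix will not release held mail on a timer by itself. Note what this does not cover: header_checks apply to every message that passes cleanup, outbound included, unless the submission service sets `receive_override_options = no_header_body_checks` or uses its own cleanup service; the pattern sees only what is literally in the header, so RFC 2231 encoded parameters (`filename*=`) and file names that do not end in a listed extension are not caught; and nothing is looked at inside archives. Anything beyond file-name matching needs a content filter or milter.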




Re: OT? - Blocking attachments

Michael Ströder
john wrote:
>  1. block all email with attachments - a little too drastic for some as there are legit
>     reasons for attachments.
>     block all email that is in any format that can hide executable code.

IMO this won't work.

> 2. rename attachments so that they will not/cannot be executed/run by just opening
>    them.

MIME type sniffing implemented in file viewers?

> 3. only allow email with attachments from a preauthorized list of senders. I am not
>    sure that this would be effective as sender addresses are (i believe) easily
>    spoofed.

Spammers use people's address books and even reuse messages found in the "Sent" folder.

> 4. email with attachments are diverted to a recipient for examination. If cleared
>    they could then be forwarded to the original addressee. At lot of work for someone.

The most promising solution but huge amount of work if done right.

> 5. a variation on 2. sender has to asks the recipient for permission to send
>    attachment. Recipient then adds sender to list, recipient will be automagically
>    removed from list after a period of time.

I can't imagine how this should work. Some of my customers have security guidelines with
which they try to enforce the use of an out-of-band file sharing service. Most times this is
pretty cumbersome and error-prone.

A variant of 4. could be to put messages with attachments in a sandboxed mailbox and only
provide hardened web access to the message where the user can approve the message. Well,
depending on your user base 99% of them just hit [OK]. In a known emergency case you
could disable approving messages completely, though.

> I am not keen on any of these.

I think we all agree that any such strategy will open a can of worms and might not even
be feasible at all.

> Another idea is that attachments are diverted and held for a period, after which they
> would automatically be sent on as "normal". If there is something going on then
> the automatic forwarding would be suspended.

Also keep in mind that some people might digitally sign e-mails including attachments. So
you have to keep message signature intact.

Ciao, Michael.



Re: OT? - Blocking attachments

Kevin A. McGrail
In reply to this post by John Allen
On 5/14/2017 7:22 AM, john wrote:
>
> This may not be a Postfix problem, but bearing in mind the recent
> events this forum may have some good ideas.
>
> After the recent ransomware attacks we are considering the idea of
> blocking all attachments.  I am not sure of the best way of doing
> this, but several ideas have been put forward:
>
I am a consistent fan of milter logic, especially MIMEDefang to solve
these issues.  It allows you the logic of perl combined with Postfix
where you can use a variety of solutions that fit the issue:  regex to
block, database connections for allowed senders, system calls to av
software, attachment renaming, attachment removal/quarantine, etc.

Though realize that the Windows Defender Bug last week or so was a big
deal because all you had to do was receive the file.  The scanner then
scanned the specially crafted file and bam: You were compromised without
even opening the email.  So that throws a wrench in some of your scenarios.

Anyway, I suggest if you are interested, take a look at mimedefang and
join the mimedefang mailing list.  The bad_filename would be the first
concept to look at and I'm typically happy to share my tricks open
source.  Just inappropes to keep bombarding postfix list with
non-postfix stuff though I agree it's on the fringe.

Regards,
KAM

Re: OT? - Blocking attachments

Bastian Blank-3
In reply to this post by John Allen
On Sun, May 14, 2017 at 07:22:14AM -0400, john wrote:
> This may not be a Postfix problem, but bearing in mind the recent
> events this forum may have some good ideas.

No, it isn't.

> After the recent ransomware attacks we are considering the idea of
> blocking all attachments.  I am not sure of the best way of doing
> this, but several ideas have been put forward:

The first question would be: why do you have systems that can run
Windows PE binaries?

> 1. block all email with attachments - a little too drastic for some as
>    there are legit reasons for attachments.
>    block all email that is in any format that can hide executable code.

What is an attachment?  There is no real difference between this text
and an image in how it is transported.

> 2. rename attachments so that they will not/cannot be executed/run by
>    just opening them.

Opening does not execute something.  Apart from Windows you need to set
some executable permission.

Bastian

--
A little suffering is good for the soul.
                -- Kirk, "The Corbomite Maneuver", stardate 1514.0

Re: OT? - Blocking attachments

Bill Cole-3
In reply to this post by Kevin A. McGrail
On 14 May 2017, at 7:43, Kevin A. McGrail wrote:

> On 5/14/2017 7:22 AM, john wrote:
>>
>> This may not be a Postfix problem, but bearing in mind the recent
>> events this forum may have some good ideas.
>>
>> After the recent ransomware attacks we are considering the idea of
>> blocking all attachments.  I am not sure of the best way of doing
>> this, but several ideas have been put forward:
>>
> I am a consistent fan of milter logic, especially MIMEDefang to solve
> these issues.

+1

If you want versatile, nuanced, precise, and accurate attachment
handling, there is no better tool than MIMEDefang.

Re: OT? - Blocking attachments

Viktor Dukhovni

> On May 15, 2017, at 12:26 AM, Bill Cole <[hidden email]> wrote:
>
> If you want versatile, nuanced, precise, and accurate attachment handling, there is no
> better tool than MIMEDefang.

The MIME normalizer I wrote in my early days as Morgan Stanley postmaster, just before
Y2K New Years, was tasked with removing most "attachments" from email; attachments were
replaced with a bit of text informing the user what was removed.  (Never released to
the public).

It later evolved to be able to selectively remove Zip files from email based on the
content inside the Zip file and the profile of the recipient.  Preemptive removal
of high-risk content that most users have no reason to receive is a fine defensive
strategy.

--
        Viktor.
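
The kind of normalizer described in this post (strip high-risk parts, leave a placeholder saying what was removed, look inside zip files) and the bad_filename idea from Kevin's MIMEDefang post can be sketched in a few dozen lines of Python on top of the standard library's email package. This is an added example, not the Morgan Stanley tool, not MIMEDefang's Perl filter and not anything posted in the thread; the risky-extension list, the PE-header and zip heuristics, the placeholder wording and the sample message are all constructed here. It is deliberately conservative: any extension anywhere in the name counts, an `MZ` header is rejected whatever the name says, and a zip that cannot be opened is removed rather than passed through.

```python
"""Minimal MIME normalizer: strip high-risk attachments, leave a placeholder.

Added example, not code from the thread or from MIMEDefang.  The risk list,
the MZ/zip heuristics and the sample message are all constructed here.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed deny-list: extensions a typical user has no reason to receive.
RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
             "wsf", "wsh", "hta", "cpl", "jar", "msi", "ps1", "lnk", "dll"}
PLACEHOLDER = "[attachment removed by mail gateway: {name} ({reason})]"


def risky_name(name):
    """True if any extension in the name (so 'invoice.pdf.exe' too) is risky."""
    parts = name.lower().strip().split(".")
    return any(p.strip() in RISKY_EXT for p in parts[1:])


def zip_risky_members(data):
    """Names of risky members inside a zip, or None if the archive is unreadable.

    Member names are readable even in password-protected zips; nested
    archives are not recursed into.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return [n for n in names if risky_name(n.rsplit("/", 1)[-1])]


def classify(filename, payload):
    """Return a removal reason for an attachment, or None to keep it."""
    name = filename or ""
    if risky_name(name):
        return "executable file name"
    if payload[:2] == b"MZ":            # PE header: renaming does not defeat this
        return "PE header regardless of name"
    if name.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
        bad = zip_risky_members(payload)
        if bad is None:
            return "unreadable zip archive"
        if bad:
            return "zip contains " + ", ".join(bad)
    return None


def normalize(raw):
    """Return (normalized message bytes, list of removal notes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        filename = part.get_filename()   # also honours Content-Type name= and RFC 2231
        if filename is None and not part.is_attachment():
            continue                     # ordinary text/html body, not an attachment
        payload = part.get_payload(decode=True) or b""
        reason = classify(filename, payload)
        if reason is None:
            continue
        removed.append(f"{filename}: {reason}")
        part.clear_content()             # drops payload and all Content-* headers
        part.set_content(PLACEHOLDER.format(name=filename, reason=reason))
        del part["MIME-Version"]         # set_content adds it; not wanted on a subpart
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of the parts that still carry one (before or after normalizing)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: one benign PDF, one double-extension PE, one zip."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed, not a real PE", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("invoice.js", "// constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    out, notes = normalize(build_sample())
    print("\n".join(notes))
    print(attachment_names(out))
```

On the sample message only `invoice.pdf` survives; the double-extension file and the zip carrying a `.js` are each replaced by a text/plain part. Because the body is rewritten, any S/MIME or DKIM signature over it no longer verifies, which is the signature caveat raised earlier in the thread; a gateway that does this must either do it before DKIM signing on the outbound side or accept that inbound signatures are broken for modified messages. Keep the `MZ` check even though the name check exists: it is the cheap answer to a viewer that sniffs content and ignores the renamed extension.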


Re: OT? - Blocking attachments

Paolo Barbato
+1
On 15 May 2017, at 06:32, Viktor Dukhovni <[hidden email]> wrote:

> On May 15, 2017, at 12:26 AM, Bill Cole <[hidden email]> wrote:
>
>> If you want versatile, nuanced, precise, and accurate attachment handling, there is no
>> better tool than MIMEDefang.
>
> The MIME normalizer I wrote in my early days as Morgan Stanley postmaster, just before
> Y2K New Years, was tasked with removing most "attachments" from email; attachments were
> replaced with a bit of text informing the user what was removed.  (Never released to
> the public).
>
> It later evolved to be able to selectively remove Zip files from email based on the
> content inside the Zip file and the profile of the recipient.  Preemptive removal
> of high-risk content that most users have no reason to receive is a fine defensive
> strategy.
>
> --
> Viktor.


------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX
corso Stati Uniti, 4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
