Enhancing E-Mail Security With Procmail


Traducción española por Julio Calvo <juliohcalvo at hotmail.com>
Traduction française par <benoit.des.ligneris at physique.usherb.ca>
Deutschsprachige Übersetzung von Markus Breitenbach <procm at markus-breitenbach.de>
Chinese translations in big5 and gb2312 by Fengting Shen

If you've followed a link in a SECURITY WARNING message and you ended up here, you're probably wondering what's going on.

Briefly, the email administrator of the site that sent the warning message to you has put in place certain security policies regarding the types of email attachments they are willing to accept, and is rejecting attachments that they consider hazardous. If you look at the estimated cost to business of cleaning up from Microsoft Outlook email worms you can understand why they've done so: $8 billion in just the first half of 2001 (from an article on the CNNfn website in early August, 2001).

Please note: the presence of a link to this page in an email message does not imply that attachments on that email message are safe to open.

"But I didn't send any such message!" you say. You didn't, and you're not being accused of doing so - the notice is a warning that your computer may have a problem. There are two possibilities:

First, that your computer has been infected with one of these Microsoft email worms, and it is attacking others without your knowledge. The worm program is impersonating you in the hopes that people who know you will trust email messages that appear to be from you, and thus will infect themselves when they open the attachment that "you" sent to them.

Second, that the computer of someone you correspond with has been infected with one of these Microsoft email worms, and the worm has chosen your email address at random out of the local address book to use as the "From" address in its attacks on others in an attempt to hide the true origin of those attacks. This leads to notifications that are obviously wrong, such as a Mac or Linux user receiving warnings that they sent someone a Microsoft Outlook email worm.

To protect yourself against future attacks, install antivirus software (Symantec's Norton AntiVirus is good) and keep the virus signatures up-to-date. Also, make sure your antivirus software is not excluding any files from its scan. You may also want to suggest this to people you correspond with, so that their computer does not become infected and start attacking others in your name.

If you ever receive an email that claims to carry an operating system or application program update or antivirus tool in its attachment, DO NOT trust the attachment. Software vendors never distribute patches and updates via email, though they will announce them that way. If you ever receive an email that says "I had a virus, here's a copy of the cleanup tool", or "here's a program that will immunize your computer", DO NOT trust the attachment. This is just the sort of thing a self-propagating email worm will say to you to gain your trust long enough for you to run the attachment and infect yourself.

"Why can't I open my attachments?" you ask. Well, if the name of the attachment has the word "DEFANGED" in it, then your email administrator is enforcing a security policy to protect you from these attacks. The content of the attachment has not been altered in any way. The only thing that has happened is that the name of the attachment has been mangled to prevent you reflexively double-clicking on it to open it.

That is how these worms spread. They rely on the Double-Click Reflex that using a GUI gives you. "Hey! An attachment! {click-click}" If you stop to think first, you may realize that this message was from a total stranger who has no good reason to be sending you a file. That's one reason the filename is mangled - to force you to stop and think about whether you should double-click on the file.

The second reason is, if you do have antivirus software installed, the act of saving the attachment to your disk gives your antivirus software a chance to scan it for viruses. If you open it directly from within your mail program, this may not happen.

The third reason is that Microsoft, in their infinite wisdom, decided you don't actually need to see all of the attachment's filename. Windows has an option called "hide known filename extensions," and it is turned on by default. The person attacking you takes advantage of this by naming the attachment something like THISISAWORM.TXT.EXE, which Windows displays as THISISAWORM.TXT. Many people will assume that is safe since the displayed name ends in .TXT, but the actual filename (which Windows is helpfully hiding from you) ends in .EXE, so when you double-click it you don't get Notepad. Instead, you get infected, and the worm immediately starts attacking others.

One major thing you can do to help protect yourself is to turn off the hiding of the full filename. Open up My Computer, click on View -> Folder Options, select the View tab, and uncheck the "hide file extensions for known file types" checkbox.

Mangling the extension turns it into one that Windows does not recognize, so the full file name appears, and receiving a file attachment named THISISAWORM.TXT.12345DEFANGED-EXE should set off alarm bells in your head.

Sometimes legitimate attachments will have their names mangled - for example, THISISNOTAWORM.ETC.12345DEFANGED-DOC may be a perfectly safe document file.

To save the attachment and fix the filename at the same time, simply right-click on the attachment and select "Save as...". A dialog with the current (mangled) filename will be displayed. Select the folder where you want to save the file, and in the box where the filename is displayed simply edit out the "DEFANGED" part. For example, if the mangled attachment filename is THISISNOTAWORM.ETC.12345DEFANGED-DOC, simply delete the 12345DEFANGED- part to restore the original filename of THISISNOTAWORM.ETC.DOC - then you can go into My Computer and double-click on the file normally to open it.
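The following Python script is an added example written for this page; it is not the sanitizer's own procmail code. It models the filename handling described above: a hazardous extension is rewritten to the NNNNNDEFANGED-EXT form so that Windows no longer recognizes it and shows the whole name, and the recipient restores the original name by deleting the numeric DEFANGED- fragment. It also shows how the "hide known filename extensions" option turns THISISAWORM.TXT.EXE into the harmless-looking THISISAWORM.TXT, and checks for that disguise. The extension lists and the fixed "12345" tag are illustrative assumptions, not the sanitizer's real policy settings.

```python
"""Attachment-name mangling and restoration as described on this page.

Added example, not the sanitizer's code. The extension sets and the
'12345' tag are constructed for illustration only.
"""

import re

# Assumption: a short illustrative list of directly executable extensions.
# The real sanitizer policy is configured by the mail administrator.
HAZARDOUS_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}

# Assumption: extensions Windows treats as "known" and therefore hides.
KNOWN_EXTENSIONS = HAZARDOUS_EXTENSIONS | {"txt", "doc", "xls", "jpg", "gif", "zip", "pdf"}

# The '12345DEFANGED-' fragment the page tells the recipient to delete.
DEFANG_RE = re.compile(r"\d+DEFANGED-", re.IGNORECASE)


def split_extension(name):
    """Return (stem, ext) for the last dotted component; ext has no dot."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext


def is_hazardous(name, policy=HAZARDOUS_EXTENSIONS):
    """True when the real (last) extension is on the policy's hazardous list."""
    return split_extension(name)[1].lower() in policy


def mangle(name, policy=HAZARDOUS_EXTENSIONS, tag="12345"):
    """THISISAWORM.TXT.EXE -> THISISAWORM.TXT.12345DEFANGED-EXE.

    The content is untouched; only the name changes. Names whose extension
    is not on the policy list are returned unchanged.
    """
    if not is_hazardous(name, policy):
        return name
    stem, ext = split_extension(name)
    return f"{stem}.{tag}DEFANGED-{ext}"


def restore(name):
    """Undo mangle() the way the page instructs: delete the NNNNNDEFANGED- part."""
    return DEFANG_RE.sub("", name, count=1)


def displayed_with_hidden_extensions(name):
    """What Explorer shows with 'hide known file types' switched on.

    A known extension is dropped from the display, so THISISAWORM.TXT.EXE
    appears as THISISAWORM.TXT. A mangled extension is not a known type,
    so the full mangled name stays visible.
    """
    stem, ext = split_extension(name)
    if ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return name


def looks_disguised(name):
    """True when hiding the real extension leaves a name that still looks
    like a document (THISISAWORM.TXT) but the real extension is hazardous."""
    shown = displayed_with_hidden_extensions(name)
    if shown == name or not is_hazardous(name):
        return False
    shown_ext = split_extension(shown)[1]
    return shown_ext != "" and not is_hazardous(shown)


if __name__ == "__main__":
    # Constructed sample attachment names, matching the page's examples.
    for sample in ("THISISAWORM.TXT.EXE", "THISISNOTAWORM.ETC.DOC", "holiday.zip"):
        mangled = mangle(sample)
        print(f"{sample:28} shown as {displayed_with_hidden_extensions(sample):20} "
              f"disguised={looks_disguised(sample)!s:5} mangled={mangled} "
              f"restored={restore(mangled)}")
```

Running the script prints one line per sample name; the mangled form is always visible in full, and restore() gives back exactly the original name, which is why the content of a DEFANGED attachment does not need to be touched at all.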

By default the Sanitizer uses very high security settings, settings that are somewhat too high for public ISPs to use. If you are a home user, and .EML (forwarded email) and .VCF (V-card) attachments are being mangled by your ISP, then please contact your ISP's support desk and ask them to reduce the security settings a bit.

"But I just want to send this file, and I've virus-scanned it and it's clean! Why is it being rejected?" you ask. Virus scanners are reactive - the antivirus vendor needs to see a sample of the virus before they can create a recognition signature for their scanner. This process can take several days, and then you have to obtain the signature update before your scanner will detect the virus. This means a computer will be vulnerable to a new virus - or a new variant of an old virus - for several days at a minimum. Given that an email worm may spread worldwide in two days, that's simply not fast enough. It also means that if the virus signature list is not being regularly updated the antivirus software won't be able to detect new viruses and new variants of old viruses. Many people don't keep their virus signature list current after the initial 30- or 60-day update subscription expires. Most vendors allow manual downloads of their signature files, and reinstalling the antivirus software will update the signatures and may resubscribe for another 30- or 60-day period.

The sanitizer, on the other hand, is a proactive security policy enforcement tool. The administrator of the mail system has taken a look at the risks, and has decided that certain types of files are simply too hazardous to permit into their mail system from the public Internet. This way, all of the email worms and viruses that rely on an executable file attachment to spread, whether or not they are brand new variants, get stopped at the mail server. The rejection does not mean any specific file is infected; rather it means that the entire class of files is not acceptable.

If you wish to send an attachment past the policy filter, you need to package it in a manner that makes it not directly executable. Instead of sending a bare executable file, package it using WinZIP, Stuffit, or some other compressing and archiving program. If you're already sending a bunch of files in this format, don't make the archive a self-extracting .EXE file. If you want to share something that is publicly available (like Elf Bowling XXXVII) then send the URL where they can download the file from the vendor, rather than sending the file itself. If you are sending files that many people might be interested in (like your vacation photo album or new baby pictures) then post those files on your personal website (most ISPs provide this as part of the basic account) and send a URL rather than the files themselves.

Please note:

The mail administrator decides the email security policy for their site. I do not. If you have problems with the mangling of attachment filenames, please take it up with the administrator of your email system. I can help them fine tune their security settings, but I cannot turn things off for you if you're annoyed by mangled attachment filenames. Also, the sanitizer is not a subscription service, so I cannot unsubscribe you.

I can be contacted at <jhardin@impsec.org> - you could also visit my home page.


$Id: sanitizer-intro.html,v 1.33 2006-01-20 07:40:08-08 jhardin Exp jhardin $
Contents Copyright (C) 2006 by John D. Hardin - All Rights Reserved. Translation encouraged, please notify me so I can post links from the main site.