Email Attachment Filtering: Strategies and Lessons Learned Brian Reilly Georgetown University, UIS [email protected] http://security.georgetown.edu

Posted on 19-Dec-2015


Page 1: Email Attachment Filtering: Strategies and Lessons Learned

Brian Reilly, Georgetown University, UIS
reillyb@georgetown.edu
http://security.georgetown.edu

Page 2: Overview

• Introduction
• What’s the problem?
• What did we do?
• What did we learn?

Page 3: A bit about me…

• 6 years at Georgetown
• Security guy, not an email guy
• Pine is my email client of choice (so what’s all this fuss about clicking on attachments?)

Page 4: Once Upon a Time…

• Historically, very little filtering done
• Last resort, only in the event of negative impact on server or service
• sendmail.cf modifications for Melissa (ca. 1999) and ILOVEYOU (ca. 2000)
• Viruses typically addressed by desktop AV software.

Page 5: Jump to the Present

• Multiple years of many, many email viruses
• Multiple years of users clicking on many, many infected attachments
• Client-side AV software is good, but it’s not solving the problem.

Page 6: Current Email Architecture

• Sun IMS IMAP store; access via IMAP/SSL
• IMS Webmail via HTTPS
• Multiple external MTAs running freeware Sendmail
• Multiple internal MTAs running freeware Sendmail; SMTP AUTH over SSL required
• 300K-500K inbound messages delivered a day

Page 7: Current Email Architecture (diagram)

Diagram components: two External MTAs and two Internal MTAs in front of the IMAP Mail Store; GU Clients reach the store over IMAP/SSL and HTTPS and submit mail to the internal MTAs over SMTP AUTH/SSL.

Page 8: The Problems

• Same recommendations for each new virus:
  • Configure AV software to auto-update daily
  • Enable automatic file system protection
  • Don’t click on suspicious attachments
• Huge productivity losses:
  • Desktop and ResNet spending more than 50% of time on virus tickets
  • Users impacted by system disinfection and/or re-building
  • Users frustrated; IT staff frustrated

Page 9: The Problems: Increased Risk

• Virus payload becoming more malicious:
  • SPAM proxies
  • Network scanning
  • File modification
  • Keystroke monitoring

Page 10: Solution Requirements

• Ideally fit well into existing architecture, with limited re-engineering
• Deliver legitimate attachments
• Protection from 0-day attacks
  • What’s the exposure: New virus -> New virus definition released -> Definitions updated on server
  • Others saw up to a few thousand infected messages sneak in
• Paying >$50K for a partial solution wasn’t an option

Page 11: Then W32.SoBig.F Hit

• August 2003
• Already dealing with Blaster, Welchia, and Back-to-School
• Many large messages clogging user inboxes and affecting system performance
• Had to do something NOW
• Implemented MIMEDefang in a 48-hour period

Page 12: What is MIMEDefang?

From the FAQ:

MIMEDefang is a framework for filtering e-mail. It uses Sendmail's "Milter" API, some C glue code, and some Perl code to let you write high-performance mail filters in Perl.

People use MIMEDefang to:
• Block viruses
• Block or tag spam
• Remove HTML mail parts
• Add boilerplate disclaimers to outgoing mail
• Remove or alter attachments
• Replace attachments with URLs

Freeware; similar commercial products available from Roaring Penguin Software

http://www.mimedefang.org

Page 13: MIMEDefang: Take 1

• SoBig messages silently dropped
• Other suspicious attachments logged
• Worked well, but was a very reactive solution
• No protection against the next email-borne virus

Page 14: MIMEDefang: Take 2

• New filters added
• Additional requirements:
  • File names
  • File sizes
  • Hash contents
• Worked OK, but prone to false negatives
• Non-trivial toll on system resources

Page 15: Making the Case

Ultimately left with a choice between non-perfect solutions:

Status Quo: No filters
• No messages or attachments dropped
• Viruses continue to be a huge burden
• Looming “big incident”

Option #1: Attachment filtering
• Low capital cost
• Protection from 0-day threats
• Potential impact on users and productivity, due to dropped legitimate attachments or inconvenience

Page 16: Making the Case

Option #2: Commercial solution
• Significant capital expense
• Limited protection against 0-day
• May not fix the problem

Page 17: Making the Case

• Collected data over a 30-day period of “normal” usage
• ~350K executable attachments logged
• Metrics:
  • Number of blocked known viruses
  • Number of each executable attachment type
  • Top file names by attachment type
  • Frequency given a file size and attachment type

Page 18: Some of the highlights

Page 19: Top Filenames by Extension

Extension  Filename              Count
.BAT       body.bat                276
.BAT       message.bat             339
.BAT       document.bat            568
.CMD       text.cmd                365
.CMD       Message.cmd             378
.CMD       document.cmd            741
.EXE       body.exe               1177
.EXE       message.exe            1260
.EXE       document.exe           2270
.PIF       message.pif            4064
.PIF       document.pif           7889
.PIF       www.paypal.com.pif    14057
.SCR       body.scr               3612
.SCR       message.scr            3994
.SCR       document.scr           7460
.ZIP       body.zip              16792
.ZIP       document.zip          33992
.ZIP       message.zip           39190

Page 20: File Metrics Summary (by extension and file size)

Total Number of Files  Number of Unique Filenames  Extension  File Size (bytes)
 9902                   763                        .exe       22528
10484                  1414                        .zip       22640
10834                  1450                        .zip       22646
11806                  1329                        .zip       22648
23811                   975                        .zip       22790
32272                  2491                        .scr       22528
34070                  2624                        .pif       22528
34964                  1405                        .zip       22642

Page 21: File Metrics Summary (share of files carrying a top-10 filename)

Extension  Total # of Files Logged  # of Files in “Top 10 Filenames”  % of Files in “Top 10 Filenames”
BAT          3264                     2467                             75.58%
CMD          3424                     3113                             90.92%
COM          4688                      511                             10.90%
EXE         24575                     9756                             39.70%
PIF         55280                    46852                             84.75%
SCR         39834                    31754                             79.72%
ZIP        198002                   164235                             82.95%
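The metrics on slides 17, 20 and 21 (files per extension, unique filenames, share of files carrying one of the top-10 names, and counts by extension and size) can be reproduced from an attachment log with a short script. The following is an added example, not the analysis code used at Georgetown: the log format ("size filename" per line) and the sample lines are constructed, and the `virus_floor` helper is an assumption about how the slide-22 "at least 82%" figure was derived (files whose names are known worm filenames, divided by all files of that extension).

```python
"""Attachment-log metrics in the spirit of the slide-17/20/21 analysis.

Added example; the log format and the sample lines are constructed, not
GU's MIMEDefang log output.
"""
from collections import Counter, defaultdict

# Constructed log: "<size-in-bytes> <attachment filename>", one per line.
SAMPLE_LOG = """\
22528 document.pif
22528 document.pif
22528 www.paypal.com.pif
22640 message.zip
22646 document.zip
22648 body.zip
1200 budget.zip
22528 body.scr
22528 document.scr
22528 setup.exe
"""


def parse_log(text):
    """Return (size, filename) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) != 2 or not fields[0].isdigit():
            continue
        records.append((int(fields[0]), fields[1]))
    return records


def extension_of(filename):
    """Upper-cased final extension, matching the slides' BAT/CMD/... labels."""
    return filename.rsplit(".", 1)[1].upper() if "." in filename else ""


def top_share(total, in_top):
    """Percentage of files whose name is among the top-N names (slide 21)."""
    return round(100.0 * in_top / total, 2) if total else 0.0


def summarize(records, top_n=10):
    """Per-extension metrics: totals, unique names, top-N share, size groups."""
    by_ext = defaultdict(list)
    for size, name in records:
        by_ext[extension_of(name)].append((size, name))
    summary = {}
    for ext, items in by_ext.items():
        names = Counter(n for _, n in items)
        top = names.most_common(top_n)
        in_top = sum(count for _, count in top)
        # Slide 20 groups by (extension, size): how many files, how many names.
        size_groups = {}
        for size in {s for s, _ in items}:
            group = [n for s, n in items if s == size]
            size_groups[size] = (len(group), len(set(group)))
        summary[ext] = {
            "total": len(items),
            "unique": len(names),
            "names": names,
            "top_names": top,
            "in_top": in_top,
            "pct_top": top_share(len(items), in_top),
            "size_groups": size_groups,
        }
    return summary


def virus_floor(summary, ext, virus_names):
    """Lower bound on the virus-generated share of one extension: files whose
    names are known worm filenames (the slide-22 'at least 82%' reasoning)."""
    names = summary[ext]["names"]
    matched = sum(names.get(n, 0) for n in virus_names)
    return top_share(summary[ext]["total"], matched)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for ext, m in sorted(s.items()):
        print(f"{ext:4} total={m['total']:3} unique={m['unique']:3} "
              f"top10={m['in_top']:3} ({m['pct_top']:.2f}%)")
    print("ZIP virus floor:",
          virus_floor(s, "ZIP", ["body.zip", "document.zip", "message.zip"]))
```

Run against a real log, the `size_groups` output reproduces the slide-20 rows (for example 34070 .pif files of 22528 bytes with 2624 distinct names), and `top_share` reproduces the slide-21 percentages.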

Page 22: It’s worth re-stating…

A minimum of 82% of the messages with .ZIP attachments processed during the observation period were generated by viruses.

Page 23: The Outcome

• We went with Option #1
• MIMEDefang processes all incoming messages
• Slight modifications made to enhance performance

Page 24: Filtered Attachment Types

.ade Microsoft Access project extension
.adp Microsoft Access project
.bas Microsoft Visual Basic class module
.bat Batch file
.chm Compiled HTML Help file
.cmd Microsoft Windows NT Command script
.com Microsoft MS-DOS program
.cpl Control Panel extension
.crt Security certificate
.exe Program
.hlp Help file
.hta HTML program
.inf Setup Information
.ins Internet Naming Service
.isp Internet Communication settings
.js JScript file
.jse JScript Encoded Script file
.lnk Shortcut
.mdb Microsoft Access program
.mde Microsoft Access MDE database
.msc Microsoft Common Console document
.msi Microsoft Windows Installer package

Page 25: Filtered Attachment Types (continued)

.msp Microsoft Windows Installer patch

.mst Microsoft Visual Test source files

.pcd Photo CD image, Microsoft Visual compiled script

.pif Shortcut to MS-DOS program

.reg Registration entries

.scr Screen saver

.sct Windows Script Component

.shb Shell Scrap object

.shs Shell Scrap object

.url Internet shortcut

.vb VBScript file

.vbe VBScript Encoded script file

.vbs VBScript file

.wsc Windows Script Component

.wsf Windows Script file

.wsh Windows Script Host Settings file

.zip Compressed (ZIP) File Archive

Based on http://support.microsoft.com/support/kb/articles/Q262/6/31.asp

Page 26: The Implementation

• Microsoft “Type I” attachment types and .ZIPs removed and replaced with a warning:

WARNING: This e-mail contained one or more attachments that have been identified as possibly carrying a virus. For more information, contact [email protected] or visit the following Web site:

http://uis.georgetown.edu/email/attachment.scanning.html

An attachment named New_MP3_Player.cpl posed a security hazard and was removed from this document. If you require this attachment, please contact the sender and arrange an alternate means of receiving it.

Page 27: The Implementation

Custom headers added:

X-GU-FilterVersion: 1.25
X-GU-Filter-Warning: This message contained a dangerous attachment type
X-Scanned-By: MIMEDefang 2.39

• Allows users to create filters to move/file messages with suspicious attachment types
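The filter described on slides 14 and 24 through 27 (drop by extension from the Microsoft "Type I" list plus .zip, drop by known size/hash, replace each removed part with a warning, and stamp X-GU-* headers so users can file the messages) is shown below as an added example in Python's standard-library `email` package. It is not Georgetown's MIMEDefang filter and does not use MIMEDefang's Perl API; the contact address, the known-bad hash, the CLSID value and every sample attachment are constructed. It goes one step beyond the slides in two places, both labelled in the code: it rejects a filename ending in a CLSID (the "Windows CLSID viruses" of slide 29, where Windows hides the real extension), and it sniffs the DOS/PE "MZ" magic so that a renamed executable of the "urgent.foo" kind from slide 29 is caught even though its extension is harmless.

```python
"""Attachment filter modelled on the policy described on these slides.

Added example (Python stdlib, not MIMEDefang's Perl filter API); every
address, filename and sample byte string below is constructed.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Microsoft "Type I" extensions from slides 24-25, plus .zip, which GU added.
BLOCKED_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde",
    "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shb",
    "shs", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh", "zip",
}
# "Take 2" style size/hash signatures. Constructed, not real virus samples.
KNOWN_BAD = {(len(b"CONSTRUCTED-SAMPLE"),
              hashlib.sha1(b"CONSTRUCTED-SAMPLE").hexdigest())}
# Beyond the slides: Windows hides a trailing {CLSID} "extension", so a name
# like file.txt.{CLSID} opens as the registered object. Reject the pattern.
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")
FILTER_VERSION = "1.25"          # header value shown on slide 27
CONTACT = "help@example.edu"     # placeholder; the slide's address is redacted
WARNING_HEADER = "This message contained a dangerous attachment type"


def extension_of(filename: Optional[str]) -> str:
    """Lower-cased final extension: 'document.zip.exe' -> 'exe'."""
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def verdict(part: EmailMessage) -> Optional[str]:
    """Reason the part must be removed, or None if it may be delivered."""
    name = part.get_filename()
    data = part.get_payload(decode=True) or b""
    if name and CLSID_RE.search(name):
        return "CLSID extension"
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    if (len(data), hashlib.sha1(data).hexdigest()) in KNOWN_BAD:
        return "known-bad size/hash"
    # Beyond the slides: the DOS/PE 'MZ' magic under a harmless-looking name
    # (urgent.foo, which the victim is asked to rename to urgent.exe).
    if name and data[:2] == b"MZ":
        return "executable content under a non-executable name"
    return None


def warning_text(removed: list) -> str:
    """Replacement text in the style of the slide-26 warning."""
    lines = ["WARNING: This e-mail contained one or more attachments that have "
             "been identified as possibly carrying a virus. For more "
             f"information, contact {CONTACT}.", ""]
    for fname, reason in removed:
        lines.append(f"An attachment named {fname} posed a security hazard "
                     f"({reason}) and was removed from this message. If you "
                     "require this attachment, please contact the sender and "
                     "arrange an alternate means of receiving it.")
    return "\n".join(lines) + "\n"


def scrub(container: EmailMessage, removed: list) -> None:
    """Recursively drop offending leaf parts from a multipart container."""
    kept = []
    for part in container.get_payload():
        if part.is_multipart():
            scrub(part, removed)
            kept.append(part)
        elif (reason := verdict(part)) is None:
            kept.append(part)
        else:
            removed.append((part.get_filename() or "(unnamed)", reason))
    container.set_payload(kept)


def filter_message(raw: bytes):
    """Parse, scrub, add the X-GU-* headers; returns (message, removed list)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        scrub(msg, removed)
        if removed:                      # append the warning as a text part
            notice = EmailMessage()
            notice.set_content(warning_text(removed))
            msg.attach(notice)
    msg["X-GU-FilterVersion"] = FILTER_VERSION
    if removed:
        msg["X-GU-Filter-Warning"] = WARNING_HEADER
    return msg, removed


def build_sample() -> bytes:
    """Constructed message: one harmless file and four kinds of bad attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.edu", "sample"
    m.set_content("Please see the attached files.")
    m.add_attachment("quarterly notes", filename="notes.txt")
    m.add_attachment(b"\x00fake", maintype="application",
                     subtype="octet-stream", filename="document.pif")
    m.add_attachment(b"MZ\x90\x00not a real PE", maintype="application",
                     subtype="octet-stream", filename="urgent.foo")
    m.add_attachment(b"CONSTRUCTED-SAMPLE", maintype="application",
                     subtype="octet-stream", filename="invoice.dat")
    m.add_attachment(b"\x00fake", maintype="application", subtype="octet-stream",
                     filename="readme.txt.{01234567-89AB-CDEF-0123-456789ABCDEF}")
    return m.as_bytes()


def run_sample() -> dict:
    """Filter the constructed message and report what was removed and kept."""
    msg, removed = filter_message(build_sample())
    return {"removed": [n for n, _ in removed],
            "kept": [p.get_filename() for p in msg.iter_attachments()
                     if p.get_filename()],
            "warning": str(msg["X-GU-Filter-Warning"])}


if __name__ == "__main__":
    print(run_sample())
```

The extension check uses only the final extension, so `document.zip.exe` is judged as `.exe`; the hash check is the "Take 2" signature match and, as the slide notes, is prone to false negatives once a worm varies its body, which is why the extension list does most of the work.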

Page 28: Results

• Over 1 million suspicious attachment types dropped to date
• Limited user complaints (but some did, vocally)
• Email-borne virus infections dropped almost to zero
• No more scrambling with each new virus
• I think we made the right choice, for now

Page 29: What’s to come?

The Bad
• More Windows CLSID viruses
• More social engineering, e.g. “Please re-name the file urgent.foo to urgent.exe, and open it for important information about Anna Kournikova.”
• Other means of infection, e.g. hostile URLs

The Good
• More savvy, informed users
• More secure operating systems and email clients
• ????

Page 30: Summary

• Sometimes you need that watershed event for things to change
• Do the analysis and look at the numbers – they may surprise you
• There is no perfect or one-size-fits-all solution
• For us, attachment filtering has been very successful

Page 31: Any Questions?

Contact me: Brian Reilly <[email protected]>

More information:
http://security.georgetown.edu
http://uis.georgetown.edu/email/attachment.scanning.html