Some file types commonly found in email and what to do about them
Here are some types of file commonly encountered in email, with suggestions on how to handle them. Where blocking is an option or suggested, do this with a server mail rule that prevents delivery to the user. You can move the message to a quarantine database if you like, though I prefer "silently delete".

  • *.bat, *.cmd
    MS-DOS/WINNT batch (script) files. Often used as virus vectors (in which case the file contents are always a Win32 portable executable). Not often found in real email. Usually fairly safe candidates for blocking.

  • *.com
    MS-DOS legacy executables. Often used as virus vectors (in which case the file contents are always a Win32 portable executable). Rarely found in real email. Safe to block on sight.

  • *.exe
    Windows portable executable. Often used as virus vectors. Sadly also often used by people sending self extracting archives so not obvious candidates for blocking. Consider blocking or at least quarantining during major virus outbreaks.

  • *.lnk
    Windows shortcut. Often used as virus vectors (in which case the file contents are always a Win32 portable executable). Rarely found in real email (no point as they refer to a location on someone else's hard disk drive). Safe to block on sight.

  • *.pif
    Windows legacy MS-DOS application shortcut. Often used as virus vectors (in which case the file contents are always a Win32 portable executable). Never found in real email. Block on sight.

  • *.scr
    Screen savers (also treated by Windows as an executable type). Sometimes found in real email. If you are a corporate mail admin and you have a policy on the installation by users of screensavers or other executable code (if not, why not?), then you can safely block on sight.

  • *.shb, *.shs, *.shx
    Windows Shell Scrap objects. Rarely seen in email, but potentially very hazardous as they can contain executable code and their .sh? extension is always hidden even if users have file extensions set to be visible, thus making it easy to disguise them as a benign file. Always block on sight.

  • *.pps
    Powerpoint self running slideshow. Often seen in email but rarely used productively. In this author's experience mainly used for chain letters (send this to at least fifteen other people and something wonderful will happen to you; don't break the chain or you will be cursed -- that sort of thing). Consider blocking. Worked for me.

  • *.zip
    Zip archives. Often found in real email but latterly also used by many viruses including Mydoom. Can't block these. If your virus or content filter permits, you should look inside ZIP files to see if they contain other banned content (.pif, .com, and so on), then block the entire message if any suspicious content is found.
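As an added example, not code from the original post or from Domino, here is a small Python content filter that applies the list above the way a server-side scanner would: a block-on-sight extension anywhere in the name is blocked (so a scrap object disguised as `report.txt.shs` is caught), `.exe` is quarantined, ZIP archives are opened and every member is checked (nested archives too, up to a limit), and any attachment whose bytes start with the `MZ` header that every Win32 portable executable carries is treated as executable whatever its name says. The extension sets, the size and nesting limits, the `FAKE_PE` bytes and the sample archives are all constructed for the example.

```python
"""Attachment policy checker (added example, not the original post's code)."""
import io
import zipfile
from typing import List, Tuple

# Extension sets follow the post's recommendations (constructed for this example).
BLOCK_ON_SIGHT = {".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
                  ".shb", ".shs", ".shx", ".pps"}
QUARANTINE = {".exe"}
ARCHIVES = {".zip"}
MZ = b"MZ"                      # DOS/PE header magic every Win32 executable starts with
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed cap; refuse to unpack anything larger
MAX_NEST = 2                          # assumed limit on archive-in-archive depth

# Constructed stand-in for a Win32 PE: only the header bytes matter to this check.
FAKE_PE = MZ + b"\x90" * 62 + b"This program cannot be run in DOS mode"


def suffixes(name: str) -> List[str]:
    """Every dotted suffix of a file name: 'notes.txt.shs' -> ['.txt', '.shs']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name: str) -> str:
    """Verdict from the file name alone: block, quarantine, inspect or allow."""
    exts = suffixes(name)
    if any(e in BLOCK_ON_SIGHT for e in exts):
        return "block"
    if any(e in QUARANTINE for e in exts):
        return "quarantine"
    if exts and exts[-1] in ARCHIVES:
        return "inspect"
    return "allow"


def looks_like_pe(data: bytes) -> bool:
    """True if the content carries the PE/DOS 'MZ' magic, whatever the name claims."""
    return data[:2] == MZ


def check_attachment(name: str, data: bytes, depth: int = 0) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment, descending into ZIPs."""
    verdict = classify_name(name)
    if verdict == "inspect":
        return check_zip(name, data, depth)
    if verdict == "block":
        return "block", f"{name}: banned extension"
    if verdict == "quarantine":
        return "quarantine", f"{name}: executable attachment"
    if looks_like_pe(data):
        return "block", f"{name}: Win32 executable content under a non-executable name"
    return "allow", f"{name}: ok"


def check_zip(name: str, data: bytes, depth: int) -> Tuple[str, str]:
    """Inspect every member of a ZIP; the first non-allow member decides the message."""
    if depth >= MAX_NEST:
        return "quarantine", f"{name}: archive nested too deeply to inspect"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    return "quarantine", f"{name}: member {info.filename} too large to inspect"
                member = zf.read(info)     # raises RuntimeError for encrypted members
                verdict, reason = check_attachment(info.filename, member, depth + 1)
                if verdict != "allow":
                    return verdict, f"{name} -> {reason}"
    except (zipfile.BadZipFile, RuntimeError):
        # Unreadable or password-protected archives cannot be inspected: hold them.
        return "quarantine", f"{name}: unreadable or encrypted archive"
    return "allow", f"{name}: archive contents ok"


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pif", FAKE_PE),
        ("setup.exe", FAKE_PE),
        ("report.txt.shs", b"looks harmless"),
        ("photo.jpg", FAKE_PE),
        ("docs.zip", build_sample_zip({"readme.txt": b"hi", "document.pif": FAKE_PE})),
        ("broken.zip", b"not really a zip"),
    ]
    for attachment_name, content in samples:
        print(check_attachment(attachment_name, content))
```

The verdict for a message is the worst verdict of any of its attachments; "quarantine" covers the cases the filter cannot decide on its own (an encrypted or corrupt archive, an oversized member), which is where a human or a second scanner should look.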


Category: Domino: Administration
Comments:

1. Dave Brown, 03/02/2004 16:20:13


What do you think about .vbs and .hta?




2. Chris Linfoot, 03/02/2004 16:50:59


Also very nasty. Actually I have a much longer list of file types found in email but decided to confine this piece to types commonly found in email (with the exception of shell scrap objects which are so pernicious that I included them despite relative rarity).




3. Stoomaroo, 03/02/2004 20:23:45


I block *.mp3 files as well. Many a time I catch someone trying to slip that shiny new "Britney" tune through email. Don't want to be the village idiot subpoenaed by the RIAA -- regardless of what yesterday's Federal Judge states.




4. Chris Linfoot, 03/02/2004 21:11:43


That's a very good point... Copying that.




5. Nathan T. Freeman, 03/02/2004 22:23:17


LOL

I work at Sony Music. Blocking MP3s not a real good plan here. :)




6. Declan Lynch, 10/02/2004 10:43:05
Homepage: http://www.qtzar.com


We also silently remove MP3, WMA, MPEG, MPG, QT and RM files from the mail stream. There is no business reason for these types of attachments, so this works great for us and also cuts down on the amount of space people waste in their mail files. I'd love to cut out JPGs, but there are business reasons for sending and receiving them.

Using Antigen we can actually remove the attachment from the mail message so the recipient still gets the message minus the attachment.




7. Sam, 17/05/2004 16:09:23


Hey! Don't forget .vbs files! Otherwise you'll be having another "I love you" story.




8. Chris Linfoot, 17/05/2004 16:17:52


Yes, we stop those too.

I wrote this piece in the context of Netsky and like worms which use Windows portable executables disguised as other types (.pif, .bat and so on).

I guess I may publish a more comprehensive list some time in future.




9. Steve Dionne, 01/06/2004 18:37:10
Homepage: http://www.canammanac.com


I just want to tell you that the SHX extension is used by AutoCAD's fonts.
.shx Shape entities (AutoCAD)

For more information, check this useful Web Site
http://www.webopedia.com/quick_ref/fileextensionss.asp

Keep up your great work. I like your site; there are a lot of useful things about Lotus Notes, spam, and so on...




10. Andrew Taylor, 12/02/2005 00:38:11


Hey guys. I'm just wondering if anybody can help me. I have 9 MS-DOS shortcuts that I think could be a virus; I delete them and they reappear again almost instantly. There is also an unreadable AutoCAD file which seems to be part of it. I tried virus scans and they don't show up. Any ideas on how I could get rid of them?




11. Hernan Ruggiano, 30/05/2007 16:09:51


That's great to prevent incoming files, but what about outgoing files? I want to prevent users FROM sending mp3, wmv and others, but I can't find a way to do it... any ideas?

Thanks.




12. Chris Linfoot, 30/05/2007 16:51:39


The same technique works for both inbound and outbound attachments.



