Best Practices - Email attachments

A popular use of e-mail is to distribute computer files (e.g., text files, documents, spreadsheets). This is done by "attaching" a file to an e-mail message, so that the file travels with the message to the recipient. Virtually any kind of computer file can be attached to an e-mail message for transport.
Unfortunately, this functionality also creates an opportunity to distribute malicious files (viruses, worms, and trojans). Older e-mail programs often opened attachments automatically, as a convenience to the user, which allowed infections without any action on the user's part. Newer e-mail programs do not normally open attachments automatically, so attackers have turned to other methods of enticing (convincing) the recipient to open the attachment manually. This is "social engineering": an attack designed to make you take an action (in this case, clicking on the attachment). Attackers constantly come up with new social engineering tactics to trick users into starting (opening) malicious programs.
Some recent social engineering tactics used in e-mail are:
- Customize the message text ("Dear John, ...")
- Spoof (forge) the sender name so the message appears to come from someone you know
- Make the message personal
- Make the message threatening
- Make the message look official (phishing)
- Make the attachment look harmless
A recommended best practice is to NEVER distribute an executable program as an e-mail attachment. An executable attachment is a program, rather than a text file or a document: it is something that "runs" when you click on it (start it). Methods other than e-mail are available to safely share programs with others (see "Options for Sharing Executable Programs", below).
How do we know if an attachment is "executable"?
The file name is what the computer uses to decide what to do with a file. Specifically, the extension (the part of the name after the last dot) is looked up in the computer's table of file associations. For example, a document named with the extension ".doc" is most likely opened with Microsoft Word, while an extension such as ".exe" tells the computer the file is a program that runs by itself when it is clicked. There are many file types and program associations on every computer. If your computer has no association for a file's extension, it will prompt you to select a program to open it. Note that only the last extension counts, and Windows hides known extensions by default, so a file named "invoice.pdf.exe" can be displayed as "invoice.pdf" while still being a program.
Protection from Malicious E-Mail
To help secure the University's computers, the following protections are being implemented:
- All incoming messages are scanned for known viruses, worms, trojans, etc. If malicious code is detected, the entire message is discarded at the campus e-mail gateway. In addition, if a file attachment is encrypted or password protected, and therefore cannot be examined for malicious code, it is discarded. (Examples are encrypted .zip files and password-protected office productivity files.)
- Any message that is not a known problem but has a "dangerous" (executable) attachment has the attachment deleted before the message is delivered. Text is inserted into the message stating that the attachment has been removed.
- Any message that is not a known problem and whose attachment is not considered "dangerous" is delivered intact. This includes messages with office productivity files (documents, spreadsheets, etc.), text files, and other non-executable files attached.
All Email Users Should Block These E-Mail Attachment Types:
There are numerous kinds of executable file attachments that most units do not need to distribute routinely via e-mail. If possible, block these at the perimeter as a countermeasure against the malicious code threat. Units using Outlook can also block them in the client, using Outlook 2003 or, for earlier versions of Outlook, the appropriate security patches.
The specific file types that should be blocked are:
.bas .bat .chm .cmd .com .cpl .crt .exe
.hta .inf .ins .isp .js .jse .lnk .msi
.msp .mst .pif .pl .reg .scr .sct .shs
.url .vb .vbe .vbs .ws .wsc .wsf .wsh
It may be prudent to add files to, or delete files from, this list depending on operational realities. For example, it may be practical to block the file types of the Microsoft Office family, all of which can contain an executable component (macros). Most notable are Microsoft Access files, which, unlike other members of the Office family, have no intrinsic protection against malicious macros. That list includes:
.doc .doch .docm .xls .xlt .xlw .ppt .pps
.rtf .mdb .ade .adn .adp .dot .mde .mdn
.mdp .obd .obt .obz .pub .pubh .pubm
If you need to send a file with a blocked extension, you may compress it and send it as a zip file. A zip file is pure data, not a program: nothing inside it can run until the user extracts and opens it. Do not password-protect the zip, since the gateway discards attachments it cannot examine. Important point: malware can be sent inside a zip file just like anything else, so do not open even a zip file unless you were expecting it.
In Windows XP and later, you can do this natively:
- Right-click on the file to compress
- Go to Send To > Compressed (zipped) Folder
- Attach the resulting zip file to your email message.
Alternatively, you may use compression software such as WinZip.
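The following added Python example exercises the rules described on this page together: the extension-based test from "How do we know if an attachment is executable", the three gateway outcomes (discard, strip, deliver intact), the Set 1 block list, and the zip caveat (a zip is delivered, but a password-protected one cannot be examined and is dropped). It is not the University's gateway code and is not from the original page. The function names, the decision to treat an unreadable zip as "cannot be examined" (and so discard it), and the sample attachments are assumptions constructed for the demonstration.

```python
import io
import posixpath
import struct
import zipfile
import zlib

# The executable extensions the page lists for blocking, lower-case with the dot.
BLOCKED_EXTENSIONS = frozenset("""
.bas .bat .chm .cmd .com .cpl .crt .exe .hta .inf .ins .isp .js .jse .lnk .msi
.msp .mst .pif .pl .reg .scr .sct .shs .url .vb .vbe .vbs .ws .wsc .wsf .wsh
""".split())


def effective_extension(filename):
    """Return the extension Windows actually uses to pick a program, lower-cased.

    Only the final extension counts, so "invoice.pdf.exe" is an .exe even though
    Explorer (with "hide extensions for known file types" on) shows "invoice.pdf".
    Windows also ignores trailing dots and spaces when it resolves a name, so
    "report.doc.exe   " is still an .exe.
    """
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    return posixpath.splitext(name)[1].lower()


def inspect_zip(data):
    """Summarise a zip attachment from its central directory without extracting
    anything: members flagged as encrypted (bit 0 of the general-purpose flag)
    and members that would be blocked if they had been sent bare."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    return {
        "count": len(members),
        "encrypted": [m.filename for m in members if m.flag_bits & 0x1],
        "executables": [m.filename for m in members
                        if effective_extension(m.filename) in BLOCKED_EXTENSIONS],
    }


def gateway_action(filename, data=b""):
    """Apply the gateway rules to one attachment and return (action, reason):
    "strip" (attachment removed, message delivered with a notice), "discard"
    (whole message dropped because it cannot be examined) or "deliver".
    Treating an unreadable zip as "cannot be examined" is this example's assumption."""
    ext = effective_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "strip", f"{filename!r} has blocked type {ext}"
    if ext == ".zip":
        try:
            summary = inspect_zip(data)
        except zipfile.BadZipFile:
            return "discard", f"{filename!r} is not a readable zip archive"
        if summary["encrypted"]:
            return "discard", (f"{filename!r} has password-protected members "
                               f"{summary['encrypted']} and cannot be scanned")
        return "deliver", (f"{filename!r}: {summary['count']} member(s); "
                           f"executable members inside: {summary['executables']}")
    return "deliver", f"{filename!r} ({ext or 'no extension'}) is not executable"


def make_zip(members):
    """Build an ordinary zip in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_encrypted_zip(name, payload):
    """Hand-build a one-member zip whose encryption flag (bit 0) is set.
    zipfile cannot write encrypted archives, and the policy above only reads the
    headers, so the member data is a placeholder rather than real ciphertext."""
    name_b, data = name.encode(), b"\0" * 12 + payload  # 12-byte PKZIP crypto header
    crc, flags, method = zlib.crc32(payload) & 0xFFFFFFFF, 0x0001, zipfile.ZIP_STORED
    dos_date = ((2024 - 1980) << 9) | (1 << 5) | 1  # 2024-01-01 in DOS date format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, dos_date,
                        crc, len(data), len(payload), len(name_b), 0) + name_b + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, dos_date, crc, len(data), len(payload), len(name_b),
                          0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed sample attachments (not real mail): attachment name -> bytes.
SAMPLES = {
    "minutes.docx": b"not a real document",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "report.doc.exe   ": b"MZ\x90\x00",
    "patch.zip": make_zip({"setup.exe": b"MZ\x90\x00", "README.txt": b"run setup.exe"}),
    "secret.zip": make_encrypted_zip("secret.exe", b"MZ\x90\x00"),
    "notazip.zip": b"this is not an archive",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        action, reason = gateway_action(name, data)
        print(f"{action:8} {reason}")
```

Run as a script, it prints one verdict per sample: the double-extension and trailing-space names are stripped as executables, the plain zip is delivered but its executable member is reported, and the zip with an encrypted member is discarded because the gateway cannot look inside it.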