Blocked Attachments
The following is a list of the file extensions which are blocked by Raptor Anti-Spam to help protect your computer from malicious attachments.
Dropped Files
Due to the likelihood of being malware, attachments with the following extensions are blocked entirely by Raptor by silently dropping the entire message, including files containing a class ID extension:
| Extension | Description | Threat |
|---|---|---|
| pif | MS-DOS shortcut | Can launch malware |
| com | Executable file | Can launch malware |
| scr | Screen Saver Script | Can launch malware |
| bat | Executable batch file | Can launch malware |
| {*} | class ID extension | Class IDs function the same way other extensions do, but without it being obvious what type of file is being used, and is commonly used to trick users into opening malware |
Quarantined Files
The files below are quarantined and removed from the email. The original message with a note about the removed attachment will still be received, and the file can be retreived from the quarantine by contacting PCCC. Click here for more help with attachments and retrieval instructions.
| Extension | Description | Threat |
|---|---|---|
| 7z | A Compressed File Format like a zip | Exploit potential uncertain but prevalent in financial Phishing emails in 3Q 2017. |
| ace | WinAce Compressed File | Ace files Can contain malicious payloads that launch malware |
| ade | MS Access project extension | Access project files Can contain autoexecuting macros |
| adp | MS Access project description | Macros |
| app | Microsoft FoxPro application / OS X binary | Executables may launch malware |
| arj | A Compressed File Format like a zip | Exploit potential uncertain but present in some Phishing emails. |
| asd | Microsoft Office automatic backup file | Macros |
| asf | Streaming video | Buffer overflow |
| asx | Streaming video | Buffer overflow |
| bas | BASIC source file | Code execution can launch malware |
| bat | Executable batch file | Code execution can launch malware |
| cab | Cabinet file used by Windows for compressing installation files | Used in Phishing to trick people into installing programs. |
| chm | Compiled HTML help file | Exploits a buffer overflow found in Internet Explorer. |
| cmd | Executable batch file | Can launch malware |
| cpl | Control panel extension | Can launch malware |
| crt | Security certificate | Can override SSL certificates and lead to Man-in-the-middle attacks |
| dll | Dynamic Link Library | Can launch malware |
| exe | Executable file: .exe plus additional variations | Can launch malware |
| fxp | Microsoft FoxPro executable | Can launch malware |
| hlp | Windows compiled help file | Macros |
| hta | HTML application | (Java)script can launch malware |
| hto | Hierarchical Tagged Objects file | Can launch malware |
| inf | Setup information | Setup scripts can be changed to do unexpected things |
| ini | Contains program options | Program options can be accidentally installed and cause programs to do unexpected or malicious things |
| ins | Internet Naming Service | DNS hijacking/DNSChanger attacks |
| isp | Internet Settings | DNS hijacking/DNSChanger, MITM attacks |
| jar | Java Archive | Can launch malware |
| js | Javascript source file | Can launch malware |
| jse | Javascript executable | Can launch malware |
| lib | Software library | In theory, these files could be infected but to date no LIB-file virus has been identified |
| lnk | Windows shortcut | Can execute arbitrary code and run malware. Some people may accidentally attach a shortcut instead of the softlinked file |
| mdb | Microsoft Access File | Macros can launch malware |
| mde | Microsoft Access database | Macros can launch malware |
| mim | MIME-encoded file | Blocked due to an exploit in some versions of WinZip. | msc | Microsoft Common Console Document | Can be changed to point to unexpected places. |
| msi | Windows installer executable | Can launch malware |
| msp | Microsoft Windows Installer Patch | Can launch malware |
| mst | Microsoft Visual Test Source Files and SDK Setup file | Source can be changed to make your computer work unexpectedly |
| ocx | Object Linking and Embedding (OLE) Control Extension | Can launch malware. |
| pcd | Kodak proprietary photo CD image | Can launch malware. |
| pif | MS-DOS shortcut | Can launch malware |
| prg | FoxPro program source file | Can launch malware |
| reg | Registry file | Can change system settings and cause unexpected behaviour |
| scr | Script | Can launch malware |
| sct | Windows Script Component | Can launch malware |
| sh | UNIX shell script | Can launch malware on UNIX workstations |
| shb | Shell Scrap Object File | Can launch malware |
| shs | Shell Scrap Object | Can launch malware |
| sys | System Device Driver | Can launch malware, kernel level. |
| uue | UUE archive file | Can be used to hide malware files |
| url | Bookmarked URL | File with a web URL that can open nefarious |
| vb | VisualBASIC runtime | can execute arbitrary code |
| vbe | VisualBASIC | can execute arbitrary code |
| vbs | VisualBASIC script | can execute arbitrary code |
| vxd | Virtual Device Driver | Can launch malware |
| wmd | Windows Media Download | Can launch malware |
| wms | Windows Media Player Skin | Can launch malware |
| wmz | Windows Media Zipped File | Can launch malware |
| wsc | Windows Script Component | Can launch malware |
| wsf | Windows Script File | Can launch malware |
| wsh | Windows Scripting Host Settings File | Can launch malware or cause unexpected behaviour |
| Z | A Compressed File Format like a zip | Exploit potential uncertain but prevalent in financial Phishing emails in 2Q 2020. |
Conditionally Blocked Files
In addition to the above formats, some files are only blocked if certain conditions are met due to their widespread use.
| Extension | Description | Conditions and Reason |
|---|---|---|
| zip | File Archive | ZIP archives contents are scanned using the same rules above. ZIP files which appear to be corrupted or in the wrong format (Files with a bad "magic file number") are blocked, since they may contain exploits or executable malware. |
| eml | Email message attachment | Email forwarded in this manner without being marked as multipart alternative are quarantined, since a client may inadvertently open this extension automatically and execute malware. |
Disabled HTML Tags
In addition to scanning message attachments, Raptor will also scan HTML messages for potentially malicious content including the following:
| Tag | Reason |
|---|---|
| iframe | Iframe tags are used to "frame" or embed a remote website inside of an HTML email, and is blocked by Raptor due its use for phishing and tracking user email habits. |
| object | The object tag is used to embed audio, video, ActiveX, PDF, Flash, and Java applets in an HTML document, which can be exploited on some clients to launch malware. |
| script | The script tag is used to embed a Javascript or other executable program into an HTML document, and can be exploited to launch malware. |
Previously Blocked Files
Below is a list of files which were previously blocked by our spam filters, but since have been removed. Reasons for their removal from the block list may include the widespread prevalence of a certain format, and the use of better secured software by clients.
| Extension | Removal Date | Reason |
|---|---|---|
| rar | 2012-07-25 | RAR files have had exploit vectors but the prevalence of the file format is too high. Please make sure you are using recent and secure software to handle RAR files. |
| vcs | 2013-05-11 | Old versions of Outlook contained buffer overflows which could be exploited when importing a calendar. The prevalence of the format and use of clients that no longer suffer from this vulnerability has prompted the removal of this file block. |
Explanation of Threats
Macros
Macros are executable extensions of specific programs which are designed to automate long and tedious tasks. While some macro languages are limited from a programming perspective, many try to extend their usefulness by calling outside programs. Since some programs, such as document processors and office suites, allow the embedding of macros, it is possible to construct a malicious document that would download and run more capable malware as soon as it was opened.
Malware
Malware is a general term used to describe malicious software which causes unwanted, intrusive operation of a computer, normally unknown to the user. Malicious software includes but is not limited to viruses, adware, trojans, worms, and spyware. Common infection vectors for malware include email attachments, intentional or driveby downloads, and removable media such as thumbdrives.
Viruses
A computer virus is one type of malware which can spread by itself. As Wikipedia puts it, "the term "virus" is also commonly used, albeit erroneously, to refer to many different types of malware and adware programs."
Adware
Adware is a type of software which displays or injects internet advertisments in an attempt to gain the author ad-revenue. Some adware may come from legitimate companies to support a business model, and may come bundled with your computer. Other sources may present unwanted pop-up ads, and generally are classified as having malicoius intent.
Trojans
A trojan, or "trojan horse", is malware that masquerades as or is bundled with legitimate software. Sophisticated trojans, coupled with the implicit trust that a computer user unknowingly grants to the malware, is capable of cripling or disabling anti-virus software entirely, while consealing the problem from the user to evade detection.
Worms
A worm is a type of malware designed to replicate itself to spread to other computers or servers, usually relying on security flaws in physical networks to spread to as many computers as possible [1].
Spyware
Spyware is malware designed to silently steal information about an infected computer's user by logging keystrokes, accessing local files, and collecting stored application data to be sent back to the spyware author. Some spyware is the direct payload of a trojan, although some has been known to spread as a virus.
Ransomware
Ransomware, sometimes known as cypherware, is a malicious program which encrypts personal documents stored on computers or otherwise restricts access to the computer, holding the computer "hostage" and demanding money in exchange for the decryption or access key. While some ransomware is trivial to defeat, the best defense against ransomeware is to keep recent backups of your all personal documents.
Buffer Overflow
A buffer overflow is an unintentional flaw in software which can be exploited to run malware with the same privledges as the exploited program. An old or outdated browser may contain known buffer overflow exploits, which can be exploited to run malware through a specially crafted website. Keeping all installed software up to date is important to preventing security issues from buffer overflows.
Credits
Compiled by PCCC with considerable source material from the following sources:
- Wikipedia: http://en.wikipedia.org/wiki/User:Ruud_Koot/Dangerous_file_types
- Microsoft: http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx
- The MIMEDefang Source Code & Mailing List: http://www.mimedefang.com/