Filtering attachments in e-mails


8 replies to this topic

#1 scotty_ncc1701

Posted 07 August 2014 - 09:16 AM

In one, if not more posts, I've indicated that e-mails with attachments are automatically deleted on my e-mail server.  I've gotten several requests on how to do it.  Here is the general way to do it.  The exact procedure will vary between e-mail providers.  This only DETECTS the attachment, you have to tell your filters on the server, or in your e-mail client what to do with them.

1.  In order to detect attachments in e-mails, create a filter (see your e-mail provider help, or e-mail client help), searching the entire body of the e-mail for ALL of these (no quotes):

1.1.  "Content-Disposition:"
1.1.1.  The colon is required.
1.2.  "attachment"
1.3.  "filename="

This will work for sure for e-mails created with Microsoft Outlook, Mozilla Thunderbird, and a webmail interface (at least on my e-mail server).  The items above are "hidden" fields in the e-mail.  Here is the filter on my e-mail server domain.

[image 214bjuc.png: screenshot of the filter on the poster's e-mail server]


Have a great day!


Edited by scotty_ncc1701, 07 August 2014 - 09:20 AM.


#2 Didier Stevens


Posted 07 August 2014 - 03:04 PM

If I copy the content of your post and e-mail it to you, your rule will trigger (false positive) and the mail will be deleted.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 scotty_ncc1701


Posted 07 August 2014 - 04:57 PM

Didier Stevens, on 07 August 2014 - 03:04 PM, said: "If I copy the content of your post and e-mail it to you, your rule will trigger (false positive) and the mail will be deleted."

 

In my post I said:

1.  "In one, if not more posts, I've indicated that e-mails with attachments are automatically deleted on my e-mail server".  NOTE, "...AUTOMATICALLY DELETED ON MY E-MAIL SERVER".

2.  Just above the filter (the embedded graphic), "Here is the filter on my e-mail server domain" -- NOTE "...ON MY E-MAIL SERVER DOMAIN".

3.  "This will work for sure for e-mails created with Microsoft Outlook, Mozilla Thunderbird, and a webmail interface (at least on my e-mail server).  The items above are "hidden" fields in the e-mail.  Here is the filter on my e-mail server domain".

4.  For Yahoo mail it did work, although in that case I had to use only "filename=", because of Yahoo's limited filtering ability.

As for your comment, "If I copy the content of your post and e-mail it to you, your rule will trigger (false positive) and the mail will be deleted".

1.  It's not a false positive, and the deletion is correct, based on the filter parameters.  Specifically, the graphic from my e-mail domain says to delete it, and thus it is 100% correct.  Note one of the actions says to "Discard message".  Discard = delete.  I never will see the e-mail.

2.  I also specifically stated, "This only DETECTS the attachment, you have to tell your filters on the server, or in your e-mail client what to do with them".  This means the "Content-Disposition:", "attachment", and "filename=" is the first part, which finds the attachments.  The second part is "...you have to tell your filters on the server, or in your e-mail client what to do with them..."  Filters always have three basic parts.  What field to search, what to look for, and then what to do.

SO, NO DISRESPECT, BUT MY POST IS STILL ACCURATE.  E-mails with attachments can still be automatically filtered on the server.  The basic implementation depends on the e-mail provider, as stated: "The exact procedure will vary between e-mail providers", as the example with Yahoo indicates.  The minimum filter must be "filename=".  The other two parameters are used to further prevent or lessen false positives.

Have a great day!
 



#4 Didier Stevens


Posted 07 August 2014 - 05:07 PM

Sorry, but I don't understand what you try to explain. Maybe you did not understand me.

 

Here is another explanation:

 

If I send you an e-mail without attachment but with these strings in the body:  "Content-Disposition:", "attachment" and "filename=",

then your rule will trigger.

That is why I call this a false positive. The rule triggers, but there is no attachment.

 

Hope this explains better what I'm trying to tell you and others who might take over your rule.

 

Example of such an e-mail:

Hello Scotty,

Are these your rule parameters:

1.1.  "Content-Disposition:"
1.1.1.  The colon is required.
1.2.  "attachment"
1.3.  "filename="

Thanks,

Didier



Edited by Didier Stevens, 07 August 2014 - 05:09 PM.



#5 scotty_ncc1701


Posted 07 August 2014 - 07:01 PM

DS:

 

OK, let me try again.  The reason that it is coming up as a false positive is because you're including the tags in the body of the e-mail, when, as indicated in the thread title, it is intended to filter messages with attachments.  More specifically at the server level, so it doesn't get to your inbox at all.  Take a look at this:

[image bhwwab.png: portions of two raw e-mails side by side, one without an attachment (left) and one with an attachment (right)]

Here I sent portions of the two raw e-mails, one without an attachment (left side), and one with an attachment (right side).  The areas with attachments aren't there in the one without attachments, and thus, as far as the user is concerned, they are hidden fields.

The filter looks for, and finds "Content-Type:", "attachment", and "filename=" in these hidden fields, thus it is a valid find, in the body portion of the text, even though the fields are hidden.  The only thing that could be used to make the filter tighter is to use "_NextPart_" in addition.

This is why you're getting a "false positive", because you're including the tags (hidden fields) in the body of the message you created.  Send yourself a message, one with an attachment, and one without, and you won't get a "false positive", if you have the filters set up right on the server.  For testing purposes, send the e-mail with the attachment to the trash folder, or another one you created for the test.

Remember, the title of the thread is, "Filtering attachments in e-mails".  In very general terms, the filter is intended to:

1.  Delete e-mails with attachments; or
2.  Redirect e-mails with attachments to an isolated folder.

Hope this helped.  Remember, the exact implementation will depend on your e-mail provider.  In my case, I have a domain just for my e-mails.  I only have Yahoo for the groups, and nothing more.

Have a great day!
 



#6 Didier Stevens


Posted 08 August 2014 - 02:42 AM

scotty_ncc1701, on 07 August 2014 - 07:01 PM, said: "DS: OK, let me try again.  The reason that it is coming up is a false positive, is because you're including the tags in the body of the e-mail, when as indicated in the thread title, it is intended on filtering messages with attachments."


Yes, that is exactly my point. It is intended to filter attachments, but it does more, it also filters e-mail messages like my example.

You can not control what people type in their e-mails to you. If someone sends you an e-mail with these tags in the body, you will never know about it, because the e-mail will be deleted.



#7 Didier Stevens


Posted 08 August 2014 - 02:50 AM

On another note, I suppose you never receive or send secure e-mail? I mean e-mails that have been digitally signed but not encrypted?



#8 Didier Stevens


Posted 08 August 2014 - 05:03 AM

Just thinking of something: are you doing this because the e-mail filtering engine you use can not detect attachments because it is not parsing SMTP/MIME?

 

The engine I use detects attachments and has a corresponding option when defining rules:

 

[image 290sa4z.png: rule-definition dialog of the poster's filtering engine, showing an attachment option]

 

Don't you have that option? And does this explain why you search for tags in the body?


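Added example, not code from the thread or from either poster: a Python script that runs the three-string body rule from post #1 beside a MIME-aware check of the kind post #8 asks about, over three constructed messages: one carrying a real attachment (with an Outlook-style "_NextPart_" boundary), the plain-text e-mail from post #4 that merely quotes the rule strings, and a digitally signed but unencrypted message (post #7) whose detached signature part is itself labelled as an attachment. The addresses, subjects, boundaries and base64 payloads are invented; the allow-list of signature content types is this example's own design choice, not anything either poster's server does.

```python
"""Body-string rule versus MIME parsing for attachment detection.

Added example, not from the thread. All three messages are constructed
for this demo; addresses, boundaries and payloads are invented.
"""
from email import message_from_string, policy

# The three strings post #1's filter searches the whole message for.
RULE_STRINGS = ("Content-Disposition:", "attachment", "filename=")

# Detached-signature parts of signed mail are marked "attachment" too,
# but they are not files the sender chose to attach (assumption: this
# allow-list is our own, not a standard list).
SIGNATURE_TYPES = {
    "application/pkcs7-signature",
    "application/x-pkcs7-signature",
    "application/pgp-signature",
}

# Constructed: a genuine attachment, Outlook-style boundary.
MSG_WITH_ATTACHMENT = """\
From: alice@example.test
Subject: Report
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001"

------=_NextPart_000_0001
Content-Type: text/plain; charset="us-ascii"

Report attached.

------=_NextPart_000_0001
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
------=_NextPart_000_0001--
"""

# Constructed: the post #4 e-mail; plain text, no attachment at all.
MSG_RULE_QUOTED = """\
From: didier@example.test
Subject: Your filter
Content-Type: text/plain; charset="us-ascii"

Hello Scotty,

Are these your rule parameters:

1.1.  "Content-Disposition:"
1.2.  "attachment"
1.3.  "filename="

Thanks,
Didier
"""

# Constructed: S/MIME signed (not encrypted) note, nothing attached.
MSG_SIGNED = """\
From: carol@example.test
Subject: Signed note
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset="us-ascii"

Just a signed note, nothing attached.

--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQEx
--sig-boundary--
"""


def naive_rule_matches(raw: str) -> bool:
    """Post #1's rule: fire when all three strings occur anywhere in the raw mail."""
    return all(s in raw for s in RULE_STRINGS)


def mime_attachments(raw: str) -> list[tuple[str, str]]:
    """Parse the MIME tree; list (content-type, filename) of parts disposed as attachment."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment":
            found.append((part.get_content_type(), part.get_filename() or ""))
    return found


def classify(raw: str) -> str:
    """'attachment', 'signature-only' or 'none', decided by MIME structure, not by text."""
    parts = mime_attachments(raw)
    if any(ctype not in SIGNATURE_TYPES for ctype, _ in parts):
        return "attachment"
    return "signature-only" if parts else "none"


if __name__ == "__main__":
    for label, raw in [("real attachment", MSG_WITH_ATTACHMENT),
                       ("rule strings in body", MSG_RULE_QUOTED),
                       ("signed, no file", MSG_SIGNED)]:
        print(f"{label:21} naive rule fires: {naive_rule_matches(raw)!s:5} "
              f"MIME says: {classify(raw)}")
```

Running it shows the naive rule firing on all three messages, while the parsed MIME tree separates the real attachment from the quoted rule text and from the signature part. The signature allow-list is the caveat from post #7 made concrete: a server rule that simply matches `Content-Disposition: attachment`, even one that parses MIME, will still discard signed mail unless the signature content types are exempted.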


#9 scotty_ncc1701


Posted 09 August 2014 - 07:38 AM

1.  The filtering engine on my domain is a basic filtering engine.  Although I could purchase an advanced package, I see no reason for it, because I have multiple levels of filtering.

2.  I could if I wanted, drop e-mails with attachments to a specific folder, on the server.  This would isolate e-mails with attachments.

3.  However, on all e-mail accounts that I would receive statements for (e.g. my bank, phone company, etc), I get a notice saying the statements are available on their server, and then I download them manually.  In these cases, attachments are moot, because they don't send them via e-mail.

4.  Because of #3, the most likely e-mails with attachments could possibly be "trouble" e-mails.  So why take a chance?  The only exception might be software I've bought online.  So far all of the licenses have been displayed on my screen, where I copy/paste it into a text file, create a PDF copy, and a screen capture of it, and save it into my PC licenses folder.  But they also send the license via e-mail, and it's never been an attachment.  So attachments are a moot issue.

5.  Remember, e-mail attachments are one of the ways viruses/malware are spread.  The addressee gets an e-mail, opens the attachment, and bam, they're infected.  Again, why take the chance?

6.  Just another extra step that I take that has kept me virus/malware free for about 19 years.

---- This added on my off-line prepared copy on 2014_08_09

7.  I found out yesterday, that my hosting company may have something that will easily check for attachments, differently than I do.  However, I don't know that I'll be getting it because:

7.1.  It cost additional $$.

7.2.  The functionality is on a third party site.
7.2.1.  My e-mails would be forwarded to their site for evaluation, then sent back to my e-mail server for delivery.

7.3.  The third party site, on their contact page says that:
7.3.1.  Their site says they're in one country.
7.3.2.  But their phone is in another country.
7.3.3.  They supposedly have a US office, but their fax is in Europe.
7.3.4.  They have an office in a country that I'm considering placing on my "bad country" list, but haven't made the final call.  I haven't used any software from this "bad country".

Have a great day!
 


Edited by scotty_ncc1701, 09 August 2014 - 07:39 AM.




