Email Attachment Filtering: Strategies and Lessons Learned
Brian Reilly, Georgetown University, UIS
[email protected]
http://security.georgetown.edu
Overview
- Introduction
- What's the problem?
- What did we do?
- What did we learn?
A bit about me…
- 6 years at Georgetown
- Security guy, not an email guy
- Pine is my email client of choice (so what's all this fuss about clicking on attachments?)
Once Upon a Time…
- Historically, very little filtering done
- Last resort, only in the event of negative impact on server or service
  - sendmail.cf modifications for Melissa (ca. 1999) and ILOVEYOU (ca. 2000)
- Viruses typically addressed by desktop AV software
Jump to the Present
- Multiple years of many, many email viruses
- Multiple years of users clicking on many, many infected attachments
- Client-side AV software is good, but it's not solving the problem
Current Email Architecture
- Sun IMS IMAP store; access via IMAP/SSL
- IMS Webmail via HTTPS
- Multiple external MTAs running freeware Sendmail
- Multiple internal MTAs running freeware Sendmail; SMTP AUTH over SSL required
- 300K-500K inbound messages delivered a day
[Diagram: Current Email Architecture. Components: External MTAs, Internal MTAs, IMAP Mail Store, GU Clients. Clients reach the mail store over IMAP/SSL and HTTPS and submit outbound mail over SMTP AUTH/SSL.]
The Problems
- Same recommendations for each new virus:
  - Configure AV software to auto-update daily
  - Enable automatic file system protection
  - Don't click on suspicious attachments
- Huge productivity losses:
  - Desktop and ResNet spending more than 50% of their time on virus tickets
  - Users impacted by system disinfection and/or re-building
  - Users frustrated; IT staff frustrated
The Problems: Increased Risk
- Virus payloads becoming more malicious:
  - SPAM proxies
  - Network scanning
  - File modification
  - Keystroke monitoring
Solution Requirements
- Ideally fit well into the existing architecture, with limited re-engineering
- Deliver legitimate attachments
- Protection from 0-day attacks
  - What's the exposure? The window from "new virus" to "new virus definition released" to "definitions updated on server"
  - Others saw up to a few thousand infected messages sneak in during that window
- Paying >$50K for a partial solution wasn't an option
Then W32.SoBig.F Hit
- August 2003
- Already dealing with Blaster, Welchia, and Back-to-School
- Many large messages clogging user Inboxes and affecting system performance
- Had to do something NOW
- Implemented MIMEDefang in a 48-hour period
What is MIMEDefang?
From the FAQ: "MIMEDefang is a framework for filtering e-mail. It uses Sendmail's "Milter" API, some C glue code, and some Perl code to let you write high-performance mail filters in Perl."
People use MIMEDefang to:
- Block viruses
- Block or tag spam
- Remove HTML mail parts
- Add boilerplate disclaimers to outgoing mail
- Remove or alter attachments
- Replace attachments with URLs
Freeware; similar commercial products available from Roaring Penguin Software
http://www.mimedefang.org
MIMEDefang: Take 1
- SoBig messages silently dropped
- Other suspicious attachments logged
- Worked well, but was a very reactive solution
- No protection against the next email-borne virus
MIMEDefang: Take 2
- New filters added
- Additional match criteria:
  - File names
  - File sizes
  - Hash of contents
- Worked OK, but prone to false negatives
- Non-trivial toll on system resources
Making the Case
Ultimately left with a choice between non-perfect solutions:
- Status Quo: No filters
  - No messages or attachments dropped
  - Viruses continue to be a huge burden
  - Looming "big incident"
- Option #1: Attachment filtering
  - Low capital cost
  - Protection from 0-day threats
  - Potential impact on users and productivity, due to dropped legitimate attachments or inconvenience
Making the Case
- Option #2: Commercial solution
  - Significant capital expense
  - Limited protection against 0-day
  - May not fix the problem
Making the case
- Collected data over a 30-day period of "normal" usage
- ~350K executable attachments logged
- Metrics:
  - Number of blocked known viruses
  - Number of each executable attachment type
  - Top file names by attachment type
  - Frequency of a given file size and attachment type
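The last three metrics on that slide can be computed from nothing more than a log of (size, filename) pairs. The script below is an added illustration, not the Georgetown scripts; the tab-separated log format, the sample entries and the "worm-like" threshold are all assumptions made for the example. The sample log is constructed to mimic worm traffic (a handful of filenames, one fixed size) mixed with a little legitimate mail. The first metric, blocked known viruses, comes from the AV signature counter rather than from this log.

```python
"""Attachment-log metrics: the measures from the "Making the case" slide.

Added illustration, not the Georgetown scripts.  Assumed log format: one
line per logged executable attachment, "<size-in-bytes><TAB><filename>".
The sample log is constructed, not real data.
"""
import os
from collections import Counter, defaultdict

SAMPLE_LOG = """\
22528\tdocument.pif
22528\tdocument.pif
22528\tmessage.pif
22528\twww.paypal.com.pif
22640\tmessage.zip
22640\tmessage.zip
22640\tdocument.zip
22646\tbody.zip
40960\tQ3_budget.zip
1048576\tsetup.exe
22528\tdocument.scr
22528\tbody.scr
22528\tbody.scr
5120\tinvoice_2003.exe
"""


def ext_of(name):
    """Lower-cased final extension without the dot ('' if none)."""
    return os.path.splitext(name)[1].lower().lstrip(".")


def parse_log(text):
    """Return [(size, filename), ...], skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        size, name = line.split("\t", 1)
        rows.append((int(size), name))
    return rows


def count_by_ext(rows):
    """Number of attachments of each executable type."""
    return Counter(ext_of(name) for _, name in rows)


def names_by_ext(rows):
    """Per-extension Counter of filenames."""
    per_ext = defaultdict(Counter)
    for _, name in rows:
        per_ext[ext_of(name)][name] += 1
    return per_ext


def top_names_by_ext(rows, n=10):
    """Top-n filenames per extension, as (name, count) pairs."""
    return {e: c.most_common(n) for e, c in names_by_ext(rows).items()}


def size_ext_frequency(rows):
    """How often each (size, extension) pair appears."""
    return Counter((size, ext_of(name)) for size, name in rows)


def top_n_share(rows, n=10):
    """Percent of each extension's files whose name is in that extension's
    top-n list (the slides' '% of files in Top 10 filenames')."""
    out = {}
    for e, c in names_by_ext(rows).items():
        total = sum(c.values())
        top = sum(k for _, k in c.most_common(n))
        out[e] = round(100.0 * top / total, 2)
    return out


def worm_like_extensions(rows, n=10, min_share=75.0):
    """Extensions whose traffic is dominated by a handful of names, the
    pattern the slides used to argue that most .zip/.pif/.scr mail was
    worm-generated.  The threshold is an assumption for the illustration."""
    return sorted(e for e, s in top_n_share(rows, n).items() if s >= min_share)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(count_by_ext(rows))
    for e, names in top_names_by_ext(rows, 3).items():
        print(e, names)
    print(size_ext_frequency(rows).most_common(3))
    print(top_n_share(rows, 2))
    print(worm_like_extensions(rows, 2))
```

On a 30-day log the interesting output is the last two functions: a legitimate extension spreads across thousands of distinct names and sizes, while a worm family collapses to a few names at one size, which is exactly what the real tables later in the talk show.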
Some of the highlights
Top Filenames by Extension (count, filename)

.BAT     276  body.bat
         339  message.bat
         568  document.bat
.CMD     365  text.cmd
         378  Message.cmd
         741  document.cmd
.EXE    1177  body.exe
        1260  message.exe
        2270  document.exe
.PIF    4064  message.pif
        7889  document.pif
       14057  www.paypal.com.pif
.SCR    3612  body.scr
        3994  message.scr
        7460  document.scr
.ZIP   16792  body.zip
       33992  document.zip
       39190  message.zip
File Metrics Summary: most common (extension, file size) combinations

Total # of files   # of unique filenames   Extension   File size (bytes)
 9902                763                   .exe        22528
10484               1414                   .zip        22640
10834               1450                   .zip        22646
11806               1329                   .zip        22648
23811                975                   .zip        22790
32272               2491                   .scr        22528
34070               2624                   .pif        22528
34964               1405                   .zip        22642
File Metrics Summary: share of each type covered by its top 10 filenames

Extension   Total # of files logged   # of files in "Top 10 Filenames"   % of files in "Top 10 Filenames"
BAT           3264                      2467                               75.58%
CMD           3424                      3113                               90.92%
COM           4688                       511                               10.90%
EXE          24575                      9756                               39.70%
PIF          55280                     46852                               84.75%
SCR          39834                     31754                               79.72%
ZIP         198002                    164235                               82.95%
It’s worth re-stating…
A minimum of 82% of the messages with .ZIP attachments processed during the observation period were generated by viruses.
The Outcome
- We went with Option #1
- MIMEDefang processes all incoming messages
- Slight modifications made to enhance performance
Filtered Attachment Types
.ade  Microsoft Access project extension
.adp  Microsoft Access project
.bas  Microsoft Visual Basic class module
.bat  Batch file
.chm  Compiled HTML Help file
.cmd  Microsoft Windows NT Command script
.com  Microsoft MS-DOS program
.cpl  Control Panel extension
.crt  Security certificate
.exe  Program
.hlp  Help file
.hta  HTML program
.inf  Setup Information
.ins  Internet Naming Service
.isp  Internet Communication settings
.js   JScript file
.jse  JScript Encoded Script file
.lnk  Shortcut
.mdb  Microsoft Access program
.mde  Microsoft Access MDE database
.msc  Microsoft Common Console document
.msi  Microsoft Windows Installer package
Filtered Attachment Types (continued)
.msp  Microsoft Windows Installer patch
.mst  Microsoft Visual Test source files
.pcd  Photo CD image, Microsoft Visual compiled script
.pif  Shortcut to MS-DOS program
.reg  Registration entries
.scr  Screen saver
.sct  Windows Script Component
.shb  Shell Scrap object
.shs  Shell Scrap object
.url  Internet shortcut
.vb   VBScript file
.vbe  VBScript Encoded script file
.vbs  VBScript file
.wsc  Windows Script Component
.wsf  Windows Script file
.wsh  Windows Script Host Settings file
.zip  Compressed (ZIP) File Archive
Based on http://support.microsoft.com/support/kb/articles/Q262/6/31.asp
The Implementation
Microsoft "Type I" attachment types and .ZIPs are removed and replaced with a warning:

  WARNING: This e-mail contained one or more attachments that have been identified as possibly carrying a virus. For more information, contact [email protected] or visit the following Web site:
  http://uis.georgetown.edu/email/attachment.scanning.html

  An attachment named New_MP3_Player.cpl posed a security hazard and was removed from this document. If you require this attachment, please contact the sender and arrange an alternate means of receiving it.
The Implementation
Custom headers added:
  X-GU-FilterVersion: 1.25
  X-GU-Filter-Warning: This message contained a dangerous attachment type
  X-Scanned-By: MIMEDefang 2.39
Allows users to create filters to move/file messages with suspicious attachment types
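The two implementation slides describe one transformation: walk the MIME tree, replace every part whose filename carries a blocked extension with a plain-text stub, and mark the message with X-GU- headers so users can filter on them. The code below is an added stand-alone illustration of that transformation in Python on the standard library; it is not the Georgetown MIMEDefang (Perl) filter. The extension list, header names and warning wording are taken from the slides; the sample message, the generic contact text in the warning, and the extra rule that treats a trailing "{GUID}" (CLSID) suffix as dangerous are assumptions for the example.

```python
"""Attachment-type filtering with a warning stub, as an added illustration.

Stand-alone Python on the standard library, not the Georgetown MIMEDefang
filter.  Extension list, header names and warning text follow the slides;
the sample message is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

FILTER_VERSION = "1.25"   # value of X-GU-FilterVersion on the slides

# Microsoft "Type I" unsafe types plus .zip, as listed on the slides.
BLOCKED_EXTS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde",
    "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shb",
    "shs", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh", "zip",
}

# Assumption, not from the slides: a name ending in ".{GUID}" is also
# blocked, because Explorer hides the CLSID suffix when displaying it.
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

WARNING = (
    "WARNING: This e-mail contained one or more attachments that have been "
    "identified as possibly carrying a virus. For more information, contact "
    "the help desk or visit "
    "http://uis.georgetown.edu/email/attachment.scanning.html"
)


def is_dangerous(name: str) -> bool:
    """True if the attachment name has a blocked extension or a CLSID suffix."""
    name = name.strip().lower()
    if CLSID_RE.search(name):
        return True
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext in BLOCKED_EXTS


def attachment_name(part) -> str:
    # get_filename() tries Content-Disposition filename= first, then the
    # Content-Type name= parameter; both are places a client takes the name.
    return part.get_filename() or ""


def filter_message(raw: bytes):
    """Return (filtered EmailMessage, list of removed attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = attachment_name(part)
        if name and is_dangerous(name):
            removed.append(name)
            # set_content() clears the old Content-* headers and payload,
            # so the stub becomes an inline text part, not an attachment.
            part.set_content(
                f"{WARNING}\n\nAn attachment named {name} posed a security "
                "hazard and was removed from this document. If you require "
                "this attachment, please contact the sender and arrange an "
                "alternate means of receiving it."
            )
    if removed:
        msg["X-GU-FilterVersion"] = FILTER_VERSION
        msg["X-GU-Filter-Warning"] = "This message contained a dangerous attachment type"
    return msg, removed


def remaining_attachment_names(msg) -> list:
    """Filenames still attached after filtering (for checks and logging)."""
    return [attachment_name(p) for p in msg.walk()
            if not p.is_multipart() and attachment_name(p)]


def build_sample_message() -> bytes:
    """Constructed test message: one safe and two dangerous attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Your document"
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="New_MP3_Player.cpl")
    m.add_attachment("plain notes", filename="notes.txt")
    # Constructed CLSID, not a real handler id.
    m.add_attachment(b"<html>", maintype="application", subtype="octet-stream",
                     filename="readme.txt.{12345678-1234-1234-1234-123456789abc}")
    return m.as_bytes()


if __name__ == "__main__":
    out, dropped = filter_message(build_sample_message())
    print("removed:", dropped)
    print("kept:", remaining_attachment_names(out))
    print(out.as_string())
```

Two caveats the slides themselves raise: this is purely name-based, so a file that arrives as "urgent.foo" with instructions to rename it passes straight through, and any hostile URL in the body is untouched. Matching on the declared Content-Type instead of the name would be weaker, not stronger, since the sender controls both and the client decides what to run from the filename.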
Results
- Over 1 million suspicious attachments dropped to date
- Limited user complaints (but some did, vocally)
- Email-borne virus infections dropped almost to zero
- No more scrambling with each new virus
- I think we made the right choice, for now
What's to come?
The Bad
- More Windows CLSID viruses
- More social engineering, e.g. "Please re-name the file urgent.foo to urgent.exe, and open it for important information about Anna Kournikova."
- Other means of infection, e.g. hostile URLs
The Good
- More savvy, informed users
- More secure operating systems and email clients
????
Summary
- Sometimes you need that watershed event for things to change
- Do the analysis and look at the numbers; they may surprise you
- There is no perfect or one-size-fits-all solution
- For us, attachment filtering has been very successful
Any Questions?
Contact me: Brian Reilly <[email protected]>
More information:
  http://security.georgetown.edu
  http://uis.georgetown.edu/email/attachment.scanning.html