| Filename Policy
|
| Action
|
Rule
|
Report
|
Reason
|
| # Due to a bug in Outlook Express, you can make the 2nd from last extension be what is used to run the file. So very long filenames must be denied, regardless of the final extension. |
| deny |
.{150,} |
Very long filename, possible OE attack |
Very long filenames are good signs of attacks against Microsoft email packages |
| # These 3 are well known viruses. |
| deny |
pretty\s+park\.exe$ |
"Pretty Park" virus |
Pretty Park virus send a file with this name. |
| deny |
happy99.exe$ |
"Happy" virus |
Happy virus sends a file with this name |
| deny |
\.ceo$ |
WinEvar virus attachment |
Often used by the WinEvar virus |
| # These are known to be dangerous in almost all cases. |
| deny |
\.reg$ |
Possible Windows registry attack |
Windows registry entries are very dangerous in email |
| deny |
\.chm$ |
Possible compiled Help file-based virus |
Compiled help files are very dangerous in email.td> |
| deny |
\.cnf$ |
Possible SpeedDial attack |
SpeedDials are very dangerous in email |
| deny |
\.hta$ |
Possible Microsoft HTML archive attack |
HTML archives are very dangerous in email |
| deny |
\.ins$ |
Possible Microsoft Internet Comm. Settings attack |
Windows Internet Settings are dangerous in email |
| deny |
\.jse?$ |
Possible Microsoft JScript attack |
JScript Scripts are dangerous in email |
| deny |
\.lnk$ |
Possible Eudora *.lnk security hole attack |
Eudora *.lnk security hole attack |
| deny |
\.ma[dfgmqrstvw]$ |
Possible Microsoft Access Shortcut attack |
Microsoft Access Shortcuts are dangerous in email |
| deny |
\.pif$ |
Possible MS-Dos program shortcut attack |
Shortcuts to MS-Dos programs are very dangerous in email |
| deny |
\.scf$ |
Possible Windows Explorer Command attack |
Windows Explorer Commands are dangerous in email |
| deny |
\.sct$ |
Possible Microsoft Windows Script Component attack |
Windows Script Components are dangerous in email |
| deny |
\.shb$ |
Possible document shortcut attack |
Shortcuts Into Documents are very dangerous in email |
| deny |
\.shs$ |
Possible Shell Scrap Object attack |
Shell Scrap Objects are very dangerous in email |
| deny |
\.vb[es]$ |
Possible Microsoft Visual Basic script attack |
Visual Basic Scripts are dangerous in email |
| deny |
\.ws[cfh]$ |
Possible Microsoft Windows Script Host attack |
Windows Script Host files are dangerous in email |
| deny |
\.xnk$ |
Possible Microsoft Exchange Shortcut attack |
Microsoft Exchange Shortcuts are dangerous in email |
| # These 2 added by popular demand - Very often used by viruses |
| deny |
\.com$ |
Windows/DOS Executable |
Executable DOS/Windows programs are dangerous in email |
| deny |
\.exe$ |
Windows/DOS Executable |
Executable DOS/Windows programs are dangerous in email |
| # These are very dangerous and have been used to hide viruses |
| deny |
\.scr$ |
Possible virus hidden in a screensaver |
Windows Screensavers are often used to hide viruses |
| deny |
\.bat$ |
Possible malicious batch file script |
Batch files are often malicious |
| deny |
\.cmd$ |
Possible malicious batch file script |
Batch files are often malicious |
| deny |
\.cpl$ |
Possible malicious control panel item |
Control panel items are often used to hide viruses |
| deny |
\.mhtml$ |
Possible Eudora meta-refresh attack |
MHTML files can be used in an attack against Eudora |
| # Deny filenames ending with CLSID's |
| deny |
\{[a-hA-H0-9-]{25,}\}$ |
Filename trying to hide its real extension |
Files ending in CLSID's are trying to hide their real extension |
| # Deny filenames with lots of contiguous white space in them. |
| deny |
\s{10,} |
Filename contains lots of white space |
A long gap in a name is often used to hide part of it |
| # Deny all double file extensions. This catches any hidden filenames. |
| deny |
\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ |
Found possible filename hiding |
Attempt to hide real filename extension |
| Filetype Policy
|
| Action
|
Rule
|
Report
|
Reason
|
| deny |
ELF |
No executables |
No programs allowed |
| deny |
executable |
No executables |
No programs allowed |
| deny |
MNG |
No MNG/PNG movies |
No MNG movies allowed |
| deny |
QuickTime |
No QuickTime movies |
No QuickTime movies allowed |
| deny |
Registry |
No Windows Registry entries |
No Windows Registry files allowed |
| SPAM Detection Lists
|
| Name
|
URL
|
| sbl-xbl.spamhaus.org |
http://www.spamhaus.org
|
| bl.spamcop.net |
http://www.spamcop.net/bl.shtml
|
| NJABL |
http://www.njabl.org/
|
| ORDB-RBL |
http://www.ordb.org/
|
| Other Policies
|
| Action
|
Name
|
Report
|
Reason
|
| deny |
Object Codebase |
Found dangerous Object Codebase tag in HTML message |
This open you to a number of Microsoft-specific security vulnerabilities |
| deny |
External Message |
Found dangerous External Message body in HTML message |
Only supported by Netscape 6. This is blocked because there is no way for us to protect you. |
