Email Attachment Filtering: Strategies and Lessons Learned
Slide 1: Email Attachment Filtering: Strategies and Lessons Learned
Brian Reilly, Georgetown University, [email protected]
http://security.georgetown.edu
Slide 2: Overview
• Introduction
• What's the problem?
• What did we do?
• What did we learn?
Slide 3: A bit about me…
• 6 years at Georgetown
• Security guy, not an email guy
• Pine is my email client of choice (so what's all this fuss about clicking on attachments?)
Slide 4: Once Upon a Time…
• Historically, very little filtering done
• Last resort, only in the event of negative impact on server or service
• sendmail.cf modifications for Melissa (ca. 1999) and ILOVEYOU (ca. 2000)
• Viruses typically addressed by desktop AV software
Slide 5: Jump to the Present
• Multiple years of many, many email viruses
• Multiple years of users clicking on many, many infected attachments
• Client-side AV software is good, but it's not solving the problem
Slide 6: Current Email Architecture
• Sun IMS IMAP Store; access via IMAP/SSL
• IMS Webmail via HTTPS
• Multiple external MTAs running freeware Sendmail
• Multiple internal MTAs running freeware Sendmail; SMTP AUTH over SSL required
• 300K-500K inbound messages delivered a day
Slide 7: Current Email Architecture (diagram)
[Diagram: External MTAs, Internal MTAs, the IMAP Mail Store and GU Clients; clients reach the mail store over IMAP/SSL and HTTPS and submit mail to the internal MTAs over SMTP AUTH/SSL.]
Slide 8: The Problems
• Same recommendations for each new virus
  • Configure AV software to auto-update daily
  • Enable automatic file system protection
  • Don't click on suspicious attachments
• Huge productivity losses
  • Desktop and ResNet spending more than 50% of time on virus tickets
  • Users impacted by system disinfection and/or re-building
  • Users frustrated; IT staff frustrated
Slide 9: The Problems
• Increased risk: virus payload becoming more malicious
  • SPAM proxies
  • Network scanning
  • File modification
  • Keystroke monitoring
Slide 10: Solution Requirements
• Ideally fit well into existing architecture, with limited re-engineering
• Deliver legitimate attachments
• Protection from 0-day attacks
  • What's the exposure: New virus -> New virus definition released -> Definitions updated on server
  • Others saw up to a few thousand infected messages sneak in
• Paying >$50K for a partial solution wasn't an option
Slide 11: Then W32.SoBig.F Hit
• August 2003
• Already dealing with Blaster, Welchia, and Back-to-School
• Many large messages clogging user Inboxes and affecting system performance
• Had to do something NOW
• Implemented MIMEDefang in a 48-hour period
Slide 12: What is MIMEDefang?
From the FAQ:
MIMEDefang is a framework for filtering e-mail. It uses Sendmail's "Milter" API, some C glue code, and some Perl code to let you write high-performance mail filters in Perl.
People use MIMEDefang to:
• Block viruses
• Block or tag spam
• Remove HTML mail parts
• Add boilerplate disclaimers to outgoing mail
• Remove or alter attachments
• Replace attachments with URL's
Freeware; similar commercial products available from Roaring Penguin Software
http://www.mimedefang.org
Slide 13: MIMEDefang: Take 1
• SoBig messages silently dropped
• Other suspicious attachments logged
• Worked well, but was a very reactive solution
• No protection against the next email-borne virus
Slide 14: MIMEDefang: Take 2
• New filters added
• Additional requirements
  • File names
  • File sizes
  • Hash contents
• Worked OK, but prone to false negatives
• Non-trivial toll on system resources
Slide 15: Making the Case
• Ultimately left with a choice between non-perfect solutions
• Status Quo: No filters
  • No messages or attachments dropped
  • Viruses continue to be a huge burden
  • Looming "big incident"
• Option #1: Attachment filtering
  • Low capital cost
  • Protection from 0-day threats
  • Potential impact on users and productivity, due to dropped legitimate attachments or inconvenience
Slide 16: Making the Case
• Option #2: Commercial solution
  • Significant capital expense
  • Limited protection against 0-day
  • May not fix the problem
Slide 17: Making the Case
• Collected data over a 30-day period of "normal" usage
• ~350K executable attachments logged
• Metrics
  • Number of blocked known viruses
  • Number of each executable attachment type
  • Top file names by attachment type
  • Frequency given a file size and attachment type
Slide 18: Some of the highlights
Slide 19: Top Filenames by Extension (chart data: count, filename)
.BAT: 276 body.bat; 339 message.bat; 568 document.bat
.CMD: 365 text.cmd; 378 Message.cmd; 741 document.cmd
.EXE: 1177 body.exe; 1260 message.exe; 2270 document.exe
.PIF: 4064 message.pif; 7889 document.pif; 14057 www.paypal.com.pif
.SCR: 3612 body.scr; 3994 message.scr; 7460 document.scr
.ZIP: 16792 body.zip; 33992 document.zip; 39190 message.zip
Slide 20: File Metrics Summary (per extension and file size)
Total Number of Files | Number of Unique Filenames | Extension | File Size
 9902 |  763 | .exe | 22528
10484 | 1414 | .zip | 22640
10834 | 1450 | .zip | 22646
11806 | 1329 | .zip | 22648
23811 |  975 | .zip | 22790
32272 | 2491 | .scr | 22528
34070 | 2624 | .pif | 22528
34964 | 1405 | .zip | 22642
Slide 21: File Metrics Summary (share of files carrying one of the "Top 10 Filenames")
Extension | Total # of Files Logged | # of Files in "Top 10 Filenames" | % of Files in "Top 10 Filenames"
BAT |   3264 |   2467 | 75.58%
CMD |   3424 |   3113 | 90.92%
COM |   4688 |    511 | 10.90%
EXE |  24575 |   9756 | 39.70%
PIF |  55280 |  46852 | 84.75%
SCR |  39834 |  31754 | 79.72%
ZIP | 198002 | 164235 | 82.95%
Slide 22: It's worth re-stating…
A minimum of 82% of the messages with .ZIP attachments processed during the observation period were generated by viruses.
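The "Top 10 Filenames" metric behind slides 19-22 is easy to reproduce from an attachment log. The following is an added example, not code from the talk: it assumes a hypothetical log format of one line per attachment ("<date> <message-id> <filename>") and uses a constructed sample in which a few worm-style names repeat many times alongside one-off legitimate names.

```python
from collections import Counter, defaultdict
import os

# Constructed sample data (not the talk's real log): worm-style names repeated
# many times plus a handful of one-off legitimate names, as on slides 19-21.
WORM_NAMES = {"document.zip": 40, "message.zip": 35, "body.zip": 20,
              "document.exe": 9, "body.exe": 5,
              "www.paypal.com.pif": 50, "document.pif": 30}
LEGIT_NAMES = ["q3_budget.zip", "photos.zip", "thesis_draft.zip", "minutes.zip",
               "code.zip", "slides.zip", "backup.zip", "logs.zip", "draft2.zip",
               "invoice.zip", "report.zip", "archive.zip",
               "setup.exe", "tool.exe", "putty.exe", "installer.exe", "patch.exe",
               "update.exe", "game.exe", "demo.exe", "viewer.exe", "player.exe",
               "client.exe"]

def build_sample_log():
    """One hypothetical log line per attachment: '<date> <msg-id> <filename>'."""
    names = [n for n, c in WORM_NAMES.items() for _ in range(c)] + LEGIT_NAMES
    return "\n".join("2003-09-%02d msg%04d %s" % (1 + i % 30, i, n)
                     for i, n in enumerate(names))

def parse_log(text):
    """Yield (extension, filename) per log line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name = parts[2]
        yield os.path.splitext(name)[1].lstrip(".").lower(), name

def top_n_metrics(text, n=10):
    """Per extension: total files logged, files whose name is among the n most
    common names, that share in percent, and the top-n (name, count) pairs."""
    per_ext = defaultdict(Counter)
    for ext, name in parse_log(text):
        per_ext[ext][name] += 1
    result = {}
    for ext, names in per_ext.items():
        total = sum(names.values())
        top = names.most_common(n)
        in_top = sum(c for _, c in top)
        result[ext] = {"total": total, "in_top": in_top,
                       "pct": round(100.0 * in_top / total, 2), "top": top}
    return result

if __name__ == "__main__":
    for ext, m in sorted(top_n_metrics(build_sample_log()).items()):
        print("%-4s %6d logged, %6d in top-10 names (%6.2f%%), top: %s"
              % (ext.upper(), m["total"], m["in_top"], m["pct"], m["top"][:3]))
```

A high share in the top-10 names with few unique names (as .ZIP and .PIF show on slide 21) is the signature of worm traffic; human-sent attachments spread across many distinct names.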
Slide 23: The Outcome
• We went with Option #1
• MIMEDefang processes all incoming messages
• Slight modifications made to enhance performance
Slide 24: Filtered Attachment Types
.ade Microsoft Access project extension
.adp Microsoft Access project
.bas Microsoft Visual Basic class module
.bat Batch file
.chm Compiled HTML Help file
.cmd Microsoft Windows NT Command script
.com Microsoft MS-DOS program
.cpl Control Panel extension
.crt Security certificate
.exe Program
.hlp Help file
.hta HTML program
.inf Setup Information
.ins Internet Naming Service
.isp Internet Communication settings
.js JScript file
.jse JScript Encoded Script file
.lnk Shortcut
.mdb Microsoft Access program
.mde Microsoft Access MDE database
.msc Microsoft Common Console document
.msi Microsoft Windows Installer package
Slide 25: Filtered Attachment Types (continued)
.msp Microsoft Windows Installer patch
.mst Microsoft Visual Test source files
.pcd Photo CD image, Microsoft Visual compiled script
.pif Shortcut to MS-DOS program
.reg Registration entries
.scr Screen saver
.sct Windows Script Component
.shb Shell Scrap object
.shs Shell Scrap object
.url Internet shortcut
.vb VBScript file
.vbe VBScript Encoded script file
.vbs VBScript file
.wsc Windows Script Component
.wsf Windows Script file
.wsh Windows Script Host Settings file
.zip Compressed (ZIP) File Archive
Based on http://support.microsoft.com/support/kb/articles/Q262/6/31.asp
Slide 26: The Implementation
• Microsoft "Type I" attachment types and .ZIPs removed and replaced with a warning:
WARNING: This e-mail contained one or more attachments that have been identified as possibly carrying a virus. For more information, contact [email protected] or visit the following Web site:
http://uis.georgetown.edu/email/attachment.scanning.html
An attachment named New_MP3_Player.cpl posed a security hazard and was removed from this document. If you require this attachment, please contact the sender and arrange an alternate means of receiving it.
Slide 27: The Implementation
• Custom headers added:
  X-GU-FilterVersion: 1.25
  X-GU-Filter-Warning: This message contained a dangerous attachment type
  X-Scanned-By: MIMEDefang 2.39
• Allows users to create filters to move/file messages with suspicious attachment types
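The replace-and-tag behaviour of slides 24-27, as an added example that is not the talk's MIMEDefang/Perl filter: it uses Python's standard email library to apply the slide 24-25 extension list, swap each matching part for the slide 26 notice, and add the X-GU-* headers from slide 27. The header values and the sample message are constructed here; the X-Scanned-By header is left to the scanner itself.

```python
import email
from email import policy

# Blocked extensions from slides 24-25 (Microsoft "Type I" types plus .zip).
BLOCKED_EXTENSIONS = set(
    "ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk mdb "
    "mde msc msi msp mst pcd pif reg scr sct shb shs url vb vbe vbs wsc wsf wsh "
    "zip".split())
NOTICE = ("WARNING: This e-mail contained one or more attachments that have been\n"
          "identified as possibly carrying a virus.\nAn attachment named %s posed "
          "a security hazard and was removed from\nthis document.")

def is_blocked(filename):
    """Judge by the last extension, case-insensitively: www.paypal.com.PIF -> pif."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def filter_message(raw):
    """Replace blocked attachments with the notice, add the X-GU-* headers and
    return (parsed EmailMessage, names of the attachments removed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):  # snapshot: parts are rewritten in place
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if part.is_multipart() or not is_blocked(name):
            continue
        removed.append(name)
        # set_content() discards the old payload and all Content-* headers, so
        # the attachment part becomes an inline text/plain notice.
        part.set_content(NOTICE % name)
    msg["X-GU-FilterVersion"] = "1.25"
    if removed:
        msg["X-GU-Filter-Warning"] = "This message contained a dangerous attachment type"
    return msg, removed

# Constructed sample (not real traffic): a benign .txt attachment that must be
# delivered untouched and a .PIF attachment that must be replaced.
SAMPLE = """Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless
--XX
Content-Type: application/octet-stream; name="document.PIF"
Content-Disposition: attachment; filename="document.PIF"
Content-Transfer-Encoding: base64

QUJD
--XX--
"""
```

Calling filter_message(SAMPLE) leaves notes.txt in place, turns the .PIF part into the notice text, and adds both X-GU headers; a message with nothing blocked gets only X-GU-FilterVersion.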
Slide 28: Results
• Over 1 million suspicious attachment types dropped to date
• Limited user complaints (but some did, vocally)
• Email-borne virus infections dropped almost to zero
• No more scrambling with each new virus
• I think we made the right choice, for now
Slide 29: What's to come?
The Bad
• More Windows CLSID viruses
• More social engineering, e.g. "Please re-name the file urgent.foo to urgent.exe, and open it for important information about Anna Kournikova."
• Other means of infection, e.g. hostile URLs
The Good
• More savvy, informed users
• More secure operating systems and email clients
• ????
Slide 30: Summary
• Sometimes you need that watershed event for things to change
• Do the analysis and look at the numbers – they may surprise you
• There's no perfect or one-size-fits-all solution
• For us, attachment filtering has been very successful
Slide 31: Any Questions?
Contact me: Brian Reilly <[email protected]>
More information:
http://security.georgetown.edu
http://uis.georgetown.edu/email/attachment.scanning.html