1 / 31

Email Attachment Filtering: Strategies and Lessons Learned

Email Attachment Filtering: Strategies and Lessons Learned. Brian Reilly Georgetown University, UIS reillyb@georgetown.edu http://security.georgetown.edu. Overview. Introduction What’s the problem? What did we do? What did we learn?. A bit about me…. 6 years at Georgetown

solada
Download Presentation

Email Attachment Filtering: Strategies and Lessons Learned

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Email Attachment Filtering: Strategies and Lessons Learned Brian Reilly Georgetown University, UIS reillyb@georgetown.edu http://security.georgetown.edu

  2. Overview • Introduction • What’s the problem? • What did we do? • What did we learn?

  3. A bit about me… • 6 years at Georgetown • Security guy, not an email guy • Pine is my email client of choice (so what’s all this fuss about clicking on attachments?)

  4. Once Upon a Time… • Historically, very little filtering done • Last resort, only in the event of negative impact on server or service • sendmail.cf modifications for Melissa (ca. 1999) and ILOVEYOU (ca. 2000) • Viruses typically addressed by desktop AV software.

  5. Jump to the Present • Multiple years of many, many email viruses • Multiple years of users clicking on many, many infected attachments • Client-side AV software is good, but it’s not solving the problem.

  6. Current Email Architecture • Sun IMS IMAP Store; access via IMAP/SSL • IMS Webmail via HTTPS • Multiple external MTAs running freeware Sendmail • Multiple internal MTAs running freeware Sendmail; STMP AUTH over SSL required • 300K-500K inbound messages delivered a day

  7. Current Email Architecture

  8. The Problems • Same recommendations for each new virus • Configure AV software to auto-update daily • Enable automatic file system protection • Don’t click on suspicious attachments • Huge productivity losses • Desktop and ResNet spending more than 50% of time on virus tickets • Users impacted by system disinfection and/or re-building • Users frustrated; IT staff frustrated

  9. The Problems • Increased Risk • Virus payload becoming more malicious • SPAM proxies • Network scanning • File modification • Keystroke monitoring

  10. Solution Requirements • Ideally fit well into existing architecture, with limited re-engineering • Deliver legitimate attachments • Protection from 0-day attacks • What’s the exposure: New virus -> New Virus Definition released -> Definitions Updated on Server • Others saw up to a few thousand infected messages sneak in • Paying >$50K for a partial solution wasn’t an option

  11. Then W32.SoBig.F Hit • August 2003 • Already dealing with Blaster, Welchia, and Back-to-School • Many large messages clogging user Inboxes and affecting system performance • Had to do something NOW • Implemented MIMEDefang in a 48-hour period

  12. What is MIMEDefang? • From the FAQ: • MIMEDefang is a framework for filtering e-mail. It uses Sendmail's "Milter" API, some C glue code, and some Perl code to let you write high-performance mail filters in Perl. • People use MIMEDefang to: • Block viruses • Block or tag spam • Remove HTML mail parts • Add boilerplate disclaimers to outgoing mail • Remove or alter attachments • Replace attachments with URL's • Freeware; Similar commercial products available from Roaring Penguin Software • http://www.mimedefang.org

  13. MIMEDefang: Take 1 • SoBig messages silently dropped • Other suspicious attachments logged • Worked well, but was a very reactive solution • No protection against the next email-borne virus

  14. MIMEDefang: Take 2 • New filters added • Additional requirements • File names • File sizes • Hash Contents • Worked OK, but prone to false negatives • Non-trivial toll on system resources

  15. Making the Case • Ultimately left with a choice between non-perfect solutions: • Status Quo: No filters • No Messages or attachments dropped • Viruses continue to be a huge burden • Looming “big incident” • Option #1: Attachment filtering • Low Capital cost • Protection from 0-day threats • Potential impact on users and productivity, due to dropped legitimate attachments or inconvenience

  16. Making the Case • Option #2: Commercial Solution • Significant capital expense • Limited protection against 0-day • May not fix the problem

  17. Making the case • Collected data over a 30-day period of “normal” usage • ~350K executable attachments logged • Metrics • Number of blocked known viruses • Number of each executable attachment type • Top file names by attachment type • Frequency given a file size and attachment type

  18. Some of the highlights

  19. 3612 276 4064 365 16792 1177 body.bat body.scr text.cmd body.exe message.pif body.zip 3994 1260 7889 378 33992 339 message.bat Message.cmd document.pif message.scr document.zip message.exe 7460 2270 14057 741 568 39190 document.bat www.paypal.com.pif document.scr document.exe message.zip document.cmd Top Filenames by Extension .BAT .PIF .CMD .SCR .EXE .ZIP

  20. Total Number of Files Number of Unique Filenames Extension File Size 9902 763 .exe 22528 10484 1414 .zip 22640 10834 1450 .zip 22646 11806 1329 .zip 22648 23811 975 .zip 22790 32272 2491 .scr 22528 34070 2624 .pif 22528 34964 1405 .zip 22642 File Metrics Summary

  21. Extension Total # of Files Logged # of Files in “Top 10 Filenames” % of Files in “Top 10 Filenames” BAT 3264 2467 75.58% CMD 3424 3113 90.92% COM 4688 511 10.90% EXE 24575 9756 39.70% PIF 55280 46852 84.75% SCR 39834 31754 79.72% ZIP 198002 164235 82.95% File Metrics Summary

  22. It’s worth re-stating… • A minimum of 82% of the messages with .ZIP attachments processed during the observation period were generated by viruses.

  23. The Outcome • We went with Option #1 • MIMEDefang processes all incoming messages • Slight modifications made to enhance performance

  24. .ade Microsoft Access project extension .adp Microsoft Access project .bas Microsoft Visual Basic class module .bat Batch file .chm Compiled HTML Help file .cmd Microsoft Windows NT Command script .com Microsoft MS-DOS program .cpl Control Panel extension .crt Security certificate .exe Program .hlp Help file .hta HTML program .inf Setup Information .ins Internet Naming Service .isp Internet Communication settings .js JScript file .jse Jscript Encoded Script file .lnk Shortcut .mdb Microsoft Access program .mde Microsoft Access MDE database .msc Microsoft Common Console document .msi Microsoft Windows Installer package Filtered Attachment Types

  25. .msp Microsoft Windows Installer patch .mst Microsoft Visual Test source files .pcd Photo CD image, Microsoft Visual compiled script .pif Shortcut to MS-DOS program .reg Registration entries .scr Screen saver .sct Windows Script Component .shb Shell Scrap object .shs Shell Scrap object .url Internet shortcut .vb VBScript file .vbe VBScript Encoded script file .vbs VBScript file .wsc Windows Script Component .wsf Windows Script file .wsh Windows Script Host Settings file .zip Compressed (ZIP) File Archive Filtered Attachment Types Based on http://support.microsoft.com/support/kb/articles/Q262/6/31.asp

  26. The Implementation • Microsoft “Type I” attachment types and .ZIPs removed and replaced with a warning: WARNING: This e-mail contained one or more attachments that have been identified as possibly carrying a virus. For more information, contact help@georgetown.edu or visit the following Web site: http://uis.georgetown.edu/email/attachment.scanning.html An attachment named New_MP3_Player.cpl posed a security hazard and was removed from this document. If you require this attachment, please contact the sender and arrange an alternate means of receiving it.

  27. The Implementation Custom headers added: X-GU-FilterVersion: 1.25 X-GU-Filter-Warning: This message contained a dangerous attachment type X-Scanned-By: MIMEDefang 2.39 • Allows users to create filters to move/file messages with suspicious attachment types

  28. Results • Over 1 Million suspicious attachment types dropped to date • Limited user complaints (but some did, vocally) • Email-borne virus infections dropped almost to zero • No more scrambling with each new virus • I think we made the right choice, for now

  29. What’s to come? • The Bad • More Windows CLSID viruses • More social engineering, e.g. “Please re-name the file urgent.foo to urgent.exe, and open it for important information about Anna Kournikova.” • Other means of infection, e.g. hostile URLs • The Good • More savvy, informed users • More secure Operating Systems and email clients • ????

  30. Summary • Sometimes you need that watershed event for things to change • Do the analysis and look at the numbers – they may surprise you • There no perfect or one-size-fits-all solution • For us, attachment filtering has been very successful

  31. Any Questions? Contact me: Brian Reilly <reillyb@georgetown.edu> More information: http://security.georgetown.edu http://uis.georgetown.edu/email/attachment.scanning.html

More Related