Email Attachment Filtering: Strategies and Lessons Learned - PowerPoint PPT Presentation

1
Email Attachment Filtering Strategies and
Lessons Learned
  • Brian Reilly
  • Georgetown University, UIS
  • reillyb@georgetown.edu
  • http://security.georgetown.edu

2
Overview
  • Introduction
  • What's the problem?
  • What did we do?
  • What did we learn?

3
A bit about me
  • 6 years at Georgetown
  • Security guy, not an email guy
  • Pine is my email client of choice (so what's all
    this fuss about clicking on attachments?)

4
Once Upon a Time
  • Historically, very little filtering done
  • Last resort, only in the event of negative impact
    on server or service
  • sendmail.cf modifications for Melissa (ca. 1999)
    and ILOVEYOU (ca. 2000)
  • Viruses typically addressed by desktop AV
    software.

5
Jump to the Present
  • Multiple years of many, many email viruses
  • Multiple years of users clicking on many, many
    infected attachments
  • Client-side AV software is good, but it's not
    solving the problem.

6
Current Email Architecture
  • Sun IMS IMAP Store access via IMAP/SSL
  • IMS Webmail via HTTPS
  • Multiple external MTAs running freeware Sendmail
  • Multiple internal MTAs running freeware Sendmail
    SMTP AUTH over SSL required
  • 300K-500K inbound messages delivered a day

7
Current Email Architecture
8
The Problems
  • Same recommendations for each new virus
  • Configure AV software to auto-update daily
  • Enable automatic file system protection
  • Don't click on suspicious attachments
  • Huge productivity losses
  • Desktop and ResNet spending more than 50% of their time
    on virus tickets
  • Users impacted by system disinfection and/or
    re-building
  • Users frustrated, IT staff frustrated

9
The Problems
  • Increased Risk
  • Virus payload becoming more malicious
  • SPAM proxies
  • Network scanning
  • File modification
  • Keystroke monitoring

10
Solution Requirements
  • Ideally fit well into existing architecture, with
    limited re-engineering
  • Deliver legitimate attachments
  • Protection from 0-day attacks
  • What's the exposure? New virus -> new virus
    definition released -> definitions updated on
    server
  • Others saw up to a few thousand infected messages
    sneak in
  • Paying 50K for a partial solution wasnt an
    option

11
Then W32.SoBig.F Hit
  • August 2003
  • Already dealing with Blaster, Welchia, and
    Back-to-School
  • Many large messages clogging user Inboxes and
    affecting system performance
  • Had to do something NOW
  • Implemented MIMEDefang in a 48-hour period

12
What is MIMEDefang?
  • From the FAQ
  • MIMEDefang is a framework for filtering e-mail.
    It uses Sendmail's "Milter" API, some C glue
    code, and some Perl code to let you write
    high-performance mail filters in Perl.
  • People use MIMEDefang to
  • Block viruses
  • Block or tag spam
  • Remove HTML mail parts
  • Add boilerplate disclaimers to outgoing mail
  • Remove or alter attachments
  • Replace attachments with URLs
  • Freeware; similar commercial products available
    from Roaring Penguin Software
  • http://www.mimedefang.org

13
MIMEDefang Take 1
  • SoBig messages silently dropped
  • Other suspicious attachments logged
  • Worked well, but was a very reactive solution
  • No protection against the next email-borne virus

14
MIMEDefang Take 2
  • New filters added
  • Additional requirements
  • File names
  • File sizes
  • Hash Contents
  • Worked OK, but prone to false negatives
  • Non-trivial toll on system resources

15
Making the Case
  • Ultimately left with a choice between non-perfect
    solutions
  • Status Quo: No filters
  • No Messages or attachments dropped
  • Viruses continue to be a huge burden
  • Looming big incident
  • Option 1: Attachment filtering
  • Low capital cost
  • Protection from 0-day threats
  • Potential impact on users and productivity, due
    to dropped legitimate attachments or inconvenience

16
Making the Case
  • Option 2: Commercial solution
  • Significant capital expense
  • Limited protection against 0-day
  • May not fix the problem

17
Making the case
  • Collected data over a 30-day period of normal
    usage
  • 350K executable attachments logged
  • Metrics
  • Number of blocked known viruses
  • Number of each executable attachment type
  • Top file names by attachment type
  • Frequency given a file size and attachment type

18
Some of the highlights
19
Top Filenames by Extension
.BAT
.PIF
.CMD
.SCR
.ZIP
.EXE
20
File Metrics Summary
21
File Metrics Summary
22
It's worth re-stating
  • A minimum of 82% of the messages with .ZIP
    attachments processed during the observation
    period were generated by viruses.

23
The Outcome
  • We went with Option 1
  • MIMEDefang processes all incoming messages
  • Slight modifications made to enhance performance

24
Filtered Attachment Types
25
Filtered Attachment Types
Based on http://support.microsoft.com/support/kb/articles/Q262/6/31.asp
26
The Implementation
  • Microsoft Type I attachment types and .ZIPs
    removed and replaced with a warning
  • WARNING: This e-mail contained one or more
    attachments that have been identified as possibly
    carrying a virus. For more information, contact
    help@georgetown.edu or visit the following Web
    site:
  • http://uis.georgetown.edu/email/attachment.scanning.html
  • An attachment named New_MP3_Player.cpl posed a
    security hazard and was removed from this
    document. If you require this attachment, please
    contact the sender and arrange an alternate means
    of receiving it.

27
The Implementation
  • Custom headers added
  • X-GU-FilterVersion: 1.25
  • X-GU-Filter-Warning: This message contained a
    dangerous attachment type
  • X-Scanned-By: MIMEDefang 2.39
  • Allows users to create filters to move/file
    messages with suspicious attachment types
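As an added example (not the presentation's own MIMEDefang filter, which was written in Perl), the stand-alone Python below models the policy on slides 26 and 27: each attachment whose extension is on the drop list is replaced in place with the warning text, and the custom headers are added so users can filter on them. BLOCKED_EXTS is a constructed subset of the Microsoft Type I list plus .zip, and sample_message() builds a constructed test input; the warning text and header values are taken from the slides.

```python
# Added example, not from the presentation or from MIMEDefang: a stand-alone
# model of the attachment policy above using Python's email library.
# BLOCKED_EXTS is a constructed subset of Microsoft's Type I list plus .zip.
from email import message_from_string, policy
from email.message import EmailMessage

BLOCKED_EXTS = {".bat", ".cmd", ".com", ".cpl", ".exe", ".pif", ".scr", ".vbs", ".zip"}
FILTER_VERSION = "1.25"  # value shown in the X-GU-FilterVersion header on the slide
WARNING = ("WARNING: This e-mail contained one or more attachments that have been\n"
           "identified as possibly carrying a virus. For more information, contact\n"
           "help@georgetown.edu or visit the following Web site:\n"
           "http://uis.georgetown.edu/email/attachment.scanning.html\n")

def is_blocked(filename):
    """True if the file name's extension is on the drop list (case-insensitive)."""
    if not filename or "." not in filename:
        return False
    return filename[filename.rfind("."):].lower() in BLOCKED_EXTS

def filter_message(raw):
    """Parse an RFC 822 message, replace each blocked attachment with a plain-text
    notice and add the custom headers. Returns (message, removed_filenames)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        fname = part.get_filename()
        if part.is_multipart() or not is_blocked(fname):
            continue
        removed.append(fname)
        part.clear_content()  # drops the payload and every Content-* header
        part.set_content(WARNING + f"\nAn attachment named {fname} posed a security hazard\n"
                         "and was removed from this document. If you require this attachment,\n"
                         "please contact the sender and arrange an alternate means of receiving it.\n")
    msg["X-GU-FilterVersion"] = FILTER_VERSION
    if removed:
        msg["X-GU-Filter-Warning"] = "This message contained a dangerous attachment type"
    return msg, removed

def sample_message():
    """Constructed test input: one benign .pdf and one .cpl attachment."""
    m = EmailMessage()
    m["Subject"] = "new mp3 player"
    m.set_content("check this out")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                     filename="manual.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="New_MP3_Player.cpl")
    return m.as_string()
```

Running filter_message(sample_message()) leaves manual.pdf intact, replaces the .cpl part with the notice, and returns the removed file name; a message with no attachments gets only the version header.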

28
Results
  • Over 1 Million suspicious attachment types
    dropped to date
  • Limited user complaints (but some did, vocally)
  • Email-borne virus infections dropped almost to
    zero
  • No more scrambling with each new virus
  • I think we made the right choice, for now

29
What's to come?
  • The Bad
  • More Windows CLSID viruses
  • More social engineering, e.g. "Please re-name the
    file urgent.foo to urgent.exe, and open it for
    important information about Anna Kournikova."
  • Other means of infection, e.g. hostile URLs
  • The Good
  • More savvy, informed users
  • More secure Operating Systems and email clients
  • ????

30
Summary
  • Sometimes you need that watershed event for
    things to change
  • Do the analysis and look at the numbers; they
    may surprise you
  • There's no perfect or one-size-fits-all solution
  • For us, attachment filtering has been very
    successful

31
Any Questions?
  • Contact me
  • Brian Reilly
  • More information
  • http://security.georgetown.edu
  • http://uis.georgetown.edu/email/attachment.scanning.html