Best Practices for E-Mail Attachments

 

ABOUT E-MAIL ATTACHMENTS

A popular use of e-mail is to distribute computer files (i.e., text files, documents, spreadsheets, PDF's).  This is accomplished by "attaching" a file to an e-mail message and then sending the file with the message, to a recipient.  Virtually any kind of computer file can be attached to an e-mail message for transport.

Unfortunately, this functionality creates an opportunity for distribution of malicious files (viruses, worms, and trojans). Older e-mail programs often opened files attached to messages automatically, as a convenience to the user. This caused infections without any user intervention.  Newer e-mail programs don't normally open attachments automatically, so other methods have been employed to entice (convince) the recipient to open attachments manually.  This is called "social engineering", an attack designed to make you take an action (in this case, to click on the attachment).  Attackers are constantly coming up with new social engineering tactics to trick users into starting (opening) malicious programs!!!

Some recent social engineering tactics using e-mail are:

A recommended best practice is to NEVER distribute an executable program as an e-mail attachment.  An attachment that is executable is a program, rather than a text file or a document.  It is something that "runs" when you click on it (start it).  Methods other than e-mail are available to safely share programs with others (see "Options for Sharing Executable Programs", below).

How do we know if an attachment is "executable"?

File names are very important because that is how the computer knows what to do with the file.  For example, documents are named with a three-letter extension of ".doc", which the computer knows to open using Microsoft Word.  Other extensions, such as ".exe" tell the computer the file is a program that will run by itself when its clicked.  There are many file types and program associations on every computer.  If your computer doesn't know what to do with a file (it has no association), the computer will prompt you to select the correct program to open it.

COMPUTER PROTECTION FROM MALICIOUS E-MAIL

To help secure the University's computers, the following protections are being implemented:

  1. All in-coming messages are scanned for known viruses, worms, trojans, etc.  If malicious code is detected the entire message is discarded at the campus e-mail gateway.  In addition, if a file attachment is encrypted, or if it is password protected, and therefore cannot be examined for malicious code, it will be discarded. (Examples are encrypted .zip files, and password protected office productivity files.)
  2. Any message that is not a known problem, but has a "dangerous" (executable) attachment,  will have the attachment deleted before the message is delivered.  Text will be inserted into the message stating the attachment has been removed.

 File names (with these three-letter extensions) will NOT be delivered with e-mail:  .ade, .adp, .ani, .app, .bas, .bat, .chm, .cla, .class, .cmd, .com, .cpl, .crt, .csh, .eml, .email, .exe, .fxp, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .ksh, .lnk, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msi, .msp, .mst, .ocx, .ops, .pcd, .pif, .prf, .prg, .reg, .scf, .scr, .sct, .shb, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .xsl  

  1. Any message that is not a known problem, which has an attachment that is not considered "dangerous" will be delivered intact. This includes messages with office productivity files (documents, spreadsheets, etc), text files, and other files attached that are not executable. 

Options for Sharing Executable Programs: 

Copyright © 2005 The University of Iowa. All rights reserved.