Skip Ribbon Commands
Skip to main content
Navigate Up
Sign In

​Attachment Removal ​


Why does SLAC Remove Attachments from E-mail? SLAC's gateways scan e-mails for files which are executable or contain viruses, and when found, those files are stripped to protect SLAC's internal systems and users from malicious content. We had to start doing this because the virus/worm creators got clever enough to trick people into opening the attachments without really thinking about it. Also, sometimes we start getting infected attachments before the virus signature files have been updated. This file stripping has saved SLAC from infections on multiple occasions.  
 

For SLAC users who need to share executable files please use the file systems (Windows or Unix) instead of e-mail.  

In addition to the security reasons above, we need to restrict the unnecessary growth of your mailboxes due to attachments. 

How is it done?

After stripping the original attachment SLAC's e-mail system will then forward the original e-mail (with the content replaced with a text file) to the intended recipient so that they can evaluate whether they have a need to request the original content either from Mail-Admin, or from the original sender.  We have found that only the intended recipient can determine whether the e-mail was legitimate, or was instead intended to be malicious.
 
If you request an attachment from Mail-Admin it will be scanned and if no infection is found or suspected it will then be placed in either the Unix or Windows file system, and you will be notified as to where to pick it up from.
 
What is stripped?

You'll find several tables below with the various types of files we strip: file type; filename; subject. These lists could be somewhat out of date as we don't always remember to update this web page when updating the e-mail gateway rules.

File type Reason Date Added
*.???.exe The *.???.* style entries match against the "double extension" that some viruses use to trick users. Before 2007
*.???.lnk The *.???.* style entries match against the "double extension" that some viruses use to trick users. Before 2007
*.???.pif The *.???.* style entries match against the "double extension" that some viruses use to trick users. Before 2007
{* ntsecurity.net warning 05/02/02
ade Microsoft Level 1 "unsafe" 08/06/01
adp Microsoft Level 1 "unsafe" 08/06/01
app Microsoft Level 1 "unsafe" 07/28/03
bas Microsoft Level 1 "unsafe" 08/06/01
bat Microsoft Level 1 "unsafe" 08/06/01
chm Microsoft Level 1 "unsafe" 08/06/01
cla
Before 2007
class
Before 2007
cmd Microsoft Level 1 "unsafe" 08/06/01
com Microsoft Level 1 "unsafe" 08/06/01
cpl Microsoft Level 1 "unsafe" 08/06/01
crt Microsoft Level 1 "unsafe" 08/06/01
csh Microsoft Level 1 "unsafe" 07/28/03
dbp Visual Studio exploit - no patch available 03/06/06
​email ​Microsoft Outlook Express
exe Microsoft Level 1 "unsafe" 08/06/01
fxp Microsoft Level 1 "unsafe" 07/28/03
hlp Microsoft Level 1 "unsafe" 08/06/01
hta Microsoft Level 1 "unsafe" 08/06/01
inf Microsoft Level 1 "unsafe" 08/06/01
ins Microsoft Level 1 "unsafe" 08/06/01
isp Microsoft Level 1 "unsafe" 08/06/01
js Microsoft Level 1 "unsafe" 08/06/01
jse Microsoft Level 1 "unsafe" 08/06/01
ksh Microsoft Level 1 "unsafe" 07/28/03
lnk Microsoft Level 1 "unsafe" 08/06/01
mdb Microsoft Level 1 "unsafe" 08/06/01
mde Microsoft Level 1 "unsafe" 08/06/01
mdt Microsoft Level 1 "unsafe" 07/28/03
mdw Microsoft Level 1 "unsafe" 07/28/03
mid SANS.org warning 07/28/03
msc Microsoft Level 1 "unsafe" 08/06/01
msi Microsoft Level 1 "unsafe" 08/06/01
msp Microsoft Level 1 "unsafe" 08/06/01
mst Microsoft Level 1 "unsafe" 08/06/01
nws Badtrans worm 11/25/01
ocx
Before 2007
ops Microsoft Level 1 "unsafe" 07/28/03
pcd Microsoft Level 1 "unsafe" 08/06/01
pi W32/Palyh virus 05/21/03
pif Microsoft Level 1 "unsafe" 08/06/01
prg Microsoft Level 1 "unsafe" 07/28/03
rar Symantec AV buffer overflow 12/21/05
reg Microsoft Level 1 "unsafe" 08/06/01
scr Microsoft Level 1 "unsafe" 08/06/01
sct Microsoft Level 1 "unsafe" 08/06/01
shb Microsoft Level 1 "unsafe" 08/06/01
shs Microsoft Level 1 "unsafe" 08/06/01
sln Visual Studio exploit - no patch available 03/06/06
url Microsoft Level 1 "unsafe" 08/06/01
vb Microsoft Level 1 "unsafe" 08/06/01
vbe Microsoft Level 1 "unsafe" 08/06/01
vbs Microsoft Level 1 "unsafe" 08/06/01
wri DOE CIRC Warning (RT #162237) 02/27/09
wsc Microsoft Level 1 "unsafe" 08/06/01
wsf Microsoft Level 1 "unsafe" 08/06/01
wsh Microsoft Level 1 "unsafe" 08/06/01
​zip ​Password protected zip only. Round of malware via zip to SLAC week of 12/5/12​ ​12/13/12
​docm ​Microsoft Word Documents macro-enabled.  Per SN CHG0031694. ​08/12/16
​pptm ​Microsoft PowerPoint Documents macro-enabled. Per SN CHG0031694. ​08/12/16
  
Filename Reason Date Added
badass* Badass worm early 2001
cokegift* Joke.geschenk early 2001
garry.zip Bagle worm 7/21/04
happynewyear.jpg WMF vulnerability 12/28/05
message.zip worm 08/01/03
monopoly* Monopoly virus early 2001
photos.zip Mimail worm 11/03/03
prettypark* PrettyPark worm early 2001
readnow.zip Mimail worm 11/03/03
ska.* Happy99 worm early 2001
zipped_files* ExporeZip worm early 2001
  
Subject Reason Date Added
BubbleBoy is back! Bubbleboy virus early 2001
Choose Your Poison Sonic worm early 2001
new photos from my party! Myparty virus 01/28/02
Paid Survey Offer CIAC warning 03/15/01
*you have an E-Card from* Friendgreet worm 10/28/02