Announcements

Date: Friday, October 10th, 2003

To: Members of the MIT Community

From: Information Systems

Subject: E-mail Attachments
         Change in practice for executable attachments sent via
         MIT's Mail System


--------------------

Commencing Monday, October 27th, the MIT Mail System will no longer
distribute *executable* e-mail attachments.  Executable e-mail
attachments are those e-mail attachments which self-execute upon
receipt prior to the recipient launching the attachment.  This change
in policy is necessitated by the growing trend to exploit operating
system and application security flaws through the active distribution
of *executable* e-mail attachments. Executable e-mail attachments
carrying worms and viruses tend to be destructive and fast moving with
considerable impact on Institute resources and productivity. The
distribution of non-executable e-mail attachments, such as, Word
documents, spreadsheets, Power Point presentations, etc. will continue
uninterrupted.

Colleagues needing to exchange executable files should consider
alternatives beyond e-mail, such as, file transfer protocol (FTP).
Information Systems supports several secure FTP options and more
complete information is available at:
<  http://mit.edu/is/topics/filetransfer  >
Continued exchanging
executable files through the MIT Mail System will require packaging
them in advance (by zip, tar, etc.).

A website has been established highlighting helpful information,
including, the list of executable extensions which will be filtered:

Mail Hub Attachment Filtering,
<  http://mit.edu/services/mail/attachments.html  >

Our decision to reject e-mail with executable attachments has been
made after careful consideration and is in alignment with industry
practices (large mail system providers, other universities and
Internet Service Providers (ISPs)). E-mail rejected because of an
executable attachment will not be delivered and a corresponding note
will be returned to the sender acknowledging their e-mail was not
delivered per our e-mail operating policy. We hope that by placing
this practice in place now, our Community can be given adequate time
to adapt to this change and not be required to adopt such a transition
amidst a virus or worm outbreak.

Please help us share this information throughout the Community prior
to Monday, October 27th. Should you have any questions or concerns,
please let me know.

----------------------

Mail Hub Attachment Filtering

Computer viruses are often spread by self-executing programs sent to users via e-mail. These self-executing programs are transferred as attachments to e-mail messages, which are opened automatically by e-mail clients such as Microsoft Outlook, and once infected a user's computer spreads the virus onward to other machines across the internet.

To help prevent the spread of viruses and protect Insitute productivity and resources, Information Systems has elected to prevent *executable* attachments from passing through the MIT Mail system beginning October 27th 2003. Executable programs are identified by their three letter filename extension. All attachment extensions will be assessed and an *executable* extensions will be rejected, regardless of the Operating System of the originating computer. Listed below are three letter extensions not currently being accepted by the MIT Mail Hubs.

Mail Hub Attachment Filtering Process

• The Mail Hub examines the incoming and outgoing mail messages to see if they contain attachments
• Should an attachment be found in a message, the Mail Hub wil check whether the attachment's filename extension is in the list of "dangerous types"
• Should any such attachment be found the e-mail message is rejected and returned to sender
• The sender will receive an error message along with the original message indicating why it was rejected
• At no time is any attachment content scanned or attachments kept after being identified as possibly dangerous

List of Dangerous Three Letter Extensions

• ade
• adp
• bas
• bat
• chm
• cmd
• com
• cpl
• crt
• eml
• exe
• hlp
• hta
• inf
• ins
• isp
• jse
• lnk
• mdb
• mde
• msc
• msi
• msp
• mst
• pcd
• pif
• reg
• scr
• sct
• shs
• url
• vbs
• vbe
• wsf
• wsh
• wsc

Notes

Attachment blocking is not a 100 percent reliable method of protection against viruses and security vulnerabilities. There are ways of encoding attachments that will manage to evade these tests, such as encoding the filename with non-English characters. The list of "dangerous three letter extensions" will be updated as the need arises.

The file types which are no longer being accepted should not cause users problems. Should users need to have files of these types delivered by mail, they are encouraged to package the file using a compression tool such as tar or zip before sending, or they are encouraged to seek alternative file transfer methods such as FTP or the Web. Further information about secure file transfer solutions is made available via the Information Systems web site Secure File Transfer at MIT

Files generated by Microsoft Office products ie: Word, Power Point or Excel documents are not affected by this change.