Date: Friday, October 10th, 2003 To: Members of the MIT Community From: Information Systems Subject: E-mail Attachments Change in practice for executable attachments sent via MIT's Mail System -------------------- Commencing Monday, October 27th, the MIT Mail System will no longer distribute *executable* e-mail attachments. Executable e-mail attachments are those e-mail attachments which self-execute upon receipt prior to the recipient launching the attachment. This change in policy is necessitated by the growing trend to exploit operating system and application security flaws through the active distribution of *executable* e-mail attachments. Executable e-mail attachments carrying worms and viruses tend to be destructive and fast moving with considerable impact on Institute resources and productivity. The distribution of non-executable e-mail attachments, such as, Word documents, spreadsheets, Power Point presentations, etc. will continue uninterrupted. Colleagues needing to exchange executable files should consider alternatives beyond e-mail, such as, file transfer protocol (FTP). Information Systems supports several secure FTP options and more complete information is available at: < http://mit.edu/is/topics/filetransfer > Continued exchanging executable files through the MIT Mail System will require packaging them in advance (by zip, tar, etc.). A website has been established highlighting helpful information, including, the list of executable extensions which will be filtered: Mail Hub Attachment Filtering, < http://mit.edu/services/mail/attachments.html > Our decision to reject e-mail with executable attachments has been made after careful consideration and is in alignment with industry practices (large mail system providers, other universities and Internet Service Providers (ISPs)). E-mail rejected because of an executable attachment will not be delivered and a corresponding note will be returned to the sender acknowledging their e-mail was not delivered per our e-mail operating policy. We hope that by placing this practice in place now, our Community can be given adequate time to adapt to this change and not be required to adopt such a transition amidst a virus or worm outbreak. Please help us share this information throughout the Community prior to Monday, October 27th. Should you have any questions or concerns, please let me know. ----------------------
Computer viruses are often spread by self-executing programs sent to users via e-mail. These self-executing programs are transferred as attachments to e-mail messages, which are opened automatically by e-mail clients such as Microsoft Outlook, and once infected a user's computer spreads the virus onward to other machines across the internet.
To help prevent the spread of viruses and protect Insitute productivity and resources, Information Systems has elected to prevent *executable* attachments from passing through the MIT Mail system beginning October 27th 2003. Executable programs are identified by their three letter filename extension. All attachment extensions will be assessed and an *executable* extensions will be rejected, regardless of the Operating System of the originating computer. Listed below are three letter extensions not currently being accepted by the MIT Mail Hubs.
Attachment blocking is not a 100 percent reliable method of protection against viruses and security vulnerabilities. There are ways of encoding attachments that will manage to evade these tests, such as encoding the filename with non-English characters. The list of "dangerous three letter extensions" will be updated as the need arises.
The file types which are no longer being accepted should not cause users problems. Should users need to have files of these types delivered by mail, they are encouraged to package the file using a compression tool such as tar or zip before sending, or they are encouraged to seek alternative file transfer methods such as FTP or the Web. Further information about secure file transfer solutions is made available via the Information Systems web site Secure File Transfer at MIT
Files generated by Microsoft Office products ie: Word, Power Point or Excel
documents are not affected by this change.