web mail attachment filtering
Results 1 to 10 of 10

Thread: web mail attachment filtering

  1. #1
    Junior Member
    Join Date
    Jul 2003
    Posts
    4

    Lightbulb web mail attachment filtering

    Greetings

    Please let me know how I can prevent users in my LAN from sending attachments with web emails like yahoo, hotmail,....

    i want to let them to read, get attachment and send emails but sending attachment is forbiden.

    Thanks
    Ali

  2. #2
    Senior Member VicE$DoS$'s Avatar
    Join Date
    Nov 2002
    Posts
    209
    Hi Sadjadieh,

    OK I'll start this off, Im sure one of the more experienced members of the community will give you some more precise advice but here goes:

    Because Yahoo and Hotmail are web (HTTP) based email programs you need to block files going out via http. (I think attached files are uploaded using HTTP and or FTP)

    Im not aware of any way this can be done with standard Micro$oft kit (assuming you are running MSProxy or similar)

    However I know that the following programs can definately block and control files outgoing ..

    Trend Micro.
    Interscan eManager (FTP, HTTP)
    ScanMail eManager (SMTP)

    Clearswift (Used to be Content)
    MailSweeper - (SMTP)
    Web Sweeper - (FTP, HTTP)

    Websense.
    Websense V5
    Client Application Manager (CAM)

    Alternatively a very easy way would be to block the users from yahoo.com, hotmail.com, freewebmail.com etc..... Heck you could be a complete Nazi and block them from the Web all together & disable HTML in emails and block out all natural day light!!

    Good luck on your quest.

    Cheers
    V$D$
    I remember when Nihil was ickle. Does that mean I'm old?

  3. #3
    Member
    Join Date
    Nov 2001
    Posts
    58
    sadjadieh, I use ISA Server on my company, if you're using it too, let us know, if I can't help, I'm sure someone here will be able to, or you can also check http://www.isaserver.org.

    But let us know what u use, to be able to help more...

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Hardware

    I block all outgoing FTP and TFTP at the firewall. Most people overlook TFTP because you need to manage switches and routers etc. But, some hackers are using it to pull their warez of the internet after they get access to something inside. Really though, if HTTP files transfers are important that means you have information that you don't want leaked out so why risk it?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Dear SecurityRangers,

    Thanks a lot. I use ISAserver. Also, i tested NetKeys from softappco.com that was great but slow the net. If I was sure that ftp port is used for sending attach, i would block it. Please let me know your comment.

    Thanks all
    Ali

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    sadjadieh.....
    email attachments still use port 25 (smtp send) or port 110 (pop receive)
    FTP (port 21) is not involved with email. FTP/TFTP are for transferring files directly between
    hosts/clients.

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    dcongram

    Thanks. The users in my LAN only want surfing internet and reading web-emails. Can I block all ports except HTTP(80) to be sure that no body send attachment?

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Well, this is far from a perfect solution but, I suppose you could let in only specific webmail providers and block the url of the "attach" cgi/script function they use...

    For example, if you check the html source in the attachment page for hotmail you'll find:
    Code:
    <form name="attach" method="POST" action="http://lw15fd.law15.hotmail.msn.com/cgi-bin/attach">
    and
    Code:
    <form name="doneattach" ENCTYPE="multipart/form-data" method="POST" action="http://lw15fd.law15.hotmail.msn.com/cgi-bin/doattach">
    So if you were to specifically block http://lw15fd.law15.hotmail.msn.com/cgi-bin/attach and http://lw15fd.law15.hotmail.msn.com/cgi-bin/doattach, it should prevent* users from uploading attachments.
    (* I don't know if hotmail's first part of the url (lw15fd.law15) changes with their load balancing or not... this might pose a problem if it does)

    Of course, using this technique, you would have to specifically inspect the html sources of all webmail sites you allow...(which implies you also have to blacklist all "non-approved" webmails, which quite a task in itself...).


    Like I said, not a perfect solution, but it's a start...


    Ammo

    Originally posted here by dcongram
    sadjadieh.....
    email attachments still use port 25 (smtp send) or port 110 (pop receive)
    FTP (port 21) is not involved with email. FTP/TFTP are for transferring files directly between
    hosts/clients.
    This is not relevent as the OP is refering only to webmail (implying everything over http)...

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Please let me know how NetKeys.exe from softappco.com works? that is great but only slows the line.

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Ummm... guys... as Ammo pointed out, "webmail attachments" are posted via a POST method in a form, often with ENCTYPE="multipart/form-data" and INPUT TYPE="file." About the easiest way to kill those is to setup a proxy and filter it (preferably a transparent proxy with something like squid (free) or Gauntlet or the like where all your web clients are forced through before they route to the Internet).

    You might also be able to use something such as an "ad filter" (something like "AdSubtract" for example) and convince it that these tags are an "advertisement" that it needs to kill... problem there being that clients local to the end-luser's box can often be disabled or otherwise circumvented (hence the proxy idea).

    ...but, if someone really wants to get out of your network, there's not really sh*t you can do about it, save setting about user authentication for every outgoing connection... even with only web access or SSL (or SMTP or ident or... blah blah blah), there's basically nothing stopping me from setting up an encrypted TCP tunnel out of your network to another host where I can route or proxy requests out as I see fit... typically the way many of us get around HTTP filters or similar, anyway.

    Hope this somehow helps...
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides