Comment On Please Bypass Security

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

This is only slightly idiotic. I'm willing to bet that the volume of viruses that's sent by automated mailers is very close to 100%. They wouldn't be able to read this message and act accordingly, thus the message wouldn't make it through. I suppose that the mail spammers could mangle the file extensions ahead of time to get them through, but that would then require the user going to great effort to save the file, rename it and run it.

Gmail works the same way with .exe files. It's just a simple protection against accidental execution.

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Someone needs to come up with another way to compress files, maybe those GNU guys could figure something out.

Spam-based viruses have been getting around virus checking by sticking themselves in zip files, password protecting them, and including the password in the zip file. It's like a double reverse captcha.

Sadly, since the vast majority of people will still doubleclick "COOL_SCREENSAVER.JPG.EXE", it really does make sense to do asinine blocking.

I agree with db2. Changing the extension of a file would require the user to change it back and I doubt most of the people who open their "macro-laden Excel spreadsheet from their long-lost hig schol freind" know how to do that. But who knows ? Maybe soon enough, our "neighbour gal" will send us a "sexy.abc" file esking us to rename it to "sexy.exe" and run it to see her on her brand new webcam !

Plus, the advice to compress the file first is that often, new (and not so new) mail servers/proxy filter the attachments by looking what's in them (how often I have seen reg, exe and zip files rejected even after changing the extension...). There are even some servers/proxy that decompress archives, but that's less frequent.

"advise" -> "advice"

Why must I "Sign On"? Most every other site uses phrasal verb "Sign In".

Kokuma:

I agree with db2. Changing the extension of a file would require the user to change it back and I doubt most of the people who open their "macro-laden Excel spreadsheet from their long-lost hig schol freind" know how to do that. But who knows ? Maybe soon enough, our "neighbour gal" will send us a "sexy.abc" file esking us to rename it to "sexy.exe" and run it to see her on her brand new webcam !

Plus, the advice to compress the file first is that often, new (and not so new) mail servers/proxy filter the attachments by looking what's in them (how often I have seen reg, exe and zip files rejected even after changing the extension...). There are even some servers/proxy that decompress archives, but that's less frequent.

If you give them step by step instructions, about 75% will still try it. Of course 90% of them are so incompetent that they can't even follow the directions. They won't become the newest addition to your botnet, but they will fark themselves royally, then call up their good friend vt_mruhlin and ask him why their computer "suddenly" stopped working.
Those nefarious h4x0rz will take whatever wins they can get.

Kokuma:

Maybe soon enough, our "neighbour gal" will send us a "sexy.abc" file esking us to rename it to "sexy.exe" and run it to see her on her brand new webcam !

And some users would still do that, given the instructions.

Create an idiot-proof system and nature will create a better idiot. -- Murphy.

it's smart enough to recognize that the file isn't a compressed zip file by examining the file itself. It may be an executable guised as a zip....

naaaaaaaaaaahhh........

it just hates winzip, use winrar!

except that most people who would do this have file extensions hidden and so renaming it doesn't actually change the extension.... (well assuming the use xp onwards)

This isn't wtf-ish at all, actually, at least for my taste. Generally, you can be sure that worm- or virus-technology isn't as advanced yet to be able to understand an SMTP error reply (like this verbose one), but rather that the people being able to read (and understand!) this message will be users who have tried to send a file with the respective extension, and can try again in a different fashion.

So, basically, it's similar in style to greylisting: tell a person who tries to send you a mail that he should try again later, and those that understand what to do will do the right thing. Those that simply are too dumb (bots, virii, worms, spamware) to understand what they have to do to be let in: keep them out, because they're no MTA or human being.

The problem this is trying to work around are mail readers which automatically unzip .zip files when you receive them, without telling you what they're doing. Most e-mail programs don't do that anymore--but a few years ago there were a few which would automatically (and helpfully) execute code e-mailed to you without your manual intervention. (A few clients would go so far as to unzip the file by simply passing it to a call in Windows which would read the first few bytes and automatically "do the right thing." So if you have, say, "eviltrojan.exe", you'd just rename it "vacationpixs.zip", then the mail program would go "oh, I should unzip this for you"--pass it to Windows which would go "oh, wait--this really is an .exe; I'll run it rather than pass it to WinZip"--then without user intervention the program eviltrojan.exe would run.

By renaming the file extension, it bypasses the client mail servers from automatically executing received code without manual intervention--in this case, the intervention of having to rename the file back and executing the file automatically.

steve:

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Someone needs to come up with another way to compress files, maybe those GNU guys could figure something out.

Erm... .tar.gz?

benk:

Gmail works the same way with .exe files. It's just a simple protection against accidental execution.

Yeah, a lot of email services work this way. Lame article.

Erm... *whoosh*?

Critter:

steve:

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Someone needs to come up with another way to compress files, maybe those GNU guys could figure something out.

Erm... .tar.gz?

All the way over.
I did not think tar was GNU, sure a GNU client exists, but I think the the format existed before GNU.

Kokuma:

Maybe soon enough, our "neighbour gal" will send us a "sexy.abc" file esking us to rename it to "sexy.exe" and run it to see her on her brand new webcam !

Combining filter-avoidance techniques with social engineering like this is a well-known attack. They were being discussed at some length on the SecurityFocus VULN-DEV mailing list at least as far back as 2000 (the earliest I seem to have archives for).

Plus, the advice to compress the file first is that often, new (and not so new) mail servers/proxy filter the attachments by looking what's in them (how often I have seen reg, exe and zip files rejected even after changing the extension...). There are even some servers/proxy that decompress archives, but that's less frequent.

Most of the email virus scanners I'm familiar with decompress archives. There are attacks specifically against decompressing scanners (eg artificially-constructed nested archives, to overflow recursive decompressors, and archives that expand by many orders of magnitude to overflow temporary storage), because they're a prominent target.

What scanners generally cannot do is decompress encrypted archives, such as password-protected Zip files. (The Zip encryption scheme is relatively easy to break under the right conditions, but it's hard to automate that for the general case.)

In a 22 May 2000 post to VULN-DEV I suggested distributing malware as password-protected Zip attachments, with the password in the body of the message, and suitable text like:

S. Kiddy:

Here's the document I mentioned in my other note. Our email system won't let me send Word files out as attachments, even in a regular zip, so I had to put a password on this. It's just "password".

Even better is to generate a random-but-plausible password (selected from a dictionary, say) for each outgoing message, or batch of messages, to prevent email scanners from recognizing the same attachment in multiple emails.

I think I first saw this approach used in the wild about five years later; the script kiddies take a while to adopt new techniques.

Anybody tried bitflipping an attachment to beat filters that trap encrypted rar files with concealed names inside?

MichaelWojcik:

Even better is to generate a random-but-plausible password (selected from a dictionary, say) for each outgoing message, or batch of messages, to prevent email scanners from recognizing the same attachment in multiple emails.

Wouldn't a real random password be more plausible than one chosen from a dictionary?

vt_mruhlin:

Kokuma:

I agree with db2. Changing the extension of a file would require the user to change it back and I doubt most of the people who open their "macro-laden Excel spreadsheet from their long-lost hig schol freind" know how to do that. But who knows ? Maybe soon enough, our "neighbour gal" will send us a "sexy.abc" file esking us to rename it to "sexy.exe" and run it to see her on her brand new webcam !

Plus, the advice to compress the file first is that often, new (and not so new) mail servers/proxy filter the attachments by looking what's in them (how often I have seen reg, exe and zip files rejected even after changing the extension...). There are even some servers/proxy that decompress archives, but that's less frequent.

If you give them step by step instructions, about 75% will still try it. Of course 90% of them are so incompetent that they can't even follow the directions. They won't become the newest addition to your botnet, but they will fark themselves royally, then call up their good friend vt_mruhlin and ask him why their computer "suddenly" stopped working.
Those nefarious h4x0rz will take whatever wins they can get.

Dear HelpDesk,

I received the attached e-mail promising a good time, and I followed the instructions to rename and execute the file precisely. Unfortunately, it's now the only thing that works on my computer. Since I can't see the good pictures on my machine, I sent it to everyone else in the department to see if it would work on their computers. Sadly, the computer problem seems to be pervasive in our department, so I'm sending it on to everyone in the firm to see if any of THEM can get this thing to run.

Thanks,

Stu Piduser.

Yeah, the point of requiring the file to be renamed is that OS will execute the file based on how it's named. Renaming uglyassvirus.zip to uglyassvirus.txt will render that ugly ass virus useless to most people who would be stupid enough to click on it.

That said, it would render legitimate files useless, too, until the recipient renames it and then we're back to square one...

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Umm... I'm pretty sure that was the WTF.

My university blocks most common file types by extension. Zip is blocked. Doc, Xls, Exe. Yeah. Great security.

.rar, .tar.gz and things that matter, they get through.

Here is the sad part though: I am in the compsci department. Although we run our own email servers(for now) the email still goes through the university level filters. Ok, no big deal. Except, 2nd and 3rd, even 4th year students can't seem to grasp the idea that their email will be filtered and that they should change the extension. Instead, every project due is met with a half dozen or so "Oh, I emailed it. You didn't get it"

Some profs have gone back to only accepting things on a floppy or cd.

So, in response, I wrote up a php page for submissions that versions all submitted files(SVN). Because the future programmers of the world can't rename zip files.

Yay.

Captcha: vern

A few clients would go so far as to unzip the file by simply passing it to a call in Windows which would read the first few bytes and automatically "do the right thing." --- Windows which would go "oh, wait--this really is an .exe; I'll run it rather than pass it to WinZip"

There is no such call in windows. Windows does the "right thing" based on the file extension, not the contents.

muhahaha:

Critter:

Erm... .tar.gz?

All the way over.
I did not think tar was GNU, sure a GNU client exists, but I think the the format existed before GNU.

tar existed before GNU. GNU-Zip did not.

Anonymous Legion:

except that most people who would do this have file extensions hidden and so renaming it doesn't actually change the extension.... (well assuming the use xp onwards)

XP hides known extensions only (by default?). RunMe.qlmf is still going to show up that way whether you have hiding on or off.

I've noticed that some of the most recent crop of email virus scanners are starting to pick up passwords by trying words in the vicinity of the word "password". I wonder if this is going to turn into a captcha game, where hackers get poetic: "The password is the color of a grassy field in springtime."

This is no WTF. Given that almost any malware is sent automatically a malware sender will not read the response from the mailer, but a human sender will. The human sender can react to the problem and resend the message.

Basically our Exchange-based company mail system works the same way. If you try to send a mail with a zipped attachment to a company account the mail will bounce, and a mail code is returned in the error message. When the sender resends the message and appends the mail code to the mail it message will be delivered.

db2:

This is only slightly idiotic. I'm willing to bet that the volume of viruses that's sent by automated mailers is very close to 100%. They wouldn't be able to read this message and act accordingly, thus the message wouldn't make it through. I suppose that the mail spammers could mangle the file extensions ahead of time to get them through, but that would then require the user going to great effort to save the file, rename it and run it.

+1 - this filters robot/auto and makes it a bgi PITA for legit stuff to get through.

Our system at my last job did something like this. It still delivers the email, but strips it of attachments with certain extensions. I remember getting a support request from somebody who desperately needed us to recover the stripped attachment. We told him there was no way to, because the stripped files are dropped on the floor, and not saved anywhere. We recommended that he ask the sender to re-send the file. His reply was something to the effect of:

"I am the sender, and no I cannot resend it because it has been erased. I sent it to my own email address to get it off of my old computer before I formatted the hard disk."

Ouch.

Tim Reynolds:

My university blocks most common file types by extension. Zip is blocked. Doc, Xls, Exe. Yeah. Great security.

.rar, .tar.gz and things that matter, they get through.

Most security is to protect stupid users. Doc, xls, and exe will block plenty of viruses and macros. How many users are smart enough to decompress a tar.gz file yet still dumb enough to run it?

akatherder:

Most security is to protect stupid users. Doc, xls, and exe will block plenty of viruses and macros. How many users are smart enough to decompress a tar.gz file yet still dumb enough to run it?

If you have WinZip installed, a tar.gz will have a WinZip icon, and you just double-click it. No neurons required at all. If you're hiding extensions, it does only hide the ".gz" part, though, so the file will appear as a ".tar" file.

When I started at my last job, they blocked everything with a .zip extension, since they hadn't bought the antivirus component for brightmail. I installed a proper antivirus checker on the mail server, and removed that restriction. These were researchers exchanging big chunks of data; they were being forced to tell their colleagues elsewhere to use .zap (or something similar).

Of course, old habits die hard, and even though the restriction is gone, they still do it.

The Real WTF is that no one seems to have noticed that Excite.com got blamed for this when it's really Yahoo!

From the Header:
From: MAILER-DAEMON@yahoo.com

And from the Body:
Hi. This is the qmail-send program at yahoo.com.


Just like my goddamned customers...no one reads the error message. They just call and have me tell them to read it.

:^)

Rick:

The Real WTF is that no one seems to have noticed that Excite.com got blamed for this when it's really Yahoo!

From the Header:
From: MAILER-DAEMON@yahoo.com

...

Just like my goddamned customers...no one reads the error message. They just call and have me tell them to read it.

:^)

Indeed, no one reads the message:
"Remote host said..."

No, yahoo is complaining that excite rejected it for those reasons.

pinkduck:

Why must I "Sign On"?

Because you're about to be fired for wasting all your time at work reading TDWTF!

<brrr-dumf-TISSSH!>

Tim Reynolds:

Here is the sad part though: I am in the compsci department. Although we run our own email servers(for now) the email still goes through the university level filters. Ok, no big deal. Except, 2nd and 3rd, even 4th year students can't seem to grasp the idea that their email will be filtered and that they should change the extension. Instead, every project due is met with a half dozen or so "Oh, I emailed it. You didn't get it"

Some profs have gone back to only accepting things on a floppy or cd.

So, in response, I wrote up a php page for submissions that versions all submitted files(SVN). Because the future programmers of the world can't rename zip files.

They're perfectly able to rename zip files - don't you recognize a "the dog ate my homework" or "the cheque's in the post" excuse when you hear it?

Get some help from your friendly neighbourhood admin to access the server logs, then next time one of them says "Oh, I emailed it. You didn't get it", you can say either "No, you didn't, you're just plain flat-out lying", or "Yes, and you got a bounce message telling you it hadn't gone through, which you either ignored or were unable to read". Either way, whether for dishonesty, laziness, stupidity or illiteracy, they get a fail.

Pretty soon after that, you'll find their classmates will suddenly have miraculously worked out how to rename a file after all...

Tim Reynolds:

Here is the sad part though: I am in the compsci department. Although we run our own email servers(for now) the email still goes through the university level filters. Ok, no big deal. Except, 2nd and 3rd, even 4th year students can't seem to grasp the idea that their email will be filtered and that they should change the extension. Instead, every project due is met with a half dozen or so "Oh, I emailed it. You didn't get it"

Did you ever stop to think that maybe, just maybe, the students were using this as an excuse to get an unofficial extension?

Another method I heard of (I was never clever enough to use this one myself) was to send a deliberately sabotaged Word doc just before the deadline... "Oh, something must have gone wrong in the transmission... I'll send it again..."

benk:

Gmail works the same way with .exe files. It's just a simple protection against accidental execution.

It won't let you send/receive .zips that contain .exe either... Really annoying

Random832:

A few clients would go so far as to unzip the file by simply passing it to a call in Windows which would read the first few bytes and automatically "do the right thing." --- Windows which would go "oh, wait--this really is an .exe; I'll run it rather than pass it to WinZip"

There is no such call in windows. Windows does the "right thing" based on the file extension, not the contents.

Unfortunately, you're both wrong. The actual truth is that sometimes windows goes by the file extension, and sometimes it sniffs the start of the file to try and deduce the type, and sometimes it goes by the extension of the file but then the viewer it launches sniffs the start of the file, and it varies depending whether you launch something in explorer, or from internet explorer, and what internet explorer does varies according to the mime information and http headers, and .....

.. in other words, it's an inconsistent and unpredictable mess. And that's dangerous.

See http://seclists.org/bugtraq/2002/Feb/0327.html for an example. (There are more, but I happen to recall that one off the top of my head!)

I send ".renametozip" and ".renametoexe" files all the time.

java.lang.NullReferenceException:

Tim Reynolds:

Here is the sad part though: I am in the compsci department. Although we run our own email servers(for now) the email still goes through the university level filters. Ok, no big deal. Except, 2nd and 3rd, even 4th year students can't seem to grasp the idea that their email will be filtered and that they should change the extension. Instead, every project due is met with a half dozen or so "Oh, I emailed it. You didn't get it"

Did you ever stop to think that maybe, just maybe, the students were using this as an excuse to get an unofficial extension?

Another method I heard of (I was never clever enough to use this one myself) was to send a deliberately sabotaged Word doc just before the deadline... "Oh, something must have gone wrong in the transmission... I'll send it again..."

That's possible but knowing the caliber of CS students that I went to school with, I tend to believe that the students are too stupid to rename files.

Most of the students I know still use the "hide known file extensions" in Windows. So they are completely oblivious to any file extensions or how they work, what they mean, etc.

This is sad, but true.

I used to do so, but now my clients have so many different security configs and stuffs, that i just save the file on my web server and send them a link so they can download it the fucking way they want.

then a cron moves things into backup after a while or a few downloads.

Insane.

The real WTF here is that the mail server accepted the incoming email, and only THEN did it say "omigosh, there's a non-allowed extension on the attachment!" and then it had to send mail BACK to the original sender to let him know. You'd think that something like this would be fairly easy to spot while the delivery connection is still open, before a status message is sent back - why did the mail server respond to the client with an SMTP OK before bothering to check whether the message was really OK?

Accept-then-bounce is the scourge of the Internet. Its only useful purpose is to help spammers reach twice as many targets with no additional effort.

pinkduck:

Why must I "Sign On"? Most every other site uses phrasal verb "Sign In".

Also, I wish more sites realised that you "log in" to a site and have a "login" to do so.

Oh, and don't get me started on "click here"! I'm thinking of writing a book which has "Read Here" on the cover.

steve:

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Someone needs to come up with another way to compress files, maybe those GNU guys could figure something out.

Those GNU guys have, see the "file" command. It doesn't matter what your file extension is. Programs detect the binary data inside.

So, use the "file" command on Linux/Unix to find out what content-type is in an attachment.

$ file ~/junk.dat
/home/user/junk.dat: POSIX tar archive

Windows users can tell each other in the e-mail message what the content-type is. Change the file extension, or use the "Open With..." menu item to unzip it.

The goal is to stop stupid browsers from auto-executing files based on extensions!

Actually yes. :)
Works like a charm. What also works usually is to break a file in two-three-four pieces, so they can be merged with the standard cmd piping/copy functionality.'

edit:
ok, this was in reply to the "anyone tried bitflipping" bit.

Of course, the *real* WTF is the fact that they're running qmail, rather than a modern MTA like Exim or Postfix. qmail is kinda dead at the moment, and is no longer updated (its last official release was in 1998, and its latest unofficial release [netqmail] was in 2004...)

Critter:

steve:

webrunner:

As another layer of insanity: it suggests that you compress your file, but doesn't let through .zip files.

Someone needs to come up with another way to compress files, maybe those GNU guys could figure something out.

Erm... .tar.gz?

Whoosh!