Mailtraq's Executable Attachment Policy
The policy (found under Options | Incoming Mail | Options tab) lets the administrator control precisely how Mailtraq treats executable attachments in e-mail.
Mailtraq can put a warning in the subject line and/or message header to indicate that the attachment is executable.
Mailtraq can rename the attachment to a non-executable name to prevent a user from accidentally running it. Users can manually rename the attachment after they are confident that it is safe.
Messages with executable attachments can be redirected to a specific mailbox for administrator inspection.
These features provide a simple but effective layer of anti-virus protection. The mechanism also traps executable attachments that are not viruses, but it fails safe: a real virus arriving as an executable attachment is stopped regardless of whether any signature for it has yet been written. Its coverage is only as good as the Executable File Types list (see below), so that list must be kept current.
Research into Internet malware shows that infection can spread across the Internet very rapidly, so an anti-virus vendor is unlikely to be able to ship a suitable update in time to prevent your systems being infected.
The research paper "How to Own the Internet in Your Spare Time" (Staniford, Paxson and Weaver, USENIX Security 2002) describes a worm "strategy that could plausibly result in most of the vulnerable servers on the Internet being infected in tens of seconds." Although that particular example does not use an e-mail delivery method, it illustrates that you cannot rely on reactive, signature-based anti-virus software to protect against every new threat.
The Anti-virus Test Center at the University of Hamburg, Germany, analyses the effectiveness of many anti-virus programs and looks, among other things, at their ability to detect new viruses not yet listed in their signature databases.
For example, when the Sobig virus was released, many users reported that Mailtraq intercepted it before their other anti-virus products had released updates to catch it:
"Having just been inundated with 30-odd emails with what I presume is the w32.sobig.m virus, I was relieved to see Mailtraq rendered them all safe - we're still waiting for the virus update from Symantec, so well done Mailtraq!"
"Where else could you get so much reliability?"
This tab, on the Email Attachment Policy dialog at Options | Incoming Mail, configures how Mailtraq handles executable e-mail attachments.
Enable this checkbox to change the extension of every executable attachment to .TxT. This prevents a user from accidentally running them; users can manually rename an attachment once they are confident that it is safe. The Executable File Types tab contains a user-editable list of the file types Mailtraq treats as executable.
Quarantine in this mailbox
Enable this checkbox to move emails with executable attachments to the selected local mailbox for further inspection.
Route to this address
This option makes Mailtraq route (rather than move) the message to an address or local user. A typical use is to let Mailtraq's auto-response system be triggered for custom handling of notification messages. (From build: 18.104.22.1682)
Put details in message header
Enabling this checkbox will create additional message headers detailing Mailtraq's actions on the email containing the executable attachments.
Put alert in subject line
The following line of text replaces the subject line of any e-mail containing a suspect attachment. The text can be adjusted as required, for example to instruct users how to rename the file.
Email Attachment Policy - Executable File Types tab
This tab appears on the Email Attachment Policy dialog and contains a wildcard list of the file types Mailtraq treats as executable. Only attachments whose names match an entry are affected. The list is user-editable and may also include file types that are not in practice executable (e.g. *.mpg, *.jpg).
Email Attachment Policy - Allow Addresses tab
This tab appears on the Email Attachment Policy dialog and contains two lists of e-mail addresses that are exempt from the attachment policy.
Allow executable attachments in messages from...
This is a list of trusted e-mail addresses from which users are allowed to receive executable attachments; messages from these addresses are exempt from the attachment policy.
If you want inbound messages from the Internet to be checked, but not outbound messages to the Internet or messages between local users, enter your own local domain with a wildcard.
For example, if your local domain is: 'example.com'
then enter *@example.com in the 'from...' section.
Note that this exemption is keyed on the From: address, which the sender controls: a malicious e-mail could arrive with a spoofed local From: address and bypass the policy.
Allow executable attachments in messages to...
This is a list of trusted e-mail addresses to which users are allowed to send executable attachments; such messages are exempt from the attachment policy. Note: every recipient of the e-mail must be listed for the message to be exempt.
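The following is an added worked example, not Mailtraq's own code, modelling the policy described in the sections above: a case-insensitive wildcard list of executable file types, renaming to .TxT, a note in the message header, a replaced subject line, and the from/to exemptions (including the all-recipients rule and the From: spoofing weakness). The pattern list, the X-Attachment-Policy header name, the alert text and the addresses are assumptions chosen for the illustration; the test message is constructed, not a real capture.

```python
"""Toy model of an executable-attachment policy for e-mail (illustration only, not Mailtraq's code)."""
import fnmatch
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed wildcard list; a real deployment takes this from the Executable File Types tab.
EXECUTABLE_PATTERNS = ["*.exe", "*.com", "*.scr", "*.pif", "*.bat", "*.cmd", "*.vbs", "*.js"]
ALLOW_FROM = ["*@example.com"]            # local domain with a wildcard, as the page suggests
ALLOW_TO = ["updates@vendor.example"]     # assumed trusted recipient
SUBJECT_ALERT = "WARNING: executable attachment renamed to .TxT"   # assumed alert text
NEW_EXT = ".TxT"


def matches_any(value, patterns):
    """Case-insensitive wildcard match, so REPORT.EXE cannot slip past '*.exe'."""
    value = value.strip().lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def is_executable_name(filename, patterns=EXECUTABLE_PATTERNS):
    # Only the final extension decides: 'Invoice.PDF.exe' is executable, 'tool.exe.txt' is not.
    return matches_any(filename, patterns)


def is_exempt(msg, allow_from=ALLOW_FROM, allow_to=ALLOW_TO):
    """From-exemption trusts the From: header, which the sender controls (spoofable).
    To-exemption requires every To:/Cc: recipient to be on the list."""
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    if any(matches_any(a, allow_from) for a in senders):
        return True
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return bool(recipients) and all(matches_any(r, allow_to) for r in recipients)


def apply_policy(msg, patterns=EXECUTABLE_PATTERNS):
    """Rename executable attachments in place; return [(old_name, new_name)], empty if untouched."""
    if is_exempt(msg):
        return []
    renamed = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename or not is_executable_name(filename, patterns):
            continue
        new_name = filename.rsplit(".", 1)[0] + NEW_EXT
        part.set_param("filename", new_name, header="Content-Disposition")
        part.set_param("name", new_name)   # Content-Type name= for clients that use it
        renamed.append((filename, new_name))
    if renamed:
        for old, new in renamed:   # "details in message header"; header name is assumed
            msg["X-Attachment-Policy"] = f'renamed "{old}" to "{new}"'
        if "Subject" in msg:       # "alert in subject line"
            msg.replace_header("Subject", SUBJECT_ALERT)
        else:
            msg["Subject"] = SUBJECT_ALERT
    return renamed


def build_sample(sender="invoices@attacker.example"):
    """Constructed message: a double-extension executable plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice.PDF.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="Invoice.pdf")
    return msg


if __name__ == "__main__":
    m = build_sample()
    print(apply_policy(m))                                   # [('Invoice.PDF.exe', 'Invoice.PDF.TxT')]
    print([p.get_filename() for p in m.iter_attachments()])  # ['Invoice.PDF.TxT', 'Invoice.pdf']
    print(m["Subject"], m.get_all("X-Attachment-Policy"))
    # Same attachment, but a spoofed local From: address is exempt and passes untouched:
    print(apply_policy(build_sample("bob@example.com")))     # []
```

The second run shows why the local-domain exemption deserves care: nothing in the From: header proves the message really came from a local user.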
You can also use the quarantine and routing options together.
Use Route to trigger auto-responders and similar processing, and Quarantine (store) so that you can resend* the message if, after examination, the attachment proves to be acceptable.
*Resend by right-clicking on the message in the Console Mailbox, then 'Resubmit to Router'.
Note that routing replaces the message envelope with a new one, while storing does not.
Be sure to set sensible Archive policies (deletion) on the quarantine and routed mailboxes to prevent messages from accumulating.