How to block attachments from email sent using browser?

  • Question

  • Hi everybody,

    I want to develop one application that blocks any attachment from email sent using a browser. E.g.: I am in one organization and I am sending one file as an attachment from Gmail. This should be reported to the administrator. I want some more ideas and a path on how to develop this application. I have some ideas about how to develop this:

    1) The protocols that my computer is interacting with now can be shown using the "netstat -an" command. PortQryUI and TCPView are other helpful tools that would help in expanding this idea and getting a solution to this problem.

    2) Can this attachment be blocked using a firewall? The SMTP commands can be parsed and blocked using a firewall. The only thing is I don't know what protocols Gmail, Outlook, and Yahoo must be using to send emails from a browser.

    Kindly help me in solving this problem.

    Thanks & regards,

    Talib Hussain.
    • Edited by talib2608 Tuesday, July 1, 2014 6:59 PM
    Tuesday, July 1, 2014 6:56 PM

All replies

  • This is a very difficult problem. You would have to parse and understand the HTTP traffic (because it won't be an email until after it hits the web server) and figure out how the various web-based email providers implement attachments. Then, what are you going to do about encrypted email?

    What problem are you trying to solve?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, July 2, 2014 1:13 AM
  • Hi Brian,

    I want to make an application that tells the name of attachment in an outgoing email.

    Wednesday, July 2, 2014 4:00 AM
  • That's not the problem you're trying to solve; that's a potential method for a solution. Are you looking for a particular type of attachment or any attachment? If you're trying to prevent certain files from being emailed, then I think a better solution would be a file system filter.

    Fundamentally, if you trust a person with a file but you want to prevent them from emailing it, you're going to fail because there are too many ways a determined user can get around such a proscription.

     -Brian



    Wednesday, July 2, 2014 4:07 AM
  • No, I am not looking for a particular type of file. If any type of file is sent in an email from a system, I want to tell the name.

    I just want to keep a tab on the files being emailed from a system by a user.

    Wednesday, July 2, 2014 4:24 AM
  • First, you're going to have to accept that there is no method that is 100% perfect, and that someone with enough skill or determination will be able to get past your filter. For example, there is no way you could prevent someone such as myself from emailing files. If you're OK with that, then I think a file system filter driver is what you want. I'd implement it such that if a file is being opened by one of the known browser processes then write an event to your logger. Of course, it would be rather easy to get around this, but if you're just trying to keep honest people honest, then that is probably the simplest way.

     -Brian



    Wednesday, July 2, 2014 4:35 AM
  • If there is a driver that dumps all the incoming and outgoing packets in a file and if I can parse that file, then is it possible that it can be known that a file was sent?
    Wednesday, July 2, 2014 5:17 AM
  • Your original question was about email sent using a web client. So, you get an HTTP stream (not an SMTP stream) that you would have to decode. Each web mail service will send attachments in a different way, and it would be trivial to create a web site that transferred data in a way that your parser wouldn't recognize. Then there is the problem of HTTPS; how will you decode it? There is no known solution to this problem - at least on a general purpose operating system. See Microsoft's 10 Immutable Laws of Security: Your data is only as secure as your people are trustworthy.

    As I wrote, you can catch most of this using a file system filter but that isn't 100% certain, either.

     -Brian



    Wednesday, July 2, 2014 6:09 AM
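
The limit described in the reply above, as an added example that is not part of any post in this thread: a parser that reports attachment names from one already-decoded (cleartext) HTTP upload, and the same file sent in a different encoding that it does not see. The host name, URL paths, JSON field names and both sample requests are constructed for illustration and do not describe how any real webmail service uploads files.

```python
import base64
import email
import json


def attachment_names(raw_request: bytes) -> list[str]:
    """Return filenames found in one cleartext multipart/form-data upload."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    _request_line, _, header_block = head.partition(b"\r\n")
    headers = email.message_from_bytes(header_block + b"\r\n\r\n")
    if headers.get_content_type() != "multipart/form-data":
        return []  # any other encoding is invisible to this parser
    # Re-wrap the body as a MIME document so the stdlib parser can split it.
    mime = email.message_from_bytes(
        b"Content-Type: " + headers["Content-Type"].encode() + b"\r\n\r\n" + body
    )
    return [p.get_filename() for p in mime.walk() if p.get_filename()]


# Constructed sample 1: a classic HTML form upload.
BOUNDARY = b"constructedBoundary7"
MULTIPART_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="note"\r\n\r\n'
    b"hello\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="q3-forecast.xlsx"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"constructed bytes\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Constructed sample 2: the same file sent as base64 inside a JSON body.
JSON_UPLOAD = (
    b"POST /api/attach HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/json\r\n\r\n"
    + json.dumps({"name": "q3-forecast.xlsx",
                  "data": base64.b64encode(b"constructed bytes").decode()}).encode()
)

if __name__ == "__main__":
    print("multipart:", attachment_names(MULTIPART_UPLOAD))
    print("json:     ", attachment_names(JSON_UPLOAD))
```

The second request carries the same file and produces no report, so a log built this way records only the upload formats it was written for, and only where the traffic is available in cleartext.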
  • There are drivers that dump data sent using HTTPS also. So, if I use that driver to dump the data and then parse it, would that be a feasible solution or is there any other way as suggested in the post (the original question)?
    Wednesday, July 2, 2014 6:58 AM