Restrictions on delivering email with unsafe attachments

Unsafe attachments of emails may threaten the security of the recipient's data when they are opened. For example, opening an email attachment with extension such as ".exe", ".vbs" or ".scr" causes it to be executed as a program. Executing a malicious program may unleash harmful payloads (e.g. virus, worm, spyware) and may damage/steal your data. Moreover, tricks such as double file extensions (e.g. "readme.doc.exe") may be used to disguise the malicious email attachments.

In order to strengthen the protection against virus/worm/spyware attack (especially for the brand-new virus/worm/spyware that may not be detected by the virus-scanning software), we have enhanced and adopted the standard recommended by Microsoft on restricting the delivery of email with "unsafe attachments". For any email having attachment(s) with any of the following "unsafe file extensions" as listed in Table 1, our mail servers will drop the unsafe attachment or entire email without prior notice.

.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.exe
.hlp
.hta
.inf
.ins
.isp
.js
.jse
.lnk
.mdb
.mde
.msc
.msi
.msp
.mst
.pcd
.pif
.reg
.scr
.sct
.shs
.shb
.url
.vb
.vbe
.vbs
.wsc
.wsf
.wsh
Microsoft Access project extension
Microsoft Access project
Microsoft Visual Basic class module
Batch file
Compiled HTML Help file
Microsoft Windows NT Command script
Microsoft MS-DOS program
Control Panel extension
Security certificate
Program
Help file
HTML program
Set up Information
Internet Naming Service
Internet Communication settings
JScript file
Jscript Encoded Script file
Shortcut
Microsoft Access program
Microsoft Access MDE database
Microsoft Common Console document
Microsoft Windows Installer package
Microsoft Windows Installer patch
Microsoft Visual Test source files
Microsoft Visual compiled script
Shortcut to MS-DOS program
Registration entries
Screen saver
Windows Script Component
Shell Scrap object
Shell Scrap object
Internet shortcut
VBScript file
VBScript Encoded script file
VBScript file
Windows Script Component
Windows Script file
Windows Script Host Settings file

Table 1: List of unsafe file extensions

If you need to send an email with an "unsafe attachment" (e.g. ABCD.exe), you should use either one of the following methods and notify your receiver:

  1. Compress the file. For example, using WinZip to compress ABCD.exe into ABCD.zip. (This method also decreases the file size).
  2. Rename the file. For example, rename ABCD.exe into ABCD.exe_tmp. You can include instructions in the message body so that the recipient can restore the original name of the file.

Note:

  1. The current list of unsafe file extensions in Table 1 is adopted from Microsoft. Users can refer to the following articles from the Microsoft Knowledge Base: 262617, 290497, 291369 .
  2. The "list of unsafe file extensions" will be updated from time to time.

Return to University In-house Email Service FAQ page

csc@cityu.edu.hk