Restrictions on Delivering E-mail with Unsafe Attachments

by Clevin Wong

Unsafe attachments of e-mails may threaten the security or integrity of the recipient's computer when they are opened. For example, opening an e-mail attachment with extension such as ".exe", ".vbs" or ".scr" causes it to be executed as a program. Executing a malicious program may unleash harmful payloads (e.g. a computer virus) and damage your computer. Moreover, the virus writers may use tricks such as double file extensions (e.g. "readme.doc.exe") to disguise the malicious e-mail attachments.

In order to strengthen the protection against virus attack (especially for the brand-new viruses that may not be detected by the anti-virus software), we have enhanced and adopted the standard recommended by Microsoft on restricting the delivery of e-mail with "unsafe attachments". The central e-mail servers (staff, student and alumni) will reject and bounce back to the sender any e-mail having an attachment with any of the following "unsafe file extensions":

Microsoft Access project extension
Microsoft Access project
Microsoft Visual Basic class module
Batch file
Compiled HTML Help file
Microsoft Windows NT Command script
Microsoft MS-DOS program
Control Panel extension
Security certificate
Help file
HTML program
Setup Information
Internet Naming Service
Internet Communication settings
JScript file
Jscript Encoded Script file
Microsoft Access program
Microsoft Access MDE database
Microsoft Common Console document
Microsoft Windows Installer package
Microsoft Windows Installer patch
Microsoft Visual Test source files
Microsoft Visual compiled script
Shortcut to MS-DOS program
Registration entries
Screen saver
Windows Script Component
Shell Scrap object
Shell Scrap object
Internet shortcut
VBScript file
VBScript Encoded script file
VBScript file
Windows Script Component
Windows Script file
Windows Script Host Settings file

If you need to send an e-mail with an "unsafe attachment" (e.g. X.exe), you should use either one of the following methods and notify your receiver:

  1. Post the file on the Web. You can post the file on a Website and tell recipients where they can download it. (This method is especially appropriate for distributing a file to many recipients.)
  2. Compress the file. For example, using WinZip to compress X.exe into (This method also decreases the file size).
  3. Rename the file. For example, rename X.exe into X.exe_tmp. You can include instructions in the message body so that the recipient can restore the original name of the file.

If you need to receive an e-mail with an "unsafe attachment", you should also request the sender to use the above convention or method.

Note: The current list of unsafe file extensions is adopted from Microsoft. Users can refer to the following articles from the Microsoft Knowledge Base: 262617, 290497, 291369. This list may be updated from time to time.