Bypassing Gmail Executable Blocking

“as a security measure to prevent potential viruses, gmail doesn’t allow you to send or receive executable files (such as files ending in .exe) that could contain damaging executable code.

gmail won’t accept these file types even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz) format. if this type of message is sent to your gmail account, it is bounced back to the sender automatically.

you can send and receive messages up to 10 megabytes (mb) total (including attachments). any message that exceeds this limit will not be delivered to your inbox and will be returned to the sender.”

(information from google)

recently i needed to send someone an exe file using my gmail account.
well, from the gmail faq quote above, you can understand that i cannot send a windows executable file (or a file with .exe extension).

you may think that exe is out of the question… or is it? (muha muha muha .. sorry – Sunshine influenced me).

well it seems that exe files compressed with rar or ace are ignored. yep, i can use rar to compress an exe and send it to you using gmail. but checking if ‘elf’ binaries can be sent through gmail led me to an interesting conclusion:

do i really need rar?! all i need is to change the extension of the file and gmail will gladly accept it.

now you may ask yourself, why the hell am i writing this on my blog instead of notifying google?

well, i went to google contact us (took me a while to find it with all of the latest portals they are giving us), and found a nice email: security@google.com. now when i sent this information (with more details, btw) to google, this was the reply:

from: “gmail team”
hello,

thanks for contacting us. we aren’t able to respond directly to inquiries
submitted to this email address.

please visit our help center at http://gmail.google.com/support/, or by
clicking ‘help’ at the top of any gmail page within your account. our help
center provides answers to the most commonly asked questions, and offers
information about gmail and all of its features.

if you are unable to log in to your gmail account, please follow the steps
to reset your password by clicking ‘forgot your password?’ on

http://gmail.google.com.

sincerely,

the gmail team

——
if you’d like to learn more about how gmail’s features work, check out the
gmail help discussion (http://groups.google.com/group/gmail-abcs) where
our users share helpful tips and tricks with one another.
——”

hey, i contacted security, not support! so i said to myself, let’s send this to the webmaster of gmail. well, the addresses webmaster@gmail.com, security@gmail.com and webmaster@google.com do not exist! i received bounces back on all those emails…

i contacted them on december 4th, 2005, and i waited until today to see whether they would contact me… guess what… they did not.

so, i tried to do something else (that actually did not work o_o): i sent a virus without using the .exe extension. but it turns out the gmail antivirus actually found my virus (well, at least that!).
but then again i used some very old win32 virus :)

anyway, if any of you have 0-days out there to send using gmail, have no fear, because for now, gmail will not block it.

and for google, please provide better ways of contacting you, and please do read things that may sound like a support request. or at least make a place to report bugs etc… even microsoft has one.
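
the post's finding is that the filter looks at the file name, not the file. as an added example (not code from this post or from gmail), here is the kind of content-based check a mail gateway could run instead: it identifies PE and ELF files by their header bytes whatever the extension says, looks inside zip archives, and quarantines encrypted members it cannot scan. the function names, the limits and the sample bytes are all constructed for illustration.

```python
import io
import struct
import zipfile

MAX_MEMBER = 10 * 1024 * 1024  # assumed per-member cap, mirrors the 10 MB message limit
MAX_DEPTH = 2                  # assumed limit on zip-inside-zip nesting

def sniff_executable(data: bytes):
    """Identify PE/ELF by content, ignoring whatever the file name claims."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at 0x3C points at the "PE\0\0" signature in a real PE file
        off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[off:off + 4] == b"PE\0\0":
            return "pe"
    return None

def classify_attachment(name: str, data: bytes, depth: int = 0) -> str:
    """Return 'allow', 'block:<why>' or 'quarantine:<why>' for one attachment."""
    kind = sniff_executable(data)
    if kind:
        return f"block:{kind} content in {name}"
    if data[:4] == b"PK\x03\x04" and zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return f"quarantine:archive nesting too deep at {name}"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted, cannot be scanned
                    return f"quarantine:encrypted member {info.filename}"
                if info.file_size > MAX_MEMBER:  # declared uncompressed size
                    return f"quarantine:oversized member {info.filename}"
                verdict = classify_attachment(info.filename, zf.read(info), depth + 1)
                if verdict != "allow":
                    return verdict
    return "allow"

def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed samples: a minimal PE header stub, an ELF magic stub, a JPEG header.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
FAKE_ELF = b"\x7fELF" + b"\0" * 12
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

with these samples, `classify_attachment("setup.bmp", FAKE_PE)` is blocked even though the name says bitmap, and a zip holding `tool.tmp` with ELF content is blocked on the member, not on the archive name.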

  • http://www.whiteacid.org WhiteAcid

    I think what GMail aimed to do with the anti-EXE block (my own little moniker) was to prevent stupid people from running attachments. If you rename the exe to file.renametoexe, which is what I do, people have to manually rename that back to .exe and run it. Someone doing this wants to run your exe, they presumably know what it does.

    I think the security serves its purpose.

  • http://www.tuxq.com/ Steven

    They’re (obviously) using extensions to determine if the attachment is allowed, but it wouldn’t have anything to do with the anti-virus.. it’s likely non-discriminative. I tested this theory with a Win32 exe and changed the extension to .bmp and had no problems sending it through. Then, used a virus with a .bmp and it caught it immediately.

  • http://BeyondSecurity.com ido

    Well, I can think of several ways to exploit this issue. One hint is: Gmail also works as storage for many people …
    But there are many ways to take advantage of this issue.

  • janantha

    Yes.. whiteacid is correct.. I tried the renaming and it works fine.. Of course security is there to prevent really bad things from happening ;) , got to live with it!

  • John

    I’m happy to read this article since I have been thinking of using encrypted zip files to overcome the problem. This solution is much easier. Thank you!

  • Sergio

    Ciao!

    gmail attachment management is very silly!

    I tried to send an ascii file with .cmd extension, and it was blocked!!

    It is the only flaw of this great service!

  • http://www.michaeldallas.com Michael Dallas

    It’s moronic for people to send executables through email at all. If you need to transfer a file, put it on a server where users can download it. If executables had never been allowed through the email system in the first place, 99% of the problems with viruses would have been avoided.

  • siddharth

    “It’s moronic for people to send executables through email at all.”

    that is bullshit. not that i have an alternate solution.. but i do have to send and receive flash files (the published versions are, god forbid, exe files). this is extremely inconvenient when sending presentations back and forth!

  • pluygz

    old crap, everyone knows it

  • GL

    Take an ordinary jpg, zip it w/ a password, then try and send it as an attachment in gmail. It won’t work. Gmail says it’s an ‘executable’ – how ’bout testing your software you @#$% liberals at google.

  • me

    @GL

    You don’t seem to be understanding. Google just checks the extension! If you take an ordinary jpg AND CHANGE THE EXTENSION to .zip (or even just add it, ie ordinary.jpg.zip) Google rejects it.

    Now, the real question is why we are responding to a 3 year old thread :)

    -me

  • Idahaidung Okpomontia

    domain key shows that mail originated from your server.

  • GL

    (1)
    ‘me’ said on 02-14-2008:
    “You don’t seem to be understanding. Google just checks the extension!”
    No, that was NOT completely true as of ~Jan 2008. I have the documentation and the printscreens to prove it. Back in Jan 2008 I knew what I was talking about and I know what I’m talking about today. Google at that time was rejecting zip attachments that were password protected, because it could not ‘scan’ the contents. I documented that I could send a jpg inside a zip if there was no password, but the zip was rejected if it had a password. That has since changed.

    (2)
    I’m a software engineer with about twenty years’ experience and I know what I’m talking about and I don’t appreciate the “you don’t seem to be understanding” post. Please re-read my original post thoroughly this time. Google called a ‘jpg’ an ‘executable’ – on the screen via error dialog. A jpg is NOT an executable in the sense that an EXE is an executable. A jpg is data. And yes, poorly written microsoft code can be fooled by malicious ‘data’.

    (3)
    Again, google’s policies are ever-changing and today because of a question another user had I conducted further tests as a follow-up. After running eight controlled, logical tests: I can send an ordinary jpg as an attachment (we already knew that), I can send a jpg that is XP-zipped with no password, I can send a jpg that is XP-zipped WITH a password (google loosened this restriction sometime mid-2008), I cannot send an exe that is zipped, I cannot send an exe that is zipped with a password (already knew that), but I can send an exe that is renamed, then zipped either with or without a password (everybody already knew that).

    (4)
    When the exe was renamed to *.tmp, zipped, then sent through email, then downloaded again, then unzipped, the filedate was today, instead of the original 2004 filedate. This does not happen to the zip contents if it is *not* emailed.

    (5)
    How can you say google gmail merely ‘checks the extension’ when ordinary.jpg.zip (an extension of ‘zip’) won’t go through but myfile.zip (a legitimate non-password zip file) will go through? Both have the extension of *.zip. The reason ordinary.jpg.zip isn’t accepted as an attachment is because gmail cannot ‘OPEN’ the ‘zip’ file.

    (6)
    Why are ‘we’ responding to 3-year old threads? Because google’s policies are ever-changing and people want to know what the @#$% is up with the policies at google. The liberals at that place are pro free speech oh, but wait we all have to be ‘watched’ to make sure we’re not sending EXEs in email. Not the right way to handle it google. Can’t you people at google just help users make sure they have antivirus software instead?

    (7)
    In conclusion, you misinterpreted what I was claiming back in Jan 2008 and today I found that to be quite annoying. Everyone knows that google employees vote 95% liberal, liberals preach ‘free speech’ then monitor and block email attachments in a hypocritical manner. That’s a point worth making. Thanks anyway.

    P.S. your blog ‘spell checker’ crashed when checking this post.

  • http://www.theoas.com gmail888

    Does anyone know how to contact a live person to give information to the gmail people? I would settle for a department that could actually be contacted and would actually respond with a non canned irrelevant response within 48 hours.

    For over a week I have been trying to set a filter and keep getting the message they will not accept an address with a space in it.

    Well, the address does not have a space, only a period (.), you know, like mail.google.com. Furthermore, when I experimented by deliberately leaving the period out and typed *****@**********.com I got the same inane message and then my suspicions were confirmed. That was a week ago.

    How do you get through the maze of closed loops to actually tell them about something that is not a known problem or an already reported problem?

    I retrieve important messages at the address I was trying to forward to.