Yahoo mail blocked me from sending a program I wrote, what can I do?

[yungman]

I wrote a small program that I want to email to someone, it got blocked siting it contain potential security issue! What can I do, I am sure people send .exe by email, or else how can programmers work at home! Please advice.

Thanks

 

[berkeman]

Yeah, my work e-mail blocks all *.exe, *.bat, *.scr, and other executable files. Sometimes you can just change the suffix to *.bin or something, and sometimes that works. But not always. Even putting the offending file in a zip file usually doesn't help, but you might try changing the suffix and putting it in a password-protected zip file -- maybe the e-mail server won't be able to check it for executable contents.

One option we use instead is to post it to a OneDrive folder, and give access to that folder to the person you want to get the file. Do you have a OneDrive account?

 

[jim mcnamara]

It is a security risk - as @berkeman points out. You need to consider that 99.99% of users on the internet are not programmers and could/would double-click an enclosed file that was executable - and effectively lose their computer.

Shared external sites like pastebin or external password protected cloud servers circumvent a lot of the problems. Sandbox computer systems with a proprietary OS/BIOS/platform are used to run scans on newly acquired files - for high security sites. If the code is executable it cannot run in the foreign environment regardless. Executable image files are indentifiable in the first few dozen bytes.

 

[Vanadium 50]

Put it on a USB key or SD card and mail it via the post office.

 

[berkeman]

Put it on a USB key or SD card and mail it via the post office.

https://www.deviantart.com/2dchew/art/Snail-Mail-175713890

 

[Vanadium 50]

But it will get there!

USPS First Class is pretty speedy, even with Covid. (Fewer commercial air flights) They say 1-3 days. Couple bucks for the card/stick, a buck to mail it, and the problem is solved.

 

[berkeman]

Not if @Borek finds it first!

 

[Borek]

You can try cloud storage like google drive, you can try wetransfer dot com.

If someone is paranoid about their security they won't use USB stick from you (google "USB killer").

Funny thing, The USB Stick Found in the Grass does contain several programs - these are just installation versions of free software that can be downloaded from the web. Technically one can use some of them to analyse stick content, but that wasn't my intent, they are there more to make the stick look like something really used to transfer data between computers. When there is no net access for whatever reason USB stick is sometimes the only way to go.

 

[yungman]

Yeah, my work e-mail blocks all *.exe, *.bat, *.scr, and other executable files. Sometimes you can just change the suffix to *.bin or something, and sometimes that works. But not always. Even putting the offending file in a zip file usually doesn't help, but you might try changing the suffix and putting it in a password-protected zip file -- maybe the e-mail server won't be able to check it for executable contents.

One option we use instead is to post it to a OneDrive folder, and give access to that folder to the person you want to get the file. Do you have a OneDrive account?

Thanks , wow, I did not know all this! I don't even know what is One Drive, my computer keep asking me on restart, I kept ignoring it. I have to look into this more. Do I have to pay for it?

I tried to change the extension, but it doesn't seems to allow me as there is not extension, it just said it's an application file and when doing rename, it just change the name.

 

[berkeman]

Thanks , wow, I did not know all this! I don't even know what is One Drive, my computer keep asking me on restart, I kept ignoring it. I have to look into this more. Do I have to pay for it?

I tried to change the extension, but it doesn't seems to allow me as there is not extension, it just said it's an application file and when doing rename, it just change the name.

Did you try the password protected zip file yet? It that doesn't work, then OneDrive or the other shared options or the snail thing look to be your only options...

 

[jedishrfu]

There was a famous case in IBM where a student wrote a Christmas tree program in Rexx and sent it to his fellow students. One of its features was reading your email contacts list and sending it to them.

The cascading resends put IBMs internal world wide network on life support and it had to be shutdown to purge the errant script.

Almost immediately, IBM allowed Rex scripts to be sent but munged the script extention from .exec to .cexe to avoid future executions.

https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

I remember it well.

 

[yungman]

Did you try the password protected zip file yet? It that doesn't work, then OneDrive or the other shared options or the snail thing look to be your only options...

I looked up how to do password protected, I did it on the zip folder. But I don't have the password. I can open on my computer, but if I send it to someone, how is the other person going to open it?

I don't know how to use One drive yet, I can't even open the pdf file to read the instruction or anything as it complain my adobe cannot open it.

Thanks

 

[Borek]

I looked up how to do password protected, I did it on the zip folder. But I don't have the password. I can open on my computer, but if I send it to someone, how is the other person going to open it?

You define the password, how come you selected one but you don't know it?

You protect the zip file, then you can send the password in an email.

Honestly: I would never hire a programmer who doesn't understand such a basic things

 

[yungman]

You define the password, how come you selected one but you don't know it?

You protect the zip file, then you can send the password in an email.

Honestly: I would never hire a programmer who doesn't understand such a basic things

I am not a programmer and I am not particularly good with computers, this is all new to me. I just spent 4 months learning C++ only and wrote a program and try to send it to my grandson.

During the process of doing the password protect, it never ask me to set up a password. To be more specific, I went online to learn how to do it, it just right click folder, properties, advance and check the Encrypt contents to secure data, ok and apply. That's it, never ask me anything.

 

[Borek]

OK, I misread your opening post, I thought you were sending exe to a customer.

You are mistaking encrypting data on disk with protecting a zip file with password, these are two completely different things.

Google how to create a zip file. Zip file can be (doesn't have to be) protected with a password that you enter while creating it. That will be something you can send to someone and only people knowing password will be able to open.

 

[jedishrfu]

The trick is to zip the files you want to send and apply a password to the zip.

send the zip in one email or via a cloud service as zips over several megs may not be spendable by your email service. I think for google it’s 20 megs. Google will let you send a couple of pics but not over some internal meg limit Which isn’t well advertised.

when you send the password, send it in a separate email where you don’t use the password ie use pswd or p*ssw*rd or something like that so it’s not easily searchable.

to further protect it, you could send part of the password in one email and then call to provide the rest or even use a different email account when sending the password depending on how important protection is.

 

[yungman]

Sorry I did not come back till now, internet was down until now, ATT had problem in the whole area.

Can anyone suggest a zip program that has password capability? I am using 7-zip and I don't see an option of putting password. Sorry I am not very knowledgeable in all these, just trying not to be obsoleted like other senior citizens.

My program is only 32KB, so size is not an issue!. This is just a Directory program with name sorting just for practice using Class in C++, just want to email to my grandson(3rd yr CS major) what grandpa learned in 4 months. It's not any professional program.

thanks

 

[jedishrfu]

https://7ziphelp.com/password-protect-on-7zip

 

[yungman]

https://7ziphelp.com/password-protect-on-7zip

Thanks

I did not know to use "add to archive", I always use Add to "name.zip".

But sadly yahoo mail still refuse to send it out. But thanks for the advice. I learn something.

 

[jedishrfu]

Is it too big? or just the name?

Perhaps try an alternate file extension like rename it to .piz or .dat and see if it accepts it.

You can then have your friend rename it back to zip and then decompress it.

 

[yungman]

Is it too big? or just the name?

Perhaps try an alternate file extension like rename it to .piz or .dat and see if it accepts it.

You can then have your friend rename it back to zip and then decompress it.

Ha ha, no luck. I change to .doc and still got rejected.

No, the file is only 32K size to start. It's a really simple program, I am proud of it for only started studying for 4 months, but it's child's play for you guys!

Thanks

 

[berkeman]

But sadly yahoo mail still refuse to send it out. But thanks for the advice. I learn something.

Wow, you have the file in a password-protected ZIP file and it still can tell that it's an executable? Must be some security feature of ZIP files maybe.

Did you try renaming the file to *.bin instead? Also change the filename, as your e-mail server may be watching for you to try to send it with an altered suffix.

Change the filename to whatever, change the extension to .bin, ZIP it up with a password, and try that?

 

[yungman]

Wow, you have the file in a password-protected ZIP file and it still can tell that it's an executable? Must be some security feature of ZIP files maybe.

Did you try renaming the file to *.bin instead? Also change the filename, as your e-mail server may be watching for you to try to send it with an altered suffix.

Change the filename to whatever, change the extension to .bin, ZIP it up with a password, and try that?

I actually use two different yahoo mail, one with Chrome and one with Firefox and of different user names! I'll try .bin next.

Thanks

 

[yungman]

How do you professional programmers sent files? They are known to work at home particularly now, you must be sending programs back and fore to the company and to others. I thought this must be so so common thing to do!

 

[berkeman]

How do you professional programmers sent files? They are known to work at home particularly now, you must be sending programs back and fore to the company and to others. I thought this must be so so common thing to do!

Check it into BitBucket via VPN. Release final versions in Arena with ECOs via VPN. Post shared copies on shared drives on internal company servers via VPN from home.

(Or use the OneDrive trick that I suggested earlier)

 

[pbuk]

Wow, you have the file in a password-protected ZIP file and it still can tell that it's an executable? Must be some security feature of ZIP files maybe.

Did you try renaming the file to *.bin instead? Also change the filename, as your e-mail server may be watching for you to try to send it with an altered suffix.

Change the filename to whatever, change the extension to .bin, ZIP it up with a password, and try that?

No, Yahoo like most email providers simply rejects all password protected zip files. If it can't scan the file to see that it is likely not to be malware it will reject it. Changing the extension won't help.

Even if you do find a way to send it, it will almost certainly be caught by the receiving email server's malware filter.

Use OneDrive.

 

[jedishrfu]

Certain files can be identified by the first few bytes a so called file signature

https://www.garykessler.net/library/file_sigs.html

 

[sysprog]

You could use http://www.nirsoft.net/utils/xorfiles.html
It XORs two files, saving the result in a third file. For the second file, you can use any file of a non-blocked type, and of a length that is equal to or greater than that of the .exe file, e.g. a .jpg file.

Procedure:

download the zip file from http://www.nirsoft.net/utils/xorfiles.html
extract the zip file
then into the directory to which you've extracted the file:

copy your program.exe file
copy some other file of non-blocked type and of equal or greater length, e.g. image.jpg​

run xorfile.exe
in the popup box enter:

Filename 1: program.exe
Filename 2: image.jpg
Destination: program.dat​

send:

attachments:

program.dat
image.jpg​

the following instructions:

download the zip file from http://www.nirsoft.net/utils/xorfiles.html
extract the zip file
download the 2 attached files into the directory to which you've extracted the file
run xorfile.exe
in the popup box enter:

Filename 1: program.dat
Filename 2: image.jpg
Destination: program.exe​

Your recipient will then have a copy of your program.exe file.​

 

[Vanadium 50]

Is now the time to point out that if the program were mailed on Saturday the recipient would be getting it around now? Sometimes low tech is best.

 

[harborsparrow]

I zip the exe and use the free sendspace.com website to send it. The receiver must be willing to accept the file download by clicking a link in an email from sendspace.com. Useful both for exe file transfer and very big zip files.

 

[sysprog]

Is now the time to point out that if the program were mailed on Saturday the recipient would be getting it around now? Sometimes low tech is best.

I think that having a way to email files without the email provider snooping their contents and blocking the ones deemed to be possibly dangerous is useful.

USPS small package service is not an acceptable substitute for being able to send program files via email.

Back when I could just rename .zip or .exe file extensions, e.g. to .zip.dat or .exe.remove-this-extension and send them, I didn't mind gmail blocking files the extensions of which rendered them executable, but I think that if a recipient has to manually rename a file at the extension level (and go past the usability warning prompt for doing that) to get it to be executable or otherwise potentially dangerous, that's a sufficient safety mechanism against inadvertent or casual opening of a harmful email-attached file.

 

[pbuk]

You could use http://www.nirsoft.net/utils/xorfiles.html
It XORs two files, saving the result in a third file. For the second file, you can use any file of a non-blocked type, and of a length that is equal to or greater than that of the .exe file, e.g. a .jpg file.
...
Your recipient will then have a copy of your program.exe file.

That's only going to work if the munged .jpg file still parses as a .jpg otherwise any intelligent malware filter is going to see what you are trying to do.

The only way I know of to reliably send arbitrary binary files via email is by manually converting to and from hex at each end and sending as a text file.

But nobody sends exe files by email anyway, there are many ways you can put this on t'internet for downloading via either a protected or public link: OneDrive, Dropbox, attached to a Wordpress.org blog, GitHub releases...

 

[Vanadium 50]

USPS small package service is not an acceptable substitute for being able to send program files via email.

I was actually thinking first class mail. The point is to get some code to the guy's grandson. And we're talking about jpeg steganography?

 

[jedishrfu]

Is now the time to point out that if the program were mailed on Saturday the recipient would be getting it around now? Sometimes low tech is best.

There is a great story about TIme magazine shipping their content back and forth via courier to Hong Kong and New York for their Far East edition using a disk pack in the 1970's. A disk pack was a portable (it had a handle) magnetic storage device that weighed 10 lbs rather like a USB stick today.

Mgmt decided to speed up the process by using a satellite connection. However, the slow speed and error correction took more time than it did to just fly the courier to Hong Kong and back weekly and so they reluctantly reinstated the courier for a few more years.

 

[sysprog]

That's only going to work if the munged .jpg file still parses as a .jpg otherwise any intelligent malware filter is going to see what you are trying to do.

I just tried it and it worked $-$ I ran the procedure on everything.exe (a lightweight and fast directory search utility available at https://www.voidtools.com/downloads/ $-$ I use the portable version) with a pdf as the mask file and the destination file with a .dat extension. The filters look for 'signature' byte patterns to detect known possibly-dangerous file types; they don't reject 'bit soup' files.

The only way I know of to reliably send arbitrary binary files via email is by manually converting to and from hex at each end and sending as a text file.

That would work, but it's not the only way. You can use base64 encoding, for example, and the method decribed in my post #28 works fine.

But nobody sends exe files by email anyway, there are many ways you can put this on t'internet for downloading via either a protected or public link: OneDrive, Dropbox, attached to a Wordpress.org blog, GitHub releases...

I send .exe files now and then. For any non-third-party file, including .exe files, I normally would rather send an attachment than a link. I use google drive only when a file is too large for gmail or the number of recipients is more than a few.

 

[sysprog]

I was actually thinking first class mail. The point is to get some code to the guy's grandson. And we're talking about jpeg steganography?

USPS small package service is a 'species' of first-class mail $--$
from https://www.usps.com/ship/mail-shipping-services.htm:

First-Class Mail® is an affordable mail service for standard-sized, single-piece envelopes weighing up to 3.5 oz and large envelopes and small packages weighing up to 13 oz with delivery in 3 business days or less.​

​

(emphasis added)​

The method is not steganography; it's simply XOR masking -- if a .jpg file is used as the mask, it's sent without alteration. The .exe file is XORed against the mask file (of the same or greater length), and the resulting data file is sent along with the mask. Then at the receiving end, the data file is XORed against the mask file, and the result is the .exe file.

The method is the same as that used for a one-time pad cipher, except that it sends the mask file with the data file instead of by separate transmission, the mask doesn't have to be random, and it can be used more than once $-$ the goal here isn't imperviousness to cryptanalysis; it's getting past a filter by eliminating the characteristic patterns that the filter searches for.

For real one-time pad security, you could use two DVDs filled with identical random data, send one to your correspondent, and then send XOR-masked data files, each with an offset number for how far into the DVD was up next for use as a mask. Then a script could copy bytes from the DVD, beginning at the current offset, and running the length of the data file. The new offset for the next file to be sent, in either direction, would be the offset just used plus the length of the data file just sent. With a standard 4.6GB DVD, that would allow for 460 program or other files of 10MB length each, or a lot of smaller files.

 

[jedishrfu]

Perhaps we should be looking at google drive file sharing now. We wouldn't want to hide the data from the feds (who likely know about XOR masking already).

 

[sysprog]

Perhaps we should be looking at google drive file sharing now. We wouldn't want to hide the data from the feds (who likely know about XOR masking already).

The method described in my post #28 here is not secure against government cryptanalysis, and there are difficulties in practical implemention of genuine one-time pad cryptography, not the least of which is rapid and reliable generation of 'truly random' data.

 

[Vanadium 50]

The method described in my post #28 here is not secure against government cryptanalysis

It's OK. He's sending something to his grandson. It doesn't need to be secure against major world governments.

 

[berkeman]

I got an e-mail from a foreign government official (I'm not at liberty to say which country) requesting that I temporarily lock this thread for Moderation...

 

[PeterDonis]

I am sure people send .exe by email, or else how can programmers work at home!

You must be joking. The usual way of sharing source code is by distributed version control systems such as git. The usual way of sharing executables is by providing them via properly secured download links or packages shipped with operating systems. Nobody shares code or executables by email.

 

[berkeman]

You must be joking. The usual way of sharing source code is by distributed version control systems such as git. The usual way of sharing executables is by providing them via properly secured download links or packages shipped with operating systems. Nobody shares code or executables by email.

Well, to be fair. We used to do this all the time 5-10+ years ago in my company. But with more strict (and justified) security measures in place, we no longer can do that, so we use OneDrive or our internal servers, etc. to do it as I've already posted in this thread.

 

[jedishrfu]

As @berkeman has said in a prior post, it’s time to close off this thread. We have explored the breadth and depth of the problem and find that once we have over engineered our answers. We have given the OP multiple avenues to try out while his grandson is anxiously awaiting its arrival by email or snail mail.

As @PeterDonis has intimated professionals use professional methods while the rest of us use whatever works. Oh how times have changed in the software world from simple file backups to SCCS, RCS, CVS, SVN, and now GIT. For my own projects, I tend to use Google Drive for large zip files and email for scripts. I’ve not had a need to develop exe files in a long time But would likely use the drive approach to bypass the email block. The drive approach allows me to change the file while keeping the email reference intact.

Thank you all for contributing here and without further ado will close this thread forever.