Avatar of detox1978
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Send EXE via email

Hi All,

I want to test my email server to ensure it is blocking inbound .EXE files.

Does anyone know how i can send an .EXE to test it.  GMAIL and YAHOO wont let me send a test.

GmailEmail ServersEmail Software

Avatar of undefined
Last Comment

8/22/2022 - Mon
David Favor

Just attach any file with a .exe extension.

https://jetmore.org/john/code/swaks/ provides an all purpose tool for exercising email servers...


To use SWAKS or any other test tool, you'll have to arrange to...

1) Send from an IP in your SPF record.

2) Add the correct DKIM signature, routing your message through your DKIM signing server... which is... only for the brave...

There may be other ways to achieve this... No way to tell without much more detail about your sending DNS setup...

Suggestion: Remove all SPF/DKIM/DMARC records, if you must do your test send from an oddball server.

Also be sure your server is on a hosting/provisioning company IP, as residential IPs are usually permanently RBL'ed.
David Favor

Simple Solution: Mention your target email address + someone can send your a message with a .exe attachment.
Dr. Klahn

Note:  Blocking of executable files is a band-aid that protects only recipients who click on it.  When it comes to sending executables by email, I guarantee that no matter what method the server uses to block incoming executables there is a way to get around it.

Block files with the EXE extension?  Rename the file extension

Block files with the EXE internal header?  Send it as a RAR.

Block RAR files?  Rename it to .JPG

Examine all files for file header types?  Send in two pieces, one with the payload randomly scrambled, and the second being the XOR of the executable and the scrambled file.

And there is always steganography.

So do not rely on blocking executables as anything other than a layer of paint on the house.  In the end the best defense is smart and suspicious employees.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

7z (7-zip files) are usually not scanned and/or allowed. Optionally password protect the content.

thanks for the feedback.

We have application allow-listing, so not thinking of the security side.  The issue is i regularly have to do cyber surveys, so need to test and prove it.

send a word doc or other OLE with macros and possibly embedded jscripts. google allows that. you will most likely confirm you can push through executables quite easily without a complacent user bothering to recompose it. actually many ransomware are transferred in this way.
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.