Can a firewall tamper with email attachments?

When you send an email, it doesn't go directly from the sender to the receiver. It is sent via a mail protocol (e.g. SMTP) to a mail server, which then routes it to the mail server responsible for the target address, or just stores it if the sender and receiver servers are the same. From there the target asks their mail server (via another mail protocol, e.g. POP3) for any new emails, and downloads them.

For example (domain names not accurate):

  • Alice, whose email address is [email protected], wants to send an email to [email protected].
  • Alice looks up the MX DNS entry for hotmail.com and gets mx1.hotmail.com, so she connects there and sends the email via SMTP, optionally via TLS for security.
  • mx1.hotmail.com looks at [email protected] and finds the MX entry for gmail.com, which is mx1.gmail.com. The Hotmail server forwards the email along to Gmail.
  • Bob checks his email. He talks to mx1.gmail.com via POP3, optionally over TLS, and gets the email.

This is an oversimplification, since the forwarding step often involves sending the email to a mail exchange gateway of some kind, which then selects which internal mail server it should be sent to.

Whilst the protocols involved may be encrypted, the emails and their attachments are not encrypted when they reach the mail server. At any point in this chain, the email contents could be inspected or modified. They may do some form of malware scan on the files, or strip attachments based on whatever policy they choose.

The standard way of preventing this is to use an email encryption scheme, e.g. GPG. This involves encrypting the data at the sender's end and decrypting it again at the receiver's end, with keys preshared via asymmetric cryptography.


Typical corporate firewalls will almost universally block or sandbox various types of email attachments. Typically they do it based on a combination of:

  1. Simple type matching rules (.exe, .pdf...)

  2. Some heuristic checking such as sourcing or destination based on feedback of subscribed blacklists.

  3. Complete virus checking.

Note, it is not always the "firewall" that does this. Most of the time, it is a plugin or add-on device to the email gateway (egress and ingress). Various companies sell specialized devices.

Good ones will notify the recipient and allow them to approve or disapprove the receipt of the attachment. Some just carte-blanche drop them. Some organizations (as it may appear in your case) have decided that PDFs are bad juju (smart organization), and are either just rejecting them outright, or scanning them heavily and blocking them.

As polynomial mentioned, you can attempt to get by this with fully encrypted email; however, I have found that sometimes this pegs on the alarms equally and will end up getting the whole email sandboxed.

Overall this is the weakness of these devices: they are essentially rule-driven. A few of the better ones get some feedback cycle and do self-modify a little, but still very slowly and still rather brittle. So these security devices tend to be over- or under-aggressive and, as a result of that, either worthless or attackable.
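The attachment stripping that both answers describe can be reproduced and detected offline. The following is an added example, not code from either answer: it simulates a gateway applying the simple type-matching rule (.exe, .pdf) and has the receiver compare SHA-256 digests against a sender-side manifest. The addresses, file names and helper names are constructed, and the manifest is assumed to arrive out of band or inside a signed message, since one carried unsigned in the same mail could be rewritten by the same hop.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".pdf")  # assumed gateway policy: simple type matching


def build_message():
    """Constructed sample mail with two attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"a,b\n1,2\n", maintype="application",
                       subtype="octet-stream", filename="data.csv")
    return msg


def attachment_digests(raw):
    """Map attachment filename -> SHA-256 of its decoded payload."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): hashlib.sha256(p.get_payload(decode=True)).hexdigest()
            for p in msg.iter_attachments()}


def gateway_filter(raw):
    """Simulated mail gateway: drop parts whose filename matches the policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    kept = [p for p in msg.iter_parts()
            if not (p.get_filename() or "").lower().endswith(BLOCKED_EXT)]
    msg.set_payload(kept)
    return msg.as_bytes()


def compare(sent, received):
    """Return (missing, modified) attachment names from two digest manifests."""
    missing = sorted(n for n in sent if n not in received)
    modified = sorted(n for n in sent
                      if n in received and sent[n] != received[n])
    return missing, modified


if __name__ == "__main__":
    raw = build_message().as_bytes()
    sent = attachment_digests(raw)  # manifest the sender shares out of band
    received = attachment_digests(gateway_filter(raw))
    print(compare(sent, received))
```

A digest manifest only detects the change; keeping an intermediate server from reading or altering the content still requires the end-to-end encryption the first answer points to.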