This has long been on the feature request list: attachment types. We’ve implemented some code to start this off with checking a static list of attachment extensions to reject. In addition to this list we’ll also be rejecting double extensions (like .exe.zip) and extensions with non-alphanumeric characters. Right now we’ve just deployed this as logging only to observe the results before switching on the rejecting portion of the code.
The rejected list of extensions will be:
chm, ade, adp, app, asp, bas, bat, cab, cer, chm, cmd, com, cpl, crt, csh, der, exe, fxp, gadget, hlp, hta, inf, ins, isp, its, js, jse, ksh, lib, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msh, msh1, msh2, mshxml, msh1xml, msh2xml, msi, msp, mst, ops, pcd, pif, plg, prf, prg, pst, reg, scf, scr, sct, shb, shs, sys, ps1, ps1xml, ps2, ps2xml, psc1, psc2, tmp, url, vb, vbe, vbs, vsmacros, vsw, vxd, ws, wsc, wsf, wsh, xnk
In the future we will expand this in the account control center by allowing this feature to be disabled, add custom extensions to the list, and an inverse option of reject all extensions except a list of approved ones (as defined by the user). For now, contact support to request deactivation of this feature if you don’t want it applied to your domains.
UPDATE: Attachment extension name blocking is now live.
UPDATE July 7, 2016: We’ve added “docm”, “xlsm”, and “pptm” to the list.