Process application requests in global.asax and validate upload requests at that point.
The supported file extensions in Episerver can be seen here.
Find an up-to-date database of file signatures and build a dictionary or list to check against. For example: http://www.filesignatures.net/index.php
There are many discussions on this, as seen here. This would allow a developer to read the file's header rather than evaluating the extension, but there is more on that.
Additional post-upload security can be looked at in a custom media handler, as seen here.
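One way to implement the signature dictionary and header check described above, as an added example that is not code from the original post or from Episerver. The names `FileSignatureValidator` and `IsAllowed` are hypothetical, the signature table is a small constructed subset, and the caller is assumed to pass the posted file name and its input stream from wherever the upload request is inspected.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class FileSignatureValidator
{
    // Leading "magic" bytes per allowed extension. Illustrative subset only;
    // a production list should be built from a maintained signature database.
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
            { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 },     // GIF87a
                               new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 } } }, // GIF89a
            { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } } }              // %PDF
        };

    // True only when the extension is on the allow-list AND the content starts
    // with one of that extension's signatures. Unknown extensions fail closed.
    public static bool IsAllowed(string fileName, Stream content)
    {
        byte[][] expected;
        if (!Signatures.TryGetValue(Path.GetExtension(fileName) ?? "", out expected))
            return false;

        var header = new byte[expected.Max(s => s.Length)];
        long start = content.CanSeek ? content.Position : 0;
        int read = 0, n;
        // Read may return fewer bytes than requested, so loop until full or EOF.
        while (read < header.Length && (n = content.Read(header, read, header.Length - read)) > 0)
            read += n;
        if (content.CanSeek) content.Position = start; // rewind for the real upload handler

        return expected.Any(sig => read >= sig.Length && header.Take(sig.Length).SequenceEqual(sig));
    }

    public static void Main()
    {
        // Constructed samples: a PNG header, and plain text saved with a .png name.
        var png = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 };
        var text = System.Text.Encoding.ASCII.GetBytes("plain text, not an image");
        Console.WriteLine(IsAllowed("logo.png", new MemoryStream(png)));  // header matches extension
        Console.WriteLine(IsAllowed("logo.png", new MemoryStream(text))); // extension lies about content
        Console.WriteLine(IsAllowed("tool.exe", new MemoryStream(png)));  // extension not on allow-list
    }
}
```

A matching header only shows that the first bytes agree with the claimed type; it says nothing about the rest of the file, which is why the post-upload handling in the last point still matters.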