[Esd-l] NOTICE: you probably should add *.CPL to your
poison list
John D. Hardin
jhardin at impsec.org
Thu May 6 06:15:23 PDT 2004
On Wed, 5 May 2004, Rob Landry wrote:
> Given that the wormmongers seem to be putting arbitrary suffixes
> on their payloads to get around filters such as Sanitizer, might
> it be time to switch to a system whereby all attachments are
> disallowed except those bearing an allowable suffix (.doc, .exe,
> .pdf, .mp3, etc)?
You can do this by setting your $MANGLE_EXTENSIONS thusly:
MANGLE_EXTENSIONS='((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'
Extend the list of acceptable extensions as desired.
Note: I am still checking this against my set of test messages, but it
appears to be working well. I might add some simple scripting to allow
for a variable (maybe $ACCEPTABLE_EXTENSIONS) that, if present, would
override the default $MANGLE_EXTENSIONS as described above. Then you'd
be able to do something more friendly like:
ACCEPTABLE_EXTENSIONS="txt|jpe?g|gif|png|mp3|etc"
Comments solicited.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Bush? Kerry? I'm so sick of our elections always being "choose the
lesser of two evils."
-----------------------------------------------------------------------
180 days until the Presidential Election
More information about the esd-l
mailing list