[Esd-l] NOTICE: you probably should add *.CPL to your poison list

Rick Thompson rthompson at rrmm.net
Thu May 6 06:56:52 PDT 2004


I think it would definitely be a great idea to have the option to disallow
by default, and use whitelisted extensions.  I've always subscribed to that
particular methodology.

-----Original Message-----
From: esd-l-bounces at spconnect.com [mailto:esd-l-bounces at spconnect.com] On
Behalf Of John D. Hardin
Sent: Thursday, May 06, 2004 9:15 AM
To: Rob Landry
Cc: Email Security Discussion list
Subject: Re: [Esd-l] NOTICE: you probably should add *.CPL to your
poison list


On Wed, 5 May 2004, Rob Landry wrote:

> Given that the wormmongers seem to be putting arbitrary suffixes
> on their payloads to get around filters such as Sanitizer, might
> it be time to switch to a system whereby all attachments are
> disallowed except those bearing an allowable suffix (.doc, .exe,
> .pdf, .mp3, etc)?

You can do this by setting your $MANGLE_EXTENSIONS thusly:

MANGLE_EXTENSIONS='((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'

Extend the list of acceptable extensions as desired.

Note: I am still checking this against my set of test messages, but it
appears to be working well. I might add some simple scripting to allow
for a variable (maybe $ACCEPTABLE_EXTENSIONS) that, if present, would
override the default $MANGLE_EXTENSIONS as described above. Then you'd
be able to do something more friendly like:

    ACCEPTABLE_EXTENSIONS="txt|jpe?g|gif|png|mp3|etc"

Comments solicited.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Bush? Kerry? I'm so sick of our elections always being "choose the
  lesser of two evils."
-----------------------------------------------------------------------
   180 days until the Presidential Election
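An added example, not part of the original messages and not the Sanitizer's own code: it builds the quoted negative-lookahead pattern from an ACCEPTABLE_EXTENSIONS-style list and checks which constructed filenames it would mangle. The names `build_mangle`, `is_mangled` and `strict` are hypothetical, and the harness assumes the pattern is applied to a final `.ext` of a lower-cased filename.

```python
import re

# Pattern copied verbatim from the message above.
PAGE_PATTERN = r'((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'

def build_mangle(acceptable, strict=False):
    """Build a 'mangle everything except these' pattern from an
    alternation such as 'txt|jpe?g|gif' (the ACCEPTABLE_EXTENSIONS idea).
    strict=True (an assumption of this example) also requires the allowed
    extension to end the name, so 'jpgx' is not accepted as 'jpg'."""
    tail = '$' if strict else ''
    return r'((?!(?:%s)%s)[a-z0-9]+)|\{[-0-9a-f]+\}' % (acceptable, tail)

def is_mangled(filename, pattern):
    """Assumed harness: the pattern must match a final '.ext' of the name."""
    return re.search(r'\.(?:%s)$' % pattern, filename.lower()) is not None

# Constructed sample attachment names.
SAMPLES = [
    'photo.jpg',           # allowed extension
    'PHOTO.JPG',           # same, upper case
    'panel.cpl',           # not on the allow list
    'report.txt.exe',      # allowed extension followed by another one
    'folder.{1234-abcd}',  # CLSID-style suffix (second alternative)
    'image.jpgx',          # extension that merely starts with an allowed one
]

def classify(pattern):
    """Map each sample name to True (mangled) or False (passed)."""
    return {name: is_mangled(name, pattern) for name in SAMPLES}

if __name__ == '__main__':
    loose = build_mangle('jpg|gif|txt|mp3')
    tight = build_mangle('jpg|gif|txt|mp3', strict=True)
    for name in SAMPLES:
        print('%-20s loose=%-5s strict=%s'
              % (name, is_mangled(name, loose), is_mangled(name, tight)))
```

Under this harness the two variants differ only on `image.jpgx`: the lookahead as quoted compares the start of the extension, so whether that matters in practice depends on how the surrounding filter anchors the pattern.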