SV: Double File Extensions
Anders Andersson, IT
andersan at LTKALMAR.SE
Thu Jan 30 15:35:38 GMT 2003
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: 30 January 2003 16:25
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Double File Extensions
>
>
> I have always put that one near the bottom as there is no point in denying
> *.jan.txt, *.feb.txt, etc.
Shouldn't this be the default for most extensions... I mean allowing
i.e. name.name.doc etc. etc.
I was supposed to have changed that to the default policy since users
sometimes do make mistakes and there is no point blocking those.
Maybe you should consider that for all safe/normal files?
I can't say if that will cause probs with name.vbs.doc on
Windows computers... who knows how it will execute that,
but hopefully not.
/Anders
>
> At 15:19 30/01/2003, you wrote:
> >Julian,
> >I've just read the MessageLabs article referred to in your post, "Security
> >Alert, ban very long filenames" and I wondered, in light of that, where
> >you think the rule contained in this following post (from earlier this
> >week) should go? I'm toying with the idea of moving it above all the allows
> >
> > > >In the process of testing, I found that a double extension can get through
> > > >if there is a space (or multiple spaces) between the first (fake) file
> > > >extension and the second (actual) file extension. Since a space after the
> > > >fake file extension will probably be just as invisible as the actual file
> > > >extension, it could be a way to sneak past the filters while getting the
> > > >same nefarious effect. I propose that by default the last line in
> > > >filename.rules.conf be changed to:
> > > >
> > > >deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
> > >
> > > Good idea. It will be in the next release.
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > MailScanner thanks transtec Computers for their support
> > >
> >
> >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
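
An added example, not part of the thread and not MailScanner's own code: a minimal first-match evaluator in Python for rules in the style of filename.rules.conf, comparing the rule proposed above with an assumed earlier form that lacks `\s*`. The allow rule for month names, the sample filenames and the case-insensitive matching are assumptions made for illustration.

```python
import re

# Constructed rules modelled on filename.rules.conf: (action, regex, log text).
# Rules are tried top to bottom and the first match decides the outcome.
# Case-insensitive matching is an assumption of this sketch.
ALLOW_MONTHS = ("allow", r"\.(jan|feb|mar)\.txt$", "monthly report name")
OLD_DENY = ("deny", r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$",
            "Found possible filename hiding")   # assumed earlier form, no \s*
NEW_DENY = ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
            "Found possible filename hiding")   # rule proposed in the thread


def verdict(filename, rules):
    """Return (action, log text) of the first matching rule, else allow."""
    for action, pattern, text in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, text
    return "allow", "no rule matched"


def compare(filenames):
    """Map each filename to its action under the old and the new deny rule."""
    old_rules = [ALLOW_MONTHS, OLD_DENY]
    new_rules = [ALLOW_MONTHS, NEW_DENY]
    return {name: (verdict(name, old_rules)[0], verdict(name, new_rules)[0])
            for name in filenames}


# Constructed sample attachment names.
SAMPLES = [
    "notes.txt",           # single extension
    "report.jan.txt",      # benign double extension covered by the allow rule
    "name.name.doc",       # benign double extension with no allow rule
    "invoice.txt.exe",     # classic double extension
    "invoice.txt .exe",    # one space before the real extension
    "invoice.doc   .scr",  # several spaces before the real extension
]

if __name__ == "__main__":
    for name, (old, new) in compare(SAMPLES).items():
        print(f"{name!r:24} old={old:5} new={new}")
    # Rule order matters: with the deny above the allow, the report is blocked.
    print(verdict("report.jan.txt", [NEW_DENY, ALLOW_MONTHS]))
```
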