Allow multiple filename extensions?

Mike Dunderdale mdunder at GE.UCL.AC.UK
Fri Jul 11 15:33:04 IST 2003


The reason that the double extensions are disallowed is because it's a
known method of trying to fool users, in particular Outlook Express, into
running programs. Certain Windows programs only show the first of the two
extensions, thus fooling the user into thinking that they're opening one
sort of file (e.g. a document .doc) instead of opening a nasty script (.vbs)

That's the sort of attack which may not be a virus per se, but will still
do nasty things to your users' computers.

Hence the double extension rule.

I'd just encourage your users to put it all into a correctly named zip
file - bypassing this kind of check and reducing bandwidth into the
bargain.

M.

On Fri, 11 Jul 2003, Antony Stone wrote:

> On Friday 11 July 2003 2:58 pm, Tom Combs wrote:
>
> > Hello,
> >
> >   I'm not clear on the need for denying multiple filename extensions.
> >   It seems if an attachment contained a virus, it would be checked by
> >   the virus scanner and either caught or cleared regardless of the
> >   extension.  Does having multiple filename extensions somehow
> >   circumvent this process?
> >
> >   I'm considering dropping this ruleset:
> >
> > deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension
> >
> >   Is this a mistake?
>
> I have removed this rule from my systems - I am happy simply to block the
> explicit final extensions which I know can be dangerous.
>
> I look at it this way:
>
> 1. If the final extension is on my 'blocked' list, the email gets blocked and
> I don't care if there was a double extension.
>
> 2. If the final extension is not on my 'blocked' list, then allow the email,
> because it's not going to do anything dangerous on a Windoze machine which
> acts on that final extension anyway.
>
> If anyone knows of a reason why this could be a dangerous policy, please tell
> me :)
>
> Regards,
>
> Antony.
>
> --
>
> G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o?
> w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5?
> !X- !R K--?
>

-------------------------------------------------------------------------
           Mike Dunderdale                |  tel: ++44 20 7679 2756
IT Systems Manager, Geomatic Engineering  |  fax: ++44 20 7380 0453
     mike.dunderdale at ge.ucl.ac.uk         |  mob: ++44 7939 455 245
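As an added illustration (not from the thread or from MailScanner itself), the quoted deny rule evaluated the way a filename.rules.conf ruleset is applied, side by side with Antony's final-extension blocklist policy, on constructed filenames. The trailing catch-all allow line, the blocklist contents and case-insensitive matching are assumptions.

```python
import re

# Constructed ruleset in MailScanner filename.rules.conf style: tab-separated
# action, regex, log text, user report text. The deny line is the rule quoted
# in the thread; the allow-all line is an assumed trailing default.
RULES_CONF = (
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$"
    "\tFound possible filename hiding\tAttempt to hide real filename extension\n"
    "allow\t.*\t-\t-\n"
)

# Constructed blocklist standing in for Antony's "explicit final extensions".
BLOCKED_FINAL = {".vbs", ".exe", ".scr", ".pif"}


def parse_rules(text):
    """Turn rules-file text into (action, compiled regex, log text, user text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, log_text, user_text = line.split("\t", 3)
        # Assumption: patterns are matched case-insensitively, so REPORT.DOC.VBS
        # is treated like report.doc.vbs.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules


RULES = parse_rules(RULES_CONF)


def evaluate(filename, rules=RULES):
    """First-match evaluation: return (action, log text) of the first rule that hits."""
    for action, regex, log_text, _ in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "no rule matched"


def blocked_by_final_extension(filename):
    """Antony's policy: only the last extension decides, whitespace padding ignored."""
    name = filename.rstrip().lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in BLOCKED_FINAL


if __name__ == "__main__":
    for f in ["report.doc.vbs", "REPORT.DOC.VBS", "notes.tar.bz2", "quarterly.xls"]:
        print(f, evaluate(f), "final-ext blocked:", blocked_by_final_extension(f))
```

The two policies disagree on notes.tar.bz2: the double-extension rule denies it while the final-extension blocklist lets it through, which is the kind of legitimate attachment behind the original question and Mike's advice to zip things up.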



More information about the MailScanner mailing list