Best practice

Rick Cooper rcooper at DWFORD.COM
Thu Oct 13 18:18:10 IST 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Leif Neland
> Sent: Thursday, October 13, 2005 8:41 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Best practice
>
>
> From: "Rick Cooper" <rcooper at DWFORD.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Thursday, October 13, 2005 3:03 PM
> Subject: Re: Best practice
> >
> > # Allow XLS/DOC/PDF files that do not have an executable second extension
> > deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.doc$  Attempt to Hide Bad Things With DOC Extension  Attempt to Hide Bad Things With DOC Extension - NO CIGAR!
> > deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.xls$  Attempt to Hide Bad Things With XLS Extension  Attempt to Hide Bad Things With XLS Extension - NO CIGAR!
> > deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.pdf$  Attempt to Hide Bad Things With PDF Extension  Attempt to Hide Bad Things With PDF Extension - NO CIGAR!
> >
> Haven't you got this the other way around?
>
> There is nothing harmful with a filename.bat.doc
> On the other hand, filename.doc.bat might be dangerous.
>

That has to do with an old vulnerability wherein you could place an
incorrect ending suffix such as txt to an executable and it would fire off
rather than use notepad because it was aware of the actual file type. I
don't think it really exists anymore. The normal double filter would catch
something ending some.exe later down the expressions.

The only reason I even keep the above rule around is you never know what
some 3rd party application might do.

Rick
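
The rule ordering discussed in this thread, as an added example that is not part of the original post or MailScanner's own code: it runs the three quoted deny patterns over constructed filenames with first-match-wins evaluation. The tab-separated rule layout, case-insensitive matching, the default allow, and the final catch-all rule standing in for the "normal double filter" are assumptions of this example.

```python
import re
from typing import NamedTuple

# Executable-extension alternation copied from the rules quoted in the thread.
EXEC = r"(?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])"

# Constructed rule text: the first three patterns are the quoted ones; the
# tab-separated layout and the last (catch-all) rule are assumptions.
RULES_TEXT = "\n".join([
    "# action<TAB>regex<TAB>log text<TAB>user report",
    f"deny\t{EXEC}\\.doc$\thidden executable (DOC)\tblocked",
    f"deny\t{EXEC}\\.xls$\thidden executable (XLS)\tblocked",
    f"deny\t{EXEC}\\.pdf$\thidden executable (PDF)\tblocked",
    f"deny\t{EXEC}$\texecutable final extension (hypothetical rule)\tblocked",
])

class Rule(NamedTuple):
    action: str
    pattern: "re.Pattern[str]"
    log: str
    report: str

def parse_rules(text: str) -> list:
    """Parse 'action<TAB>regex<TAB>log<TAB>report' lines, skipping comments."""
    rules = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {number}: expected action, regex, log, report")
        # Case-insensitive matching is an assumption of this example.
        rules.append(Rule(fields[0], re.compile(fields[1], re.I), fields[2], fields[3]))
    return rules

def verdict(rules, filename: str):
    """Return (action, log text) of the first rule that matches, else allow."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.log
    return "allow", "no rule matched"  # default is an assumption

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Constructed sample filenames.
    for name in ("report.bat.doc", "report.doc.bat", "Invoice.EXE.PDF", "budget.xls"):
        print(f"{name:18} -> {verdict(rules, name)}")
```
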

