Best practice
Richard Thomas
richard.thomas at PSYSOLUTIONS.COM
Thu Oct 13 22:16:59 IST 2005
Rick Cooper wrote:
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Leif Neland
>>Sent: Thursday, October 13, 2005 8:41 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Best practice
>>
>>
>>From: "Rick Cooper" <rcooper at DWFORD.COM>
>>To: <MAILSCANNER at JISCMAIL.AC.UK>
>>Sent: Thursday, October 13, 2005 3:03 PM
>>Subject: Re: Best practice
>>
>>
>>># Allow XLS/DOC/PDF files that do not have an executable second extension
>>>deny (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.doc$  Attempt to Hide Bad Things With DOC Extension  Attempt to Hide Bad Things With DOC Extension - NO CIGAR!
>>>deny (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.xls$  Attempt to Hide Bad Things With XLS Extension  Attempt to Hide Bad Things With XLS Extension - NO CIGAR!
>>>deny (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])\.pdf$  Attempt to Hide Bad Things With PDF Extension  Attempt to Hide Bad Things With PDF Extension - NO CIGAR!
>>>
>>Haven't you got this the other way around?
>>
>>There is nothing harmful with a filename.bat.doc
>>On the other hand, filename.doc.bat might be dangerous.
>>
>>
>>
>
>That has to do with an old vulnerability wherein you could place an
>incorrect ending suffix such as txt to an executable and it would fire off
>rather than use notepad because it was aware of the actual file type. I
>don't think it really exists anymore. The normal double filter would catch
>something ending some.exe later down the expressions.
>
>
In that case, isn't the script still incorrect since it is looking for
exe, scr, bat etc. in the filename when presumably that wouldn't be
required and you could have a document.txt with an executable mimetype?
Rich
>The only reason I even keep the above rule around is you never know what
>some 3rd party application might do.
>
>Rick
>
>
--
MIS Department | Psychiatric Solutions Inc | Phone: +1 615 312 5787
840 Crescent Ctr Dr | Fax: +1 615 312 5711
Suite 460 | Support: helpdesk at psysolutions.com +1 615 312 5888
Franklin, TN 37067
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
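An added illustration of the point argued in this thread, written in Python and not taken from the thread or from MailScanner itself: the quoted rules only match an executable extension sitting *before* .doc/.xls/.pdf, so a name with the executable extension *last* is left for whatever later rule exists. The rule ordering, first-match semantics and case-insensitive matching are assumptions about how the configuration is applied, and the extra rule names are mine.

```python
import re

# Alternation copied from the rules quoted in the thread.
EXEC_EXTS = r"(?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])"

# Constructed rule tuples in the spirit of filename.rules.conf: (action, regex, log text).
# These three are the rules as quoted: executable extension *before* the document extension.
QUOTED_RULES = [
    ("deny", EXEC_EXTS + r"\.doc$", "Attempt to Hide Bad Things With DOC Extension"),
    ("deny", EXEC_EXTS + r"\.xls$", "Attempt to Hide Bad Things With XLS Extension"),
    ("deny", EXEC_EXTS + r"\.pdf$", "Attempt to Hide Bad Things With PDF Extension"),
]

# The direction Leif raises: a document-looking name whose *final* extension is executable.
DOUBLE_EXT_RULE = (
    "deny",
    r"\.(?:doc|xls|pdf|txt)" + EXEC_EXTS + r"$",
    "Executable hiding behind a document extension",
)

# A plain "executable final extension" rule, the kind of later filter Rick relies on.
FINAL_EXEC_RULE = ("deny", EXEC_EXTS + r"$", "Executable attachment")


def evaluate(filename, rules):
    """Return (action, log_text) for the first matching rule.

    Assumed semantics: rules are tried top to bottom, the first hit wins,
    matching is case-insensitive, and a filename no rule matches is allowed.
    """
    for action, pattern, text in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, text
    return "allow", None


if __name__ == "__main__":
    for name in ("report.exe.doc", "report.doc.exe", "Quarterly.PDF"):
        print(name, evaluate(name, QUOTED_RULES), evaluate(name, QUOTED_RULES + [FINAL_EXEC_RULE]))
```

Note that none of these rules sees the MIME type or the actual content of the attachment, which is exactly the gap Richard points at: a name like document.txt with an executable MIME type passes every filename-only rule here.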