Best practice

Julian Field MailScanner at ecs.soton.ac.uk
Fri Oct 14 09:24:21 IST 2005



On 13 Oct 2005, at 18:18, Rick Cooper wrote:

>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>> Behalf Of Leif Neland
>> Sent: Thursday, October 13, 2005 8:41 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: Best practice
>>
>>
>> From: "Rick Cooper" <rcooper at DWFORD.COM>
>> To: <MAILSCANNER at JISCMAIL.AC.UK>
>> Sent: Thursday, October 13, 2005 3:03 PM
>> Subject: Re: Best practice
>>
>>>
>>> # Allow XLS/DOC/PDF files that do not have an executable second extension
>>> deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf]) \.doc$  Attempt to Hide Bad Things With DOC Extension  Attempt to Hide Bad Things With DOC Extension - NO CIGAR!
>>> deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf]) \.xls$  Attempt to Hide Bad Things With XLS Extension  Attempt to Hide Bad Things With XLS Extension - NO CIGAR!
>>> deny  (?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf]) \.pdf$  Attempt to Hide Bad Things With PDF Extension  Attempt to Hide Bad Things With PDF Extension - NO CIGAR!
>>>
>>>
>> Haven't you got this the other way around?
>>
>> There is nothing harmful with a filename.bat.doc
>> On the other hand, filename.doc.bat might be dangerous.
>>
>>
>
> That has to do with an old vulnerability wherein you could place an
> incorrect ending suffix such as txt to an executable and it would fire off
> rather than use notepad because it was aware of the actual file type. I
> don't think it really exists anymore. The normal double filter would catch
> something ending some.exe later down the expressions.

There certainly was a vulnerability whereby if you had 3 extensions,  
and the 3rd one started at the 256th character in the filename then  
it would use the 2nd one. Something like that, but that is why I put  
in the "long filename" and "lots of spaces" rules.
I never saw any patch which definitely said they had fixed it, so the  
rules have stayed.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
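
The rule ordering discussed in this thread, as an added example that is not part of the original message or of MailScanner itself. It assumes the first matching rule decides and that the line-wrapped patterns quoted above are contiguous; the "long filename" and "lots of spaces" thresholds, the final executable rule, and all sample filenames are constructed for illustration.

```python
import re

# Executable extensions, copied from the rules quoted in the thread.
EXEC = r"(?:\.exe|\.scr|\.bat|\.com|\.vb[es]|\.cmd|\.pif|\.ws[chf])"

# Rules are tried top to bottom and the first match decides (assumption).
RULES = [
    # Quoted rules, assumed contiguous: executable extension, then .doc/.xls/.pdf.
    ("deny", EXEC + r"\.doc$", "executable extension hidden before .doc"),
    ("deny", EXEC + r"\.xls$", "executable extension hidden before .xls"),
    ("deny", EXEC + r"\.pdf$", "executable extension hidden before .pdf"),
    # Stand-ins for the "long filename" and "lots of spaces" rules mentioned
    # in the reply; the thresholds 150 and 10 are constructed, not from the page.
    ("deny", r".{150,}", "very long filename"),
    ("deny", r"\s{10,}", "lots of white space"),
    # Constructed stand-in for the later rule that catches names ending .exe etc.
    ("deny", EXEC + r"$", "executable final extension"),
]
COMPILED = [(action, re.compile(pat, re.IGNORECASE | re.DOTALL), why)
            for action, pat, why in RULES]


def check_filename(name):
    """Return (action, reason) from the first rule that matches, else allow."""
    for action, pattern, why in COMPILED:
        if pattern.search(name):
            return action, why
    return "allow", "no rule matched"


# Constructed attachment names covering each case raised in the thread.
SAMPLES = [
    "report.doc",                       # plain document
    "report.bat.doc",                   # what the quoted rules target
    "report.doc.bat",                   # the ordering Leif asks about
    "notes.txt" + " " * 40 + ".scr",    # real extension pushed out of view
    "a" * 250 + ".txt.pif",             # extension beyond the 256th character
    "budget.xls",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        action, why = check_filename(sample)
        shown = sample if len(sample) <= 40 else sample[:20] + "..." + sample[-12:]
        print(f"{action:5} {shown!r:45} {why}")
```

Because the length and white-space rules sit above the final-extension rule, the padded and over-long names are rejected for that reason before their last extension is ever examined.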


