Best practice
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Oct 14 09:31:09 IST 2005
On 13 Oct 2005, at 22:10, Richard Thomas wrote:
> Rabellino Sergio wrote:
>
>
>> How do you feel about mycode.c.old or mydocs.tar.gz, or
>> mydata.20051009.txt ???
>>
>> It's hard to tell anyone that he can't send a project in development
>> to someone else because there are double dotted filenames, without
>> concerning the real content.
>>
>> This was the starting point for our discussion, then my doubt on that
>> rule. Could be a 'better performance' rule, but are there real
>> attacks caught ONLY by that rule?
>>
>> For now I've not found any attacks singularly caught by the
>> double-dot rule, but...
>>
>>
> I've been wondering about this myself. I mean sure, block
> report.doc.exe and hotpic.jpg.pif but is anything really gained by
> blocking the examples listed by the previous poster? And I mean
> don't just do some handwaving about "extra security", I'd like to
> see a real explanation of the gain and preferably a couple of
> examples.

Please remember that no-one is forcing any of this on you. Don't like
them? Don't use them. The default rules are the ones I felt were
worth having, some based on my own experience and some based on
Microsoft's own lists of such things.

I wrote the double-extension trap rule as an example of what you
could do with my rules system, rather than the simple
extension-blockers provided with any of the commercial alternatives. It has
turned out to be rather useful, and I wouldn't want to be without it.

But if you don't see the reason for having some/all of the rules,
just delete them. This whole conversation has become a bit pointless
and circular, in my opinion.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
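
The two positions in this thread can be compared on the filenames the posters themselves mention. The following is an added example, not part of the original message and not MailScanner's shipped rule set; the `EXECUTABLE` list and both rule functions are assumptions made for illustration.

```python
# Extensions treated as directly executable on Windows (assumed list for this example).
EXECUTABLE = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "lnk"}

# Filenames taken from the thread above.
THREAD_NAMES = [
    "report.doc.exe", "hotpic.jpg.pif",
    "mycode.c.old", "mydocs.tar.gz", "mydata.20051009.txt",
]

def extensions(name):
    """Lower-cased dot-separated components after the base name."""
    parts = name.strip().lower().split(".")
    return [p.strip() for p in parts[1:] if p.strip()]

def broad_rule(name):
    """Hypothetical catch-all: deny any name with two or more extensions."""
    return len(extensions(name)) >= 2

def narrow_rule(name):
    """Hypothetical targeted rule: deny only when an executable extension
    follows at least one other extension."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE

def compare(names):
    """Map each name to (broad verdict, narrow verdict); True means deny."""
    return {n: (broad_rule(n), narrow_rule(n)) for n in names}

def only_broad(names):
    """Names denied by the broad rule but not by the narrow one."""
    return [n for n, (b, t) in compare(names).items() if b and not t]

if __name__ == "__main__":
    for name, (b, t) in compare(THREAD_NAMES).items():
        print(f"{name:22} broad={'deny' if b else 'allow':5} "
              f"narrow={'deny' if t else 'allow'}")
    print("denied only by the broad rule:", only_broad(THREAD_NAMES))
```

A plain single-extension name such as `setup.exe` passes both functions; that case belongs to an ordinary extension rule, not a double-extension one.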