Best practice

Julian Field MailScanner at
Fri Oct 14 09:31:09 IST 2005


On 13 Oct 2005, at 22:10, Richard Thomas wrote:

> Rabellino Sergio wrote:
>> How do you feel about mycode.c.old or mydocs.tar.gz, or
>> mydata.20051009.txt ???
>> It's hard to tell anyone that he can't send a project in development
>> to someone else because there are double dotted filenames, without
>> concerning
>> the real content.
>> This was the start point for our discussion, then my doubt on that
>> rule. Could be a 'better performance' rule, but are there real
>> attacks caught ONLY by that rule ?
>> For now I've not found any attacks singularly caught by the
>> double-dot rule, but...
> I've been wondering about this myself. I mean sure, block  
> report.doc.exe and hotpic.jpg.pif but is anything really gained by  
> blocking the examples listed by the previous poster? And I mean  
> don't just do some handwaving about "extra security", I'd like to  
> see a real explanation of the gain and preferably a couple of  
> examples.

Please remember that no-one is forcing any of this on you. Don't like  
them? Don't use them. The default rules are the ones I felt were  
worth having, some based on my own experience and some based on  
Microsoft's own lists of such things.

I wrote the double-extension trap rule as an example of what you
could do with my rules system, rather than the simple
extension-blockers provided with any of the commercial alternatives. It has
turned out to be rather useful, and I wouldn't want to be without it.

But if you don't see the reason for having some/all of the rules,  
just delete them. This whole conversation has become a bit pointless  
and circular, in my opinion.
-- 
Julian Field
Buy the MailScanner book at
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
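
Added example, not part of the original message and not MailScanner's shipped rule: a comparison of a broad "any double extension" filename pattern with a narrower one that fires only when the final extension is executable, run over the filenames named in this thread. Both regular expressions, the executable-extension list, and the extra names `notes.txt` and `setup.exe` are assumptions constructed for illustration.

```python
import re

# Constructed patterns for illustration; neither is MailScanner's shipped rule.
# Broad: any two extension-like segments at the end of the name.
BROAD = re.compile(r"\.[a-z0-9]{1,8}\s*\.[a-z0-9]{1,4}$", re.IGNORECASE)

# Assumed list of extensions that Windows runs directly when opened.
EXECUTABLE = ("exe", "pif", "scr", "com", "bat", "cmd")

# Narrow: a double extension whose final segment is executable.
NARROW = re.compile(
    r"\.[a-z0-9]{1,8}\s*\.(?:%s)$" % "|".join(EXECUTABLE), re.IGNORECASE
)

# Filenames quoted in the thread, plus two constructed controls.
SAMPLES = [
    "report.doc.exe",
    "hotpic.jpg.pif",
    "mycode.c.old",
    "mydocs.tar.gz",
    "mydata.20051009.txt",
    "notes.txt",   # constructed: single extension, benign
    "setup.exe",   # constructed: single extension, left to a plain extension rule
]


def verdicts(name):
    """Return whether each pattern would flag the attachment name."""
    # Windows ignores trailing dots and spaces, so compare the normalised name.
    name = name.rstrip(" .")
    return {
        "broad": bool(BROAD.search(name)),
        "narrow": bool(NARROW.search(name)),
    }


def broad_only(names):
    """Names the broad pattern blocks but the narrow pattern lets through."""
    return [n for n in names if verdicts(n)["broad"] and not verdicts(n)["narrow"]]


if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:24} {verdicts(n)}")
    print("blocked only by the broad pattern:", broad_only(SAMPLES))
```

The narrow pattern relies on the executable list staying current, which is the maintenance cost it trades for fewer blocked development files.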
