[Mimedefang] Unsafe file types

David F. Skoll dfs at roaringpenguin.com
Sun Nov 30 10:34:09 EST 2003


On Sun, 30 Nov 2003, Jon R. Kibler wrote:

> I have several questions/comments about unsafe file types.

> 1) Several weeks ago, there was some discussion in a security group
> I follow about unsafe file types. The list compiled by that group
> included several Windows extensions that are not in the current MD
> list. These are:

As far as I'm concerned, it's a sucker's game to try to keep up with all
the possible Windoze threats.

In my opinion, any file is unsafe on Windoze, because Windoze is unsafe
by nature.  We just try to catch the most common ones used by actual
viruses in the wild.

At Roaring Penguin, we solve the problem by not running Windoze.
I realize that many people feel this is not an option.

> 4) Finally, rather than looking at the file extension, wouldn't it
> be smarter to look at the content-type header to judge whether a file
> is potentially dangerous?

No, because Windoze programs tend to look at the extension and ignore
the Content-Type.

> 4b) Using the current MD schema of looking only at file extensions,
> it would appear to be easy to slip executable content past the filter
> by simply changing the file name from something like 'prog.exe' to
> 'prog.exe.txt'. Am I missing something here?

Renaming prog.exe to prog.exe.txt makes it "safe" in that clicking on
it won't cause Windoze to execute it.

> 4c) So, I guess the bottom line to this question is why examine file
> extensions when content-type may be a better indicator of what the
> file contains?

Because of a design flaw in Windoze that stores file metadata (the
content type) in the filename extension.  This design flaw is the
primary factor responsible for the spread of Windoze viruses, and has
probably cost the world economy billions of dollars.

To be super-safe, you should look at the file name, and also the
file contents -- if the first few bytes of the file match a Windoze
executable signature, you should probably prevent delivery.

Regards,

David.



More information about the MIMEDefang mailing list