[Mimedefang] Unsafe file types
Joseph Brennan
brennan at columbia.edu
Sun Nov 30 21:16:09 EST 2003
--On Sunday, November 30, 2003 10:34 -0500 "David F. Skoll"
<dfs at roaringpenguin.com> wrote:
>> 4b) Using the current MD schema of looking only at file extensions,
>> it would appear to be easy to slip executable content past the filter
>> by simply changing the file name from something like 'prog.exe' to
>> 'prog.exe.txt'. Am I missing something here?
>
> Renaming prog.exe to prog.exe.txt makes it "safe" in that clicking on
> it won't cause Windoze to execute it.
We actually use this loophole deliberately. If people insist they want
someone to send them a Windows exe file, we tell them the sender can
name it to end with txt and say in the message what the correct name
should be. We allow zip files too. We are not blocking executables
as such, but blocking things that will execute on one click. One must
draw the line somewhere, and that's where we chose to draw it.
Note too that this is only a suggested filter in Mimedefang. You can
definitely write in different tests to support stronger or weaker filters
on file attachments. Flexibility is good.
Joseph Brennan
Academic Technologies Group, Academic Information Systems
Columbia University in the City of New York
More information about the MIMEDefang
mailing list