[Mimedefang] filtering bad filename vs. file scanning

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Mon Sep 29 21:11:01 EDT 2003


On 2003-09-26 at 11:11:34+0800 cc <cc at belfordhk.com> wrote:
> Since I started using MIMEDefang, any EXE files are removed from the
> email.  Currently, this is a good thing (with SWEN swarming around
> the 'Net), but is it a good thing in the long run?

My $0.02: absolutely.

In fact, we've been testing code to prohibit MS-DOS executables
entirely, regardless of extension or whether the executable contains
viral content.  This is how we do it:

  # 
  # Reject MS-DOS executables (regardless of extension) by identifying
  # their magic.
  # 

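  if (defined $entity->bodyhandle) {
    my $path = $entity->bodyhandle->path;
    if ($path) {
      # Three-argument open with a lexical handle, so $path is never
      # parsed for mode characters.
      if (open my $fh, '<', $path) {
        binmode $fh;    # compare raw bytes
        my $file_data;
        my $read_chars = read $fh, $file_data, 1024;
        close $fh;
        # read returns undef on error; the "MZ" magic is two bytes long.
        if (defined $read_chars && $read_chars >= 2) {
          if ((substr ($file_data, 0, 2)) eq 'MZ') {
            action_bounce ('MS-DOS executables are not accepted here', '550', '5.7.0');
            return;
          }
        }
      }
    }
  }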

(Deciding to infer file contents from the filename extension is one of
the dumbest decisions Microsoft ever made.)

If people validly need to send or receive MS-DOS executables, they can
ZIP them first.

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
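
Added example, not part of the original post and not MIMEDefang code: a standalone Perl sketch of content-based identification that goes one step beyond the two-byte "MZ" test by following the header's e_lfanew field to look for a "PE\0\0" signature, and that also recognises ZIP magic. The function name classify_by_magic and the sample files are constructed for illustration; note that a plain-text file that happens to begin with "MZ" still classifies as 'mz', which is the false-positive case of a two-byte check.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Classify a file by its leading bytes, ignoring its name entirely.
# Returns 'pe', 'mz', 'zip' or 'other'. (Hypothetical helper for this example.)
sub classify_by_magic {
    my ($path) = @_;
    open(my $fh, '<', $path) or return 'other';
    binmode $fh;
    my $got = read($fh, my $head, 64);
    return 'other' unless defined $got && $got >= 2;
    return 'zip'   if substr($head, 0, 4) eq "PK\x03\x04";
    return 'other' unless substr($head, 0, 2) eq 'MZ';
    # e_lfanew: little-endian 32-bit file offset of the PE header, at 0x3C.
    if ($got >= 64) {
        my $pe_off = unpack('V', substr($head, 0x3C, 4));
        my $sig;
        if (seek($fh, $pe_off, 0) && (read($fh, $sig, 4) // 0) == 4) {
            return 'pe' if $sig eq "PE\0\0";
        }
    }
    return 'mz';    # MZ magic only: DOS program, or data that merely starts with "MZ"
}

# Constructed samples with deliberately misleading names.
my $dir     = tempdir(CLEANUP => 1);
my %samples = (
    'invoice.txt' => 'MZ' . ("\0" x 58) . pack('V', 64) . "PE\0\0",  # PE layout
    'old.pif'     => 'MZ' . ("\0" x 62),                             # MZ, no PE
    'notes.txt'   => "MZ starts this plain-text note\n",             # text only
    'tool.zip'    => "PK\x03\x04" . ("\0" x 26),                     # ZIP magic
);
for my $name (sort keys %samples) {
    my $file = "$dir/$name";
    open(my $out, '>', $file) or die "$file: $!";
    binmode $out;
    print {$out} $samples{$name};
    close $out or die "$file: $!";
    printf "%-12s %s\n", $name, classify_by_magic($file);
}
```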



