[Mimedefang] Update to MIMEDefang Filter KAM

Joseph Brennan brennan at columbia.edu
Mon Apr 19 12:46:05 EDT 2004



--On Monday, April 19, 2004 10:30 AM -0600 Lucas Albers 
<admin at cs.montana.edu> wrote:

> This filter just removes inline html iframe exploit code?
> Had anyone complained about anything from this code?
> You've been using it in production for the past few months without
> problems? If you use internal virus scanners, would it interfere with
> their signature matching of the email?
> Is this a feature that could be folded back into the default mimedefang?
>
>
> Joseph Brennan said:
>>
>>
>>>           md_graphdefang_log('modify',"$badtag Iframe/Object/Script tag(s) deactivated by MIMEDefang using Columbia filter");



No complaints in about 10 months.  We get 900,000 messages a day
of which about 9,000 get this modification done.

The tag starting <no-object  and so on is not valid html, so the
whole thing is ignored.

Since we deactivate these, and remove executables including zip files,
we have so far resisted antivirus software.

<rant>
I see the latest Netsky makes use of a Microsoft invention called
Dynamic HTML that does script-like things without any of these
tags.  Some use <STYLE...> tags to define the DHTML but there is
a way to avoid even that.  So far I do not see how to detect this
one cleanly.  Some of the triggers are normal English words followed
by colon, so what would we do, disallow colons between < and >?  If
the virus mail didn't annoy non-MS users I'd be tempted to say I
don't care any more.  It's freakin ridiculous.
</rant>

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
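
Added example, not part of the original message and not the Columbia filter's own code: a Perl routine that renames iframe/object/script tags to a `no-` form, as the message describes, and counts them for the log line. The helper name `deactivate_tags`, the exact `no-<name>` spelling for iframe and script, and the sample body are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Tag names taken from the log message quoted in the post.
my $TAGS = join '|', qw(iframe object script);

# Hypothetical helper (not the Columbia filter's code): rename opening and
# closing iframe/object/script tags to no-<name>, which is not valid HTML.
# Returns the rewritten HTML and the number of tags renamed.
sub deactivate_tags {
    my ($html) = @_;
    # (/?) keeps a closing-tag slash; the lookahead requires the tag name to
    # end here, so <objective> or <scripts> are left alone.
    my $n = ($html =~ s{<(/?)($TAGS)(?=[\s/>]|\z)}{<${1}no-$2}gi);
    return ($html, $n || 0);
}

# Constructed sample body, for illustration only.
my $sample = <<'HTML';
<html><body>
<p>Quarterly report attached.</p>
<IFRAME src="cid:placeholder" height=0 width=0></IFRAME>
<Script Language="JavaScript">placeholder()</Script>
<object data="placeholder.bin"></object>
<p>An <objective> word that only looks like a tag.</p>
</body></html>
HTML

my ($clean, $badtag) = deactivate_tags($sample);
print $clean;
# Same wording as the log call quoted above; written to STDERR here so the
# script runs outside MIMEDefang.
print STDERR "$badtag Iframe/Object/Script tag(s) deactivated\n" if $badtag;
```

On the sample this renames six tags (three opening, three closing) and leaves `<objective>` alone. As the message notes, content that gets script-like behaviour without any of these tags is not touched by this rewrite.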


