[Mimedefang] survey: dropping password protected file

Brett Simpson simpsonb at hillsboroughcounty.org
Thu Mar 4 10:18:08 EST 2004


On Thursday 04 March 2004 08:57 am, Joseph Brennan wrote:
> --On Wednesday, March 3, 2004 2:53 PM -0600 James Miller <jimm at simutronics.com> wrote:
> >> We just went through the same thing and have told people we will be
> >> dropping zip files until we work out a sane way of 'scanning' ones that
> >> are bad. Of course the .zip item is already being deprecated by the .txt
> >> virii that tell the user in the email to rename the .txt to .zip and
> >> open it up and then run the application for security reasons.
>
> Our testing showed that clients mangle binaries sent with the .txt
> extension.  We believe that the clients do a newline-return translation
> similar to what you get doing ftp as text.  Anyway the binary does not
> execute even after being renamed.  I can't figure out how this exploit
> would work.

Would it be possible, or desirable, to have MimeDefang check attachments to 
ensure they match up with the file extension?

For example if someone renames a .zip to .txt then MimeDefang could identify 
that it was renamed, by checking "the magic", and taking action.
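
The check proposed in this message, sketched as an added example (not code from the post or from MIMEDefang): compare an attachment's leading bytes with the extension it claims. It is written in Python as a stand-alone illustration rather than as a MIMEDefang filter; the signature table, the extension policy and the sample inputs are constructed assumptions.

```python
import os

# (leading bytes, detected type). A short constructed table, not exhaustive.
SIGNATURES = [
    (b"PK\x03\x04", "zip"), (b"PK\x05\x06", "zip"),  # PK\x05\x06 = empty archive
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "exe"),  # two bytes only: can collide with text, so review hits
]
# Extensions each detected type may legitimately carry (assumed policy).
ALLOWED = {
    "zip": {".zip", ".jar"},
    "rar": {".rar"},
    "gzip": {".gz", ".tgz"},
    "exe": {".exe", ".dll", ".scr", ".com"},
}
TEXT_EXTS = {".txt", ".log", ".csv"}


def sniff(head: bytes):
    """Return the type implied by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, head: bytes):
    """Compare claimed extension with content; return (verdict, detected)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(head)
    if kind is not None:
        return ("ok" if ext in ALLOWED[kind] else "mismatch", kind)
    if ext in TEXT_EXTS:
        # No known magic: still reject a "text" part that contains NUL bytes.
        return ("mismatch", "binary") if b"\x00" in head else ("ok", "text")
    if any(ext in exts for exts in ALLOWED.values()):
        return ("mismatch", None)  # claims a binary type but lacks its magic
    return ("unverified", None)    # no rule for this extension


# Constructed samples: (filename, first bytes of the decoded attachment).
SAMPLES = [
    ("report.txt", b"PK\x03\x04\x14\x00\x00\x00"),
    ("archive.zip", b"PK\x03\x04\x14\x00\x00\x00"),
    ("notes.txt", b"Meeting at 10:00\r\n"),
    ("update.zip", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, check_attachment(name, head))
```

The bytes must be taken from the attachment after its transfer encoding (base64 or quoted-printable) has been decoded, otherwise no signature will match.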
