[Mimedefang] Re: Image spam and broken file formats
Kenneth Porter
shiva at sewingwitch.com
Tue Dec 5 22:19:43 EST 2006

--On Tuesday, December 05, 2006 8:47 PM -0500 "David F. Skoll"
<dfs at roaringpenguin.com> wrote:

> I'm not very familiar with GIF and JPEG, but I have worked extensively
> with TIFF. With a TIFF image, you can play many wacky tricks and
> stuff data in the image file in countless weird ways. I don't know if
> it's possible to "validate" a TIFF image.

IIRC, TIFF is a "catch-all" format that's highly-extensible, sorta like
XML. Yet XML is designed to validate. TIFF can have parts with arbitrary
content. I seem to recall the Amiga multimedia formats worked like that. At
one point someone was using the bento box as a model for data packaging.

> JPEG and GIF are much simpler, but I bet they're still complex
> enough to make validation iffy.

True at least for GIF. JPEG and I think PNG are also extensible, like TIFF.
But any extensible format requires a reader that understands the
extensions. It would be sufficient for me if the validator were itself
extensible with a yes/no/maybe answer similar to SPF.

In thinking about computing costs, it occurs to me that the validator could
be fed a time limit (measured in CPU time) at which point it rejects the
file as "too complex". There should also be a memory limit. Both of these
should catch those classes of file bombs.
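
An added example, not part of the original post and not MIMEDefang code: one way to run an image validator as a child process under a CPU-time limit and a memory limit, returning a pass/fail/maybe verdict plus "too complex". It assumes a Linux host; the exit-code protocol, `run_validator`, and the tiny `GIF_CHECKER` stand-in are hypothetical names made up for illustration.

```python
import resource
import subprocess
import sys

PASS, FAIL, MAYBE, TOO_COMPLEX = "pass", "fail", "maybe", "too-complex"
# Assumed exit-code protocol between this wrapper and a validator process.
EXIT_VERDICT = {0: PASS, 1: FAIL, 2: MAYBE}

# Constructed stand-in validator: it only checks the GIF signature and trailer.
GIF_CHECKER = r"""
import sys
data = sys.stdin.buffer.read()
if data[:6] not in (b"GIF87a", b"GIF89a"):
    sys.exit(2)  # a format this checker does not understand: "maybe"
sys.exit(0 if data.endswith(b";") else 1)  # GIF trailer byte is 0x3B
"""

def _cap(res, value):
    """Lower both soft and hard limit, never above the inherited hard limit."""
    hard = resource.getrlimit(res)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def run_validator(argv, data, cpu_seconds=2, mem_bytes=512 * 1024 * 1024):
    """Run argv on data under CPU-time and address-space limits; return a verdict."""
    def set_limits():  # executed in the child between fork and exec
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)
    try:
        proc = subprocess.run(argv, input=data, preexec_fn=set_limits,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=cpu_seconds * 10)  # wall-clock backstop
    except subprocess.TimeoutExpired:
        return TOO_COMPLEX
    if proc.returncode < 0:  # killed by a signal, e.g. SIGXCPU/SIGKILL at the CPU limit
        return TOO_COMPLEX
    # A validator that hits the memory cap sees allocation failure and exits
    # non-zero, which is outside 0/2 and therefore rejected as "fail".
    return EXIT_VERDICT.get(proc.returncode, FAIL)

if __name__ == "__main__":
    py = [sys.executable, "-c"]
    print(run_validator(py + [GIF_CHECKER], b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"))
    print(run_validator(py + ["while True: pass"], b"", cpu_seconds=1))
```

The limits are applied in the child only, so the mail filter process itself keeps its own resource settings.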