[Mimedefang] Bad Extensions in suggested example filter
Kevin A. McGrail
KMcGrail at PCCC.com
Tue Nov 5 15:34:59 EST 2013
On 11/5/2013 1:56 PM, David F. Skoll wrote:
> On Tue, 05 Nov 2013 13:30:17 -0500
> "Kevin A. McGrail" <KMcGrail at PCCC.com> wrote:
>
>> 3 - Has anyone written description of all the extensions and a short
>> what/why description? If not, I'll take a pass at it. (example
>> below).
> The bad filename extension list in the default MIMEDefang filter is
> old, crufty, unmaintained, and most likely way too aggressive.

It's not really THAT bad but I agree it needs at a minimum some
documentation. The #1 and #2 issues I usually see are exe's and wmz's.
The exe's are about 50% of the time malware payloads so that policy
makes sense. With WMZ, there are legitimate ways to exploit that format,
though I've rarely seen it in the wild. I could argue it both ways.

> I obtained it from some MSFT knowledgebase article, the origin of which
> is lost in the mists of time.
>
> If someone would like to patch the sample filter to have a saner list,
> I'll gladly take the patch.

I think the list is not bad, like I said. In practice, I like it.

I'll work on documenting the extensions that are blocked and if any need
to come off.

Right now, for example, vcs is blocked and I can't find a reason it
should be blocked.

And .MIM should be blocked - Apparently we had real exploits from years
ago (2004?). Looks tied to winzip and this announcement
http://www.winzip.com/fmwz90.htm

Anyway, I expect the patch to be 99% documentation and 1% changing
extensions.

Regards,
KAM