[Mimedefang] Bad Extensions in suggested example filter

Kevin A. McGrail KMcGrail at PCCC.com
Tue Nov 5 15:34:59 EST 2013


On 11/5/2013 1:56 PM, David F. Skoll wrote:
> On Tue, 05 Nov 2013 13:30:17 -0500
> "Kevin A. McGrail" <KMcGrail at PCCC.com> wrote:
>
>> 3 - Has anyone written description of all the extensions and a short
>> what/why description?  If not, I'll take a pass at it.  (example
>> below).
> The bad filename extension list in the default MIMEDefang filter is
> old, crufty, unmaintained, and most likely way too aggressive.
It's not really THAT bad but I agree it needs at a minimum some 
documentation. The #1 and #2 issues I usually see are exe's and wmz's. 
The exe's are about 50% of the time malware payloads so that policy 
makes sense. With WMZ, there are legitimate ways to exploit that format, 
though I've rarely seen it in the wild. I could argue it both ways.
> I obtained it from some MSFT knowledgebase article, the origin of which
> is lost in the mists of time.
>
> If someone would like to patch the sample filter to have a saner list,
> I'll gladly take the patch.
I think the list is not bad, like I said.  In practice, I like it.

I'll work on documenting the extensions that are blocked and if any need 
to come off.

Right now, for example, vcs is blocked and I can't find a reason it 
should be blocked.

And .MIM should be blocked - Apparently we had real exploits from years 
ago (2004?).  Looks tied to winzip and this announcement 
http://www.winzip.com/fmwz90.htm

Anyway, I expect the patch to be 99% documentation and 1% changing 
extensions.

Regards,
KAM


