[Mimedefang] WARNING/ALERT .html attachments
mdlist-20140424 at billmail.scconsult.com
Sun Jun 5 00:07:42 EDT 2016
On 3 Jun 2016, at 1:05, Kees Theunissen wrote:
> .html and .htm are not listed as "bad extensions" in the
> "suggested-minimum-filter-for-windows-clients" script in the
> download. But obviously .html and .htm _ARE_ dangerous.
Well, yes. Some of us have been trying to convince the instigators of
HTML in email of this fact for over 20 years to no avail.
Unfortunately, many of the most popular tools for composing and
submitting email (a.k.a. MUA -> Mail User Agent) generate HTML parts by
default and some have no configuration that will make them always send
pure plain text email. Usually the HTML is in nameless alternatives
inside a multipart/alternative message, but sometimes even those get
pointless names and there are MUAs which do a wide variety of strange
and unexpected things when forwarding messages or replying with the
inclusion of an original message, so shunning HTML based on filename
extension is Not Safe. On the other hand, it has been many years since
the current or most common versions of popular MUAs which can interpret
HTML mail will execute embedded scripts. Of course that can't stop users
from being shown an HTML attachment as a PDF because of a crappy MUA,
saving it, and opening it with a double-click into a browser that will
initial vector for ransom-ware infections, so you can't just do nothing.
The MIMEDefang solution for this isn't to add htm and html to the list
of bad extensions, as that would reject substantial legitimate mail at
most sites. Most sites also certainly can't reject all mail with
text/html parts, as that would be most mail for most sites. For many
sites, stripping out HTML parts (which MD can do) also would be
unacceptable to users. HTML in email always has been a bad idea, but it
is a bad idea which has become entrenched as normalcy.
What most systems using MD can (and SHOULD) do is to add a block of code
analogous to the existing bad extension check in the example script that
checks for filenames with multiple "extensions" where the last one is
not a recognizable archival or compression format. For example: reject
*.pdf.html, *.htm.pdf, or *.docx.doc but not *.tar.gz, *.cpio.bz2, or
*.files.7z. You can also reject mail with (.htm or .html names OR
"Content-Type: text/html") and "Content-Disposition: attachment" but be
prepared for that to hit some innocent messages.
More information about the MIMEDefang