[Mimedefang] WARNING/ALERT .html attachments

Bill Cole mdlist-20140424 at billmail.scconsult.com
Sun Jun 5 00:07:42 EDT 2016

On 3 Jun 2016, at 1:05, Kees Theunissen wrote:

> .html and .htm are not listed as "bad extensions" in the
> "suggested-minimum-filter-for-windows-clients" script in the 
> MIMEDefang
> download. But obviously .html and .htm _ARE_ dangerous.

Well, yes. Some of us have been trying to convince the instigators of 
HTML in email of this fact for over 20 years to no avail.

Unfortunately, many of the most popular tools for composing and 
submitting email (a.k.a. MUA -> Mail User Agent) generate HTML parts by 
default and some have no configuration that will make them always send 
pure plain text email. Usually the HTML is in nameless alternatives 
inside a multipart/alternative message, but sometimes even those get 
pointless names and there are MUAs which do a wide variety of strange 
and unexpected things when forwarding messages or replying with the 
inclusion of an original message, so shunning HTML based on filename 
extension is Not Safe. On the other hand, it has been many years since 
the current or most common versions of popular MUAs which can interpret 
HTML mail will execute embedded scripts. Of course that can't stop users 
from being shown an HTML attachment as a PDF because of a crappy MUA, 
saving it, and opening it with a double-click into a browser that will 
run those scripts. Obfuscated JavaScript in spam is the current favorite 
initial vector for ransom-ware infections, so you can't just do nothing.

The MIMEDefang solution for this isn't to add htm and html to the list 
of bad extensions, as that would reject substantial legitimate mail at 
most sites. Most sites also certainly can't reject all mail with 
text/html parts, as that would be most mail for most sites. For many 
sites, stripping out HTML parts (which MD can do) also would be 
unacceptable to users. HTML in email always has been a bad idea, but it 
is a bad idea which has become entrenched as normalcy.

What most systems using MD can (and SHOULD) do is to add a block of code 
analogous to the existing bad extension check in the example script that 
checks for filenames with multiple "extensions" where the last one is 
not a recognizable archival or compression format. For example: reject 
*.pdf.html, *.htm.pdf, or *.docx.doc but not *.tar.gz, *.cpio.bz2, or 
*.files.7z. You can also reject mail with (.htm or .html names OR 
"Content-Type: text/html") and "Content-Disposition: attachment" but be 
prepared for that to hit some innocent messages.

More information about the MIMEDefang mailing list