[Mimedefang] best practices for handling filename extensions

Mark Coetser mark at tux-edo.co.za
Thu Oct 5 08:04:59 EDT 2017


On 05/10/2017 06:41, Michael Fox wrote:
> I'm looking to understand best practices with regard to rejecting filename
> extensions.
>
> The example provided in /usr/share/doc/mimedefang shows a very long list of
> extensions to be rejected.  I know some hosted mail providers don't allow
> .exe.  It annoys me but I just change the extension and it goes through.
> And I know that some providers don't allow .zip.  So folks using those
> providers just change it to .piz and it goes through.
>
> I presume this is, indeed, a little safer, since the recipient has to take
> an extra step to change the extension.  And, presumably, they would only do
> that if they knew what they were getting.  But I wonder if that's just the
> appearance of additional security or if it's a true improvement.
>
> So, what do the folks here with much more experience than I do, and why?
>
> Thanks much,
> 
> Michael

Pretty sure the filetype matching is done by checking the actual MIME 
type of the file, not just what the file extension is, so just renaming 
the file will still not allow the file through.


Thank you,

Mark Adrian Coetser
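
An added illustration, not part of the original thread and not MIMEDefang's own code: the sketch below contrasts a name-only check with a check on the attachment's decoded leading bytes, using the .zip-renamed-to-.piz case from the question. The function names, the blocked-type policy and the sample attachments are assumptions constructed for this example.

```python
import os

# Leading-byte signatures for the two file types named in the thread.
SIGNATURES = [
    (b"MZ", "exe"),          # DOS/PE executable header
    (b"PK\x03\x04", "zip"),  # ZIP local file header
    (b"PK\x05\x06", "zip"),  # empty ZIP (end-of-central-directory record only)
]

BLOCKED_TYPES = {"exe", "zip"}  # hypothetical site policy

# Constructed sample payloads (only the first bytes matter here).
ZIP_SAMPLE = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
TEXT_SAMPLE = b"Meeting notes for Thursday\n"


def sniff_type(data: bytes):
    """Return the type implied by the decoded body's leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def extension_verdict(filename: str) -> bool:
    """Name-only policy: True means reject. The sender chooses the name."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in BLOCKED_TYPES


def content_verdict(data: bytes) -> bool:
    """Content policy: True means reject, whatever the part is called."""
    return sniff_type(data) in BLOCKED_TYPES


def evaluate(filename: str, data: bytes) -> dict:
    """Run both checks on one attachment so the results can be compared."""
    return {"name_rejects": extension_verdict(filename),
            "content_rejects": content_verdict(data)}


if __name__ == "__main__":
    for name, body in [("report.zip", ZIP_SAMPLE), ("report.piz", ZIP_SAMPLE),
                       ("setup.txt", EXE_SAMPLE), ("notes.txt", TEXT_SAMPLE)]:
        print(name, evaluate(name, body))
```

The Content-Type header of a MIME part is chosen by the sender just like the filename, so a content check has to look at the decoded body bytes. A two-byte signature such as `MZ` can also match ordinary text that happens to start with those letters.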


