[Mimedefang] HTML Mail / Active content filter

Florian Lohoff f at zz.de
Tue Apr 11 10:23:53 EDT 2023


Hi Dianne,

On Tue, Apr 11, 2023 at 07:59:09AM -0400, Dianne Skoll via MIMEDefang wrote:
> On Mon, 10 Apr 2023 11:32:46 +0200
> Florian Lohoff via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
> 
> > I'd like to drop/replace HTML attachments/mails which contain active
> > components like JavaScript/JavaScript external refs.
> 
> I think you'll find yourself blocking or damaging quite a lot of valid
> email.

JavaScript in emails is sub 0.1% - it's basically not in use. All mails
I found in gigabytes of samples have been ads and crude stuff. I couldn't
find legitimate mail with JavaScript.

And after 3 weeks of downtime the mood is currently to even block
all Microsoft formats (docx, pptx, xlsx and the like), which
we do right now.

So my biggest concern is mail with JavaScript (which was the origin) and
PDF with active content.

> If you do find HTML mail where the "body" is essentially a
> document.write call on a function of a whole bunch of base64-encoded
> content, then yeah... that's probably malicious and can be dropped.
> Not exactly sure how to detect that, but IMO document.write in an HTML
> mail is suspicious enough on its own to block.

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
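
Added example, not part of the original post and not MIMEDefang code: a standalone Python scanner for the kinds of active content discussed in this thread (script tags, external script references, on* event handlers, javascript: URIs, document.write). All class, function and variable names are assumptions and the sample message is constructed; a real MIMEDefang filter would be written in Perl.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Records why an HTML part counts as active content."""
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []  # start buffering the script body
            src = dict(attrs).get("src")
            self.findings.append(f"external script {src}" if src else "inline script")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name} on <{tag}>")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if "document.write" in "".join(self._script):
                self.findings.append("document.write call")
            self._script = None

def scan_message(raw_bytes):
    """Return findings for every text/html part, inline body or attachment."""
    findings = []
    for part in message_from_bytes(raw_bytes, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())  # base64/QP transfer encoding is decoded here
            finder.close()
            findings.extend(finder.findings)
    return findings

def build_sample(html):
    """Constructed test mail: plain text plus a base64-encoded HTML alternative."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text alternative")
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_bytes()

# Constructed sample markup; example.invalid is a placeholder host.
SAMPLE_HTML = ('<html><body onload="go()"><script>document.write(atob("PGI+aGk8L2I+"))'
               '</script><a href="javascript:void(0)">x</a>'
               '<script src="https://example.invalid/a.js"></script></body></html>')
```

The scan runs on the decoded part, so a base64 or quoted-printable transfer encoding does not hide the markup from it; PDF active content is out of scope here.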