>On 2000-08-17, 15:46:54 (-0500), mark david mcCreary wrote:
>> I am still testing your system. I have decided that I need to invoke your
>> sanitizer separately to defang HTML. That is, I will defang HTML only when
>> it's HTML email.
>OK - but you do realize that this will let e.g. HTML attachments with
>dangerous parts through? Also, from what I've heard some Microsoft
>products - possibly Outlook - ignore MIME types and make their own guesses
>about what sort of contents are in the mail. Thus sending someone a
>"text/plain" part, with a filename of "blah.html" will avoid the sanitizer
>but still cause potential harm to the end user.
That's a good point.
I am interested in using your system for mailing lists, and I plan on
invoking your sanitizer to scan attachments, long Mime headers, long file
names, etc. on all email before it's sent to the list.
For most of the lists, the default will be to reject attachments
altogether, although some discussion groups want and need attachments to go
thru. In that case, I will just scan for poisoned, known file names,
and/or executable file types.
Then I plan on checking if the content type is html, and if so, invoking
your system a second time, only to defang html, as I will want html to go
thru in most cases.
So instead of checking the content-type, I should probably scan the body,
and only invoke the defang html scan if <html> is found. Or trigger off of
either the header or body indicating html.
Thanks for the feedback and I am certainly open to suggestions on how to
-- 
This mailing list's home page is: http://mailtools.anomy.net/archives/anomy-list/ There you can find subscription instructions and possibly an archive. Molar.is is a free Icelandic mailing list service.
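As an added example, not code from the Anomy sanitizer or from anyone on the list, here is a Python check that treats a MIME part as HTML when any of the three signals raised in the thread says so: the declared Content-Type, the attachment filename, or the body itself. The sample message, the function names and the sniffed tag list are all constructed for this illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the list archive): the second part is declared
# text/plain but carries an .html filename and an HTML body, the evasion above.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text body, nothing to defang.
--b1
Content-Type: text/plain; name="blah.html"
Content-Disposition: attachment; filename="blah.html"

<html><body><p>Looks like plain text to a Content-Type-only check.</p></body></html>
--b1--
"""

HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")
# Tags that mark a body as HTML regardless of what the headers declare.
HTML_SNIFF = re.compile(rb"<\s*(!doctype\s+html|html|head|body|script|iframe|object)\b", re.I)


def html_signals(part):
    """Evaluate the three independent signals the thread discusses."""
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    body = part.get_payload(decode=True) or b""
    return {
        "header": ctype == "text/html",
        "filename": filename.endswith(HTML_EXTENSIONS),
        # Sniff only the first 4 KiB, as a content-guessing client would.
        "body": HTML_SNIFF.search(body[:4096]) is not None,
    }


def parts_to_defang(raw):
    """Return (part index, signals) for every leaf part that any signal flags."""
    msg = message_from_string(raw, policy=policy.default)
    flagged = []
    for idx, part in enumerate(msg.walk()):
        if not part.is_multipart():
            signals = html_signals(part)
            if any(signals.values()):
                flagged.append((idx, signals))
    return flagged
```

Triggering on any one signal rather than only on Content-Type is the defensive choice: a disagreement between header, filename and body is itself a reason to run the defanger.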