anomy-list

Re: .com images defanged and dropped...

From: Marvin Herbold (97070@xyz.molar.is)
Date: Fri 10 Oct 2003 - 16:05:55 GMT


    Marvin Herbold wrote:

    > Dilemma...
    >
    > I just added a rule to defang/drop .com attachments and the result is
    > that all the inline html images get dropped. For example my email
    > image signature is (as generated by Mozilla):
    >
    > <img border="0" src="cid:97165@xyz.molar.is">
    >
    > And the attachment has the file name of
    > "97165@xyz.molar.is" which is why it got dropped... but
    > it wasn't actually an executable, but rather a gif image... This
    > seems to be a common way inline email images get sent around (at least
    > from my Mozilla email client, and apparently Outlook and AOL too)...
    > so my question to you all is how do I safely drop hostile .com
    > attachments (read: real executables) and keep the benign images that
    > just happen to have their name end in .com???
    >
    I had said that "the attachment has the file name of
    97165@xyz.molar.is"... that is actually wrong.

    I sent myself an unsanitized email, and this is the REAL MIME header:

    Content-Type: image/gif;
    name="C:\\Documents and Settings\\Herbold\\My
    Documents\\idrt_signature_marvin.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <97217@xyz.molar.is>
    Content-Disposition: inline;
    filename="C:\\Documents and Settings\\Herbold\\My
    Documents\\idrt_signature_marvin.gif"

    As you can see, the file name clearly ends in .gif which should have
    been allowed. But apparently because the ID (not the file name) ended in
    .com the image was dropped. Obviously I don't want this to happen. How
    to fix?

    -- 
    Marvin Herbold
    97070@xyz.molar.is
    http://www.herbold-family.com
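
The distinction drawn in the message above, between a part's declared file name and its Content-ID, as an added example that is not part of the original post and is not Anomy Sanitizer code or configuration. The sample message, the blocked-extension list and the function names are constructed for illustration.

```python
# Added example; not Anomy Sanitizer code or configuration.
from email import message_from_string
from email.utils import collapse_rfc2231_value
from ntpath import basename, splitext  # handles C:\... paths on any OS

BLOCKED_EXT = {".com", ".exe", ".pif", ".scr", ".bat"}  # assumed policy list

# Constructed sample: an inline GIF whose Content-ID ends in .com, and an
# attachment whose file name really ends in .com. Bodies are dummy base64.
SAMPLE = r"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: image/gif; name="C:\\My Documents\\signature.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1.signature@mail.example.com>
Content-Disposition: inline; filename="C:\\My Documents\\signature.gif"

R0lGODlh
--b1
Content-Type: application/octet-stream; name="update.com"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="update.com"

AAAA
--b1--
"""

def declared_names(part, include_content_id=False):
    """File names declared for a part; Content-ID is only used on request."""
    raw = [part.get_param("filename", header="content-disposition"),
           part.get_param("name")]
    if include_content_id:  # the mismatch the post describes
        raw.append((part.get("Content-ID") or "").strip("<> "))
    return [basename(collapse_rfc2231_value(n)) for n in raw if n]

def verdicts(raw_message, include_content_id=False):
    """Return [(label, 'drop' | 'keep')] for each non-multipart part."""
    out = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        names = declared_names(part, include_content_id)
        bad = any(splitext(n)[1].lower() in BLOCKED_EXT for n in names)
        out.append((names[0] if names else "(unnamed)", "drop" if bad else "keep"))
    return out

if __name__ == "__main__":
    print("filename only:  ", verdicts(SAMPLE))
    print("with Content-ID:", verdicts(SAMPLE, include_content_id=True))
```

Matching only on the `filename` and `name` parameters keeps the inline GIF and still drops the part whose declared name ends in .com; treating the Content-ID as a name drops both.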
    


