Marvin Herbold wrote:
> I just added a rule to defang/drop .com attachments and the result is
> that all the inline html images get dropped. For example my email
> image signature is (as generated by Mozilla):
> <img border="0" src="cid:firstname.lastname@example.org">
> And the attachment has the file name of
> "email@example.com" which is why it got dropped... but
> it wasn't actually an executable, but rather a gif image... This
> seems to be a common way inline email images get sent around (at least
> from my Mozilla email client, and apparently Outlook and AOL too)...
> so my question to you all is how do I safely drop hostile .com
> attachments (read: real executables) and keep the benign images that
> just happen to have their name end in .com???
I had said that "the attachment has the file name of
firstname.lastname@example.org"... that is actually wrong.
I sent myself an unsanitized email, and this is the REAL mime header:
name="C:\\Documents and Settings\\Herbold\\My
filename="C:\\Documents and Settings\\Herbold\\My
As you can see, the file name clearly ends in .gif which should have
been allowed. But apparently because the ID (not the file name) ended in
.com the image was dropped. Obviously I don't want this to happen. How
-- Marvin Herbold email@example.com http://www.herbold-family.com