anomy-list

RE: Problems with winmail.dat

From: Stian B. Barmen (97713@xyz.molar.is)
Date: Wed 15 Oct 2003 - 13:33:43 GMT


    Thank you very much! :)

    I know that this might adjust my security down a few notches, but it
    will still stop most virus mails (as of now at least).

    I owe you one! :)

    Best regards and thanks
    Stian B. Barmen

    -----Original Message-----
    From: Bjarni R. Einarsson [mailto:97761@xyz.molar.is]
    Sent: 15 October 2003 15:25
    To: Stian B. Barmen
    Cc: 97794@xyz.molar.is

    On 2003-10-14, 13:45:37 (+0200), Stian B. Barmen wrote:
    > It is rather important to block Microsoft application/ms-tnef files,
    > which are usually named "winmail.dat". The TNEF encoding is currently
    > not understood by the sanitizer, which means it can easily be used to
    > smuggle malicious attachments past the sanitizer unless it is blocked.
    >
    > But the problem is when I need to let these through .. what then?

    Then you just let them through and hope nothing bad will happen!

     :-)

    Security is about balancing risk against usability - if blocking
    those attachments makes your system too "unusable", then that may
    be more important than security. You decide.

    Alternately, there is the tnef2multipart.pl script in the
    contrib/ directory, which may come in handy. See older messages
    in the mailing list archives for instructions on how to use it.

    > file_list_1 = (?i)(winmail\.dat
    > file_list_1 += |\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf

    To allow winmail.dat attachments, change the above two lines to
    this (I deleted everything from the 'w' to the '|'):

    > file_list_1 = (?i)(\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf

    -- 
    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
     97761@xyz.molar.is                -><-              http://bre.klaki.net/
    

    Check out my open-source email sanitizer: http://mailtools.anomy.net/
    Spammers, please send lots of mail to: 97844@xyz.molar.is

    Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
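
Added example, not part of the original thread or of the Anomy sanitizer: a Python check that lists the TNEF attachments the relaxed `file_list_1` rule no longer stops, so they can be logged or handed to a converter such as the tnef2multipart.pl script mentioned above. The closing `))$` on the pattern, the function names and the sample message are assumptions made here; the page's copy of the rule is cut off after `inf`.

```python
import re
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Extension list only as far as the page shows it; the closing "))$" is an
# assumption, since the page's copy of the rule is cut off after "inf".
EXTS = r"\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf"
STRICT = re.compile(r"(?i)(winmail\.dat|" + EXTS + r"))$")   # rule as quoted
RELAXED = re.compile(r"(?i)(" + EXTS + r"))$")               # rule after the edit

TNEF_SIGNATURE = struct.pack("<I", 0x223E9F78)  # first four bytes of a TNEF stream


def tnef_parts(raw: bytes):
    """Return (filename, reason) for every leaf part that looks like TNEF."""
    found = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(TNEF_SIGNATURE):
            found.append((name, "signature"))
        elif part.get_content_type() == "application/ms-tnef":
            found.append((name, "content-type"))
        elif name.lower() == "winmail.dat":
            found.append((name, "filename"))
    return found


def passes_relaxed_rule(raw: bytes):
    """TNEF parts whose filename the relaxed rule does not match."""
    return [(n, why) for n, why in tnef_parts(raw) if not RELAXED.search(n)]


def sample_message() -> bytes:
    """Constructed test message: text body plus a dummy winmail.dat."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(TNEF_SIGNATURE + b"\x00" * 8, maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in passes_relaxed_rule(sample_message()):
        print(f"TNEF attachment {name!r} ({why}) passes the relaxed rule")
```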


