anomy-list

Re: File exclusion question : Somecompany.com.doc

From: Derrick Webber (112319@xyz.molar.is)
Date: Wed 28 Jan 2004 - 00:16:50 GMT


    Kevin Shanahan wrote:
    > On Wed, 2004-01-28 at 08:12, Peter Mueller wrote:
    >
    >>"Somecompany.com.doc" got DEFANGED. I want to allow it through. What would
    >>I have to change?
    >
    > ...
    >
    >>file_list_1 += |url|exe|ws[cfh]|ops|com|prx))\s*
    >
    > ...
    >
    >>file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
    >
    >
    > I suggest ending both file list regex with \s*$ to make sure you're
    > matching against the end of the file name.
    >

    If the recipients use MS Outlook or Outlook Express, it's dangerous to
    filter attachments based only on the last file extension. See
    http://www.clearswift.com/support/threatlab/docs/extensionthreats.aspx

    Outlook Express in particular has a flaw where it can launch an
    attachment based on the *middle* of three extensions... e.g.
    ".txt.exe.jpg" can be run as an executable. See
    http://www.theregister.co.uk/content/56/29137.html

    It's not unreasonable to ask senders to avoid multiple extensions in
    attachment names (except maybe for common exceptions like .tar.gz and
    .tar.bz2).
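
Added example, not part of the original message or of Anomy: a Python sketch comparing the end-anchored, last-extension-only match suggested in the quoted reply with a check of every extension in the name, plus the `.tar.gz`/`.tar.bz2` exception. The extension set is only the subset visible in the quoted `file_list_1` fragment, and all function names and sample file names are hypothetical.

```python
import re

# Subset of extensions visible in the quoted file_list_1 fragment; the full
# Anomy list is longer and is not reproduced here (assumption).
RISKY = {"url", "exe", "wsc", "wsf", "wsh", "ops", "com", "prx"}
# Multi-part suffixes treated as one extension (the exceptions named in the message).
COMPOUND_OK = ("tar.gz", "tar.bz2")
# End-anchored match: looks at the final extension only.
LAST_ONLY = re.compile(r"\.(?:url|exe|ws[cfh]|ops|com|prx)\s*$", re.I)


def last_extension_only(name):
    """True if the name is caught when only the last extension is checked."""
    return LAST_ONLY.search(name) is not None


def extensions(name):
    """Return every dot-separated extension, keeping allowed compound suffixes whole."""
    name = name.strip().lower()
    for compound in COMPOUND_OK:
        if name.endswith("." + compound):
            stem = name[: -len(compound) - 1]
            return stem.split(".")[1:] + [compound]
    return name.split(".")[1:]


def any_extension(name):
    """True if any extension in the name, not just the last, is on the risky list."""
    # strip() also covers whitespace padded around an inner extension
    return any(ext.strip() in RISKY for ext in extensions(name))


def multiple_extensions(name):
    """True if the name has more than one extension after the compound exceptions."""
    return len(extensions(name)) > 1


if __name__ == "__main__":
    # Constructed sample names; only Somecompany.com.doc comes from the thread.
    for n in ("Somecompany.com.doc", "photo.txt.exe.jpg", "backup.tar.gz", "setup.exe "):
        print(f"{n!r:24} last_only={last_extension_only(n)} "
              f"any={any_extension(n)} multi={multiple_extensions(n)}")
```

The end-anchored rule lets `Somecompany.com.doc` through but also misses the middle `.exe` in `photo.txt.exe.jpg`; checking every extension catches both, which is why a multiple-extension policy with a short exception list is the safer trade-off.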


