anomy-list

Re: html links to executables

From: Claudemir Todo Bom (123965@xyz.molar.is)
Date: Sun 25 Apr 2004 - 17:22:19 GMT


On Sun, 2004-04-25 at 12:51, Bjarni R. Einarsson wrote:

    I haven't looked at the code recently, but if I recall it would only require
    a very minor change to the tables in HTMLCleaner.pm to implement this, and
    it may in fact already be implemented in the cleaner's "paranoid" mode. The
    obvious strategy is to simply tell the cleaner to defang URLs ending in
    ".exe".

I'm running sanitizer 1.66 (debian testing package), and I tried with
both feat_paranoid and feat_webbugs active... the sanitizer defangs the
safe <IMG SRC> tags, but lets pass a <A HREF="http://somesite/scam.exe">.
    
    Unfortunately, there's no way to tell from the URL alone whether fetching it
    will actually cause the browser to download an executable or whether it will
    simply invoke a CGI which will send html, text or an image.
    
    Also, this sort of sanitization WILL cause problems with legitimate web
    sites. Some sites, including some pretty big and respectable companies, use
    the .exe ending on their server-side CGI scripts. Also, there's no reason
    the scam mails have to use .exe in their URLs - they could simply point to a
    generic URL - even one ending in .html or .gif - which would then redirect
    the browser to a .exe download.

Yes, I'm aware of this... those respectable sites that have links ending
in .exe, if they send mail with links, they're not so respectable.

Knowing that a scam URL doesn't really need to have the .exe on this
end, this solution is really a half-solution, because we can't test the
content-type of the link, but the majority of scams I've seen use .exe
in href...
    
    For this reason defanging like this isn't enabled by default, it's not
    likely to work well and will break legitimate URLs. However, if the scam
    mails are using simple, easy to block URLs, then it may be worth the effort
    to try anyway... I haven't much experience with these messages, so I'd be
    interested in hearing people's opinions on this.
    
Here in Brazil, this thing is getting very common. After people learned
that forged emails from bank enterprises were really forged, the scammers
are trying to get people using fake web postcards, fake links to forms
to participate in popular reality shows, and it's growing day by day...

on the ISPs that are my customers, we are wanting to offer this as an
opt-in resource for the end users.

I'm not a good perl coder, so, if somebody snips some code here, I can
paste it on the sanitizer code... can anybody help me?

Best regards,

-- 
Claudemir Todo Bom
123965@xyz.molar.is
http://www.wiredway.com.br/~allgood
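
An added illustration of the ".exe" defanging strategy discussed in this message: stand-alone Perl, not part of the original post and not Anomy Sanitizer code (it does not touch the tables in HTMLCleaner.pm). The `DEFANGED_` attribute prefix, the extension list and every sample link except the one quoted in the post are assumptions made for the example; the sample input also shows the false positive and the false negative raised in the thread.

```perl
#!/usr/bin/perl
# Added example: stand-alone sketch, not Anomy Sanitizer's own code.
use strict;
use warnings;

# Extensions treated as executable downloads (assumed list for this example).
my $EXT = qr/\.(?:exe|scr|pif|com|bat)/i;

# True if the path part of the URL (before any ?query or #fragment)
# ends in one of the extensions above.
sub looks_executable {
    my ($url) = @_;
    $url =~ s/[?#].*\z//s;                        # drop query string and fragment
    $url =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;  # undo %2E-style escaping
    return $url =~ /$EXT\s*\z/ ? 1 : 0;
}

# Rename href to DEFANGED_href on <a> tags whose target looks executable,
# so the link is no longer clickable but the original URL stays readable.
sub defang_exe_links {
    my ($html) = @_;
    $html =~ s{(<a\b[^>]*?\s)(href)(\s*=\s*)("[^"]*"|'[^']*'|[^\s>]+)}{
        my ($pre, $attr, $eq, $val) = ($1, $2, $3, $4);
        (my $url = $val) =~ s/\A["']|["']\z//g;   # strip surrounding quotes
        $pre . (looks_executable($url) ? "DEFANGED_$attr" : $attr) . $eq . $val;
    }gie;
    return $html;
}

# Constructed sample input: the link from the post, a legitimate server-side
# CGI named .exe (false positive), and a page that could redirect to an
# executable (false negative; the URL alone gives nothing to match on).
my $sample = join "\n",
    '<A HREF="http://somesite/scam.exe">your postcard</A>',
    '<a href="http://shop.example/cgi-bin/order.exe?id=7">order status</a>',
    '<a href="http://somesite/card.html">your postcard</a>';

print defang_exe_links($sample), "\n";
```

The first two links come out with `DEFANGED_HREF` / `DEFANGED_href`; the third passes unchanged, which is why a rule like this suits an opt-in setting rather than a default.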
