On 8/31/2011 19:01, Eike Rathke wrote:
Hi Dennis,
On Wednesday, 2011-08-31 14:17:38 -0700, Dennis E. Hamilton wrote:
[... reordering quotes and adding a quote level for better readability,
stripping rest ...]
From: TJ Frazier
Funny you should mention that. That very problem occurred on Bugzilla,
with DOC attachments bearing Trojan viruses. --/tj/
Wow!
When was that?
Last year? But I think what TJ was referring to was a case of .doc
attachments to make them look like a testcase but instead contained
a JavaScript snippet redirecting the browser to a different site that
tried to install malware. Quite clever.
Yes, H. Duerr provided a link to the issue:
https://issues.apache.org/ooo/show_bug.cgi?id=113088
The spammers' accounts have apparently been removed, but some of the
attachments may have survived. I found a couple of attachments
attributed to "Unknown". This might happen if the account was deleted
before all "contributions" were removed. --/tj/
I assume that Bugzilla still accepts attachments (we were talking about lists).
A bug tracker _has_ to accept attachments, without it, it is useless in many
cases.
What do we do to protect it?
How about a virus scan on attachments? That probably wouldn't help
against the JavaScript case though. Virus scans could even be done for
mail attachments before the mailing list distributes them. Question is
if Apache infra supports both cases.
Eike
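
The thread notes that a virus scan would probably miss a `.doc` attachment that is really a JavaScript redirect. The sketch below is an added example, not part of the original messages and not Bugzilla or Apache infra code: it checks whether a file named `.doc` actually starts with the OLE2 signature, looks for HTML/JavaScript markers, and builds response headers that force a download instead of in-browser rendering. The function names and sample bytes are hypothetical and constructed for illustration.

```python
import re

# OLE2 compound file signature used by legacy binary .doc files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Markers that would make a browser treat the served bytes as active content.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|iframe|meta\s+http-equiv)|javascript:|window\.location",
    re.IGNORECASE,
)

# Constructed samples: a minimal OLE2-looking blob and a disguised HTML file.
GENUINE_DOC = OLE2_MAGIC + b"\x00" * 512
DISGUISED_DOC = b'<html><script>window.location="http://redirect.example/"</script></html>'


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "doc" and not data.startswith(OLE2_MAGIC):
        findings.append("extension .doc but content is not an OLE2 document")
    # Browsers sniff the start of a file, so inspect only the head.
    if ACTIVE_CONTENT.search(data[:4096]):
        findings.append("content contains HTML/JavaScript markers")
    return findings


def safe_response_headers(filename: str) -> dict[str, str]:
    """Headers that make the browser download the attachment, not render it."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name, blob in (("real.doc", GENUINE_DOC), ("testcase.doc", DISGUISED_DOC)):
        print(name, check_attachment(name, blob) or "ok")
    print(safe_response_headers("testcase.doc"))
```

The content check complements a virus scan for uploads, while the headers address the redirect case even when a disguised file slips through.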