RE: [Mimedefang] bad_filename: mim
On Thu, 19 Jan 2006, [EMAIL PROTECTED] wrote:

> Paul Murphy wrote:
> > Definitely one for the banned list now...
>
> For the paranoid, I have a fairly thorough list of compressed file extensions here:
> http://www.mimedefang.com/kwiki/index.cgi?BadFilenameExtensions
>
> For the record:
> zip rar sit cpt hqx ace bz bz2 iso lha r00 r01 r02 r03 r04 r05 r06 r07 r08 r09 r10 r11 r12 r13 r14 r15 r16 r17 r18 r19 r20 r21 r22 r23 r24 r25 r26 r27 r28 r29 tbz tbz2 arc arj b64 cab gz hqx lzh mim tar taz tgz tz uu uue xxe z

Hi,

I see the phrase "For the paranoid", but please: do not add any "real" archives to the default list of extensions in the sample filter. How about another configurable line that lists those?

BTW: I'm missing "ace" and its split-files "c[0-9]{2}"; also, rar's split-files are named "r[0-9]{2}" -- there may be more than just 32 archives, I've seen some program registering all 100 extensions ;-)

What are zip's split-files named like? Was it z[0-9]{2} or b[0-9]{2}??

Also: bin, gl, md[as] are also used for images like iso.

Frankly, I think that one should handle only those file types on the server that Windows may _really_ execute via the WinShell (or WinExec or whatever the shell.dll hook is named). E.g. a file in a zip is not executed on-the-fly, but by storing it (or the complete contents of the archive) onto the hard disk of the system; that's the subject of the on-access scanner on each particular system and not for the mail server. You need an on-access scanner on each end-user system anyway. -- But this discussion had happened before :)

Bye,

--
Steffen Kaiser

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
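Added example, not part of the original message or of MIMEDefang's sample filter: one way to express the split proposed in the message above, with executable extensions always checked, archive extensions behind a separate policy switch, and split volumes written as r[0-9]{2} and c[0-9]{2} instead of an enumerated list. The executable list, the sub names and the sample file names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: a short sample of extensions Windows executes directly.
my $EXEC_EXTS = 'bat|cmd|com|exe|pif|scr|vbs';

# Archive extensions from the list quoted in the thread. The enumerated
# r00..r29 become r[0-9]{2}, and ACE volumes c[0-9]{2} are added, as the
# reply suggests, so all 100 volume names are covered.
my $ARCHIVE_EXTS = join '|', qw(
    zip rar sit cpt hqx ace bz bz2 iso lha tbz tbz2 arc arj b64 cab gz
    lzh mim tar taz tgz tz uu uue xxe z r[0-9]{2} c[0-9]{2}
);

# Build a case-insensitive matcher for "<name>.<ext>" with optional trailing
# dots, which Windows drops when it resolves the file name.
sub ext_regex {
    my ($alternatives) = @_;
    return qr/\.(?:$alternatives)\.*\z/i;
}

my $EXEC_RE    = ext_regex($EXEC_EXTS);
my $ARCHIVE_RE = ext_regex($ARCHIVE_EXTS);

# Classify one attachment name. $block_archives is the site's policy switch:
# false leaves "real" archives to the desktop on-access scanner.
sub classify_filename {
    my ($name, $block_archives) = @_;
    return 'executable' if $name =~ $EXEC_RE;
    return 'archive'    if $block_archives && $name =~ $ARCHIVE_RE;
    return 'ok';
}

# Constructed sample names, checked under both policies.
for my $name (qw(report.pdf photos.zip backup.r57 set.c03 update.MIM setup.scr.)) {
    printf "%-12s default=%-10s paranoid=%s\n", $name,
        classify_filename($name, 0), classify_filename($name, 1);
}
```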
Re: [Mimedefang] bad_filename: mim
Jason Gurtz wrote:

> I looked and this windows box doesn't have mim as a registered file type. Seems like it isn't too big of a deal unless clients are using aol. I guess if our policy dictated blocking .zip and other archives then I would block this too.

My WinXP Pro machine at work has the file type registered to WinZip.
Re: [Mimedefang] bad_filename: mim
[EMAIL PROTECTED] wrote:

[about dangerous filename extensions]

Even better: I have a regular expression that matches filenames that could be a security problem on Windows:

.*

(Sorry, but I've come to the conclusion that it's simply irresponsible to use Windows on a machine with network connectivity.)

Regards,

David.
Re: [Mimedefang] bad_filename: mim
On 1/19/2006 13:12, Damrose, Mark wrote:

> MIM
> A multipart file in the Multi-Purpose Internet Mail Extensions (MIME)
> format; often created as the result of sending e-mail with attachments in
> AOL. The files in a multipart MIM file can be "opened" (unarchived and
> separated into individual files) using Winzip or a similar program.

I looked and this windows box doesn't have mim as a registered file type. Seems like it isn't too big of a deal unless clients are using aol. I guess if our policy dictated blocking .zip and other archives then I would block this too.

It's nice to know that it's not *yet another* type of windows executable/script.

~Jason
RE: [Mimedefang] bad_filename: mim
Paul Murphy wrote:

> Definitely one for the banned list now...

For the paranoid, I have a fairly thorough list of compressed file extensions here:

http://www.mimedefang.com/kwiki/index.cgi?BadFilenameExtensions

For the record:

zip rar sit cpt hqx ace bz bz2 iso lha r00 r01 r02 r03 r04 r05 r06 r07 r08 r09 r10 r11 r12 r13 r14 r15 r16 r17 r18 r19 r20 r21 r22 r23 r24 r25 r26 r27 r28 r29 tbz tbz2 arc arj b64 cab gz hqx lzh mim tar taz tgz tz uu uue xxe z

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: [Mimedefang] bad_filename: mim
Mark Damrose wrote:

> The files in a multipart MIM file can be "opened"
> (unarchived and separated into individual files) using Winzip or a
> similar program.

Indeed, WinZip takes over that file extension when installed. I don't know offhand whether XP's built-in zip decompressor handles .mim files, but if it does, this was a very clever extension to use.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: [Mimedefang] bad_filename: mim
> > It looks like a new virus spreads using (among others) .mim files...
>
> I've never heard of that extension. Is it a windows
> executable or outlook script of some kind?

It's a MIME-encoded file which is of type message/rfc822, so presumably you can embed anything you want into it, and watch it sail past most scanning programs as text content, only for some dumbass mail client (Outlook?) to present it as a standard attachment which opens up into a mail message with an executable attachment.

Definitely one for the banned list now...

Best Wishes,

Paul.
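Added example, not from the original post or from MIMEDefang: one way a filter can look inside a .mim attachment, by parsing its decoded body as a MIME message again so that the inner attachment names also reach the extension check. It uses MIME::Parser from MIME-tools (CPAN); the sample message, the depth limit of 5 and the sub names are constructed for the illustration.

```perl
use strict;
use warnings;
use MIME::Parser;    # MIME-tools from CPAN, which MIMEDefang also uses

sub new_parser {
    my $parser = MIME::Parser->new;
    $parser->output_to_core(1);             # keep decoded bodies in memory
    $parser->extract_nested_messages(1);    # message/rfc822 parts become sub-entities
    return $parser;
}

# Collect every attachment name reachable from $entity. A leaf named *.mim is
# decoded and parsed again as a MIME message so its inner names are seen too.
sub attachment_names {
    my ($entity, $depth) = @_;
    $depth //= 0;
    return () if $depth > 5;                # bound nesting in hostile mail
    my @names;
    my $name = $entity->head->recommended_filename;
    push @names, $name if defined $name;
    push @names, attachment_names($_, $depth + 1) for $entity->parts;
    if (defined $name && $name =~ /\.mim\.*\z/i && $entity->bodyhandle) {
        my $inner = eval { new_parser()->parse_data($entity->bodyhandle->as_string) };
        push @names, attachment_names($inner, $depth + 1) if $inner;
    }
    return @names;
}

# Constructed sample: the .mim attachment carries a second MIME message.
my $mail = <<'EOM';
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See attachment.
--outer
Content-Type: application/octet-stream; name="photos.mim"

Content-Type: application/octet-stream; name="photos.scr"

placeholder bytes
--outer--
EOM

my $top = new_parser()->parse_data($mail);
print "$_\n" for attachment_names($top);
```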
RE: [Mimedefang] bad_filename: mim
> -Original Message-
> From: Jason Gurtz
>
> I've never heard of that extension. Is it a windows
> executable or outlook script of some kind?

I hadn't either. Google found this:

http://www.seniormag.com/compcorner/definitions/ext/biglistm.htm

Which says:

MIM
A multipart file in the Multi-Purpose Internet Mail Extensions (MIME) format; often created as the result of sending e-mail with attachments in AOL. The files in a multipart MIM file can be "opened" (unarchived and separated into individual files) using Winzip or a similar program.
Re: [Mimedefang] bad_filename: mim
On 1/18/2006 12:44, [EMAIL PROTECTED] wrote:

> It looks like a new virus spreads using (among others) .mim files...

I've never heard of that extension. Is it a windows executable or outlook script of some kind?

~Jason
Re: [Mimedefang] bad_filename: mim
It's W32/Blackmal.e from symantec and W32/[EMAIL PROTECTED] from NAI.

I believe that NAI just released an update for it in just the past 2 minutes. dat-4677.zip was published at 8AM their time and then removed and republished at 10AM.

Regards,

KAM

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 18, 2006 12:44 PM
Subject: [Mimedefang] bad_filename: mim

> It looks like a new virus spreads using (among others) .mim files... this could be a good candidate for bad_filename.
[Mimedefang] bad_filename: mim
It looks like a new virus spreads using (among others) .mim files... this could be a good candidate for bad_filename.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer