subject:"\[Mimedefang\] best practices for handling filename extensions"

Re: [Mimedefang] best practices for handling filename extensions

2017-10-06 Thread Michael Fox

> -Original Message-
> I am mainly not blocking by filename extensions, but by content. I am
> blocking:

Thanks Frank.  Very helpful ideas.

Michael


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] best practices for handling filename extensions

2017-10-05 Thread Frank Doepper

Am 04.10.17 um 21:41 schrieb Michael Fox:

> The example provided in /usr/share/doc/mimedefang shows a very long list
> of extensions to be rejected.

I am mainly not blocking by filename extensions, but by content. I am
blocking:

- Files with contents beginning with "MZ" (DOS EXE);
- the same inside ZIP files;
- the same inside ZIP files inside ZIP files :-)
- short or broken ZIP files;
- encrypted ZIP files with $name=~/\.(?:com|exe|bat|pif|scr|vbs|hta|cpl|js)$/i 
as member;
- zip files with *.js as member;
- several well-known spam or virus file names like Rechnung.rar etc.

Also I have built in a sqlite DB where several other conditions (HELO
string, unknown recipient rate per IP,...) are tracked for delaying or
refusing certain connections.

Thanks for that great and highly customizable software, which reduces the
spam and malware amount for years now!

best regards,
Frank
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] best practices for handling filename extensions

2017-10-05 Thread Bill Cole


On 5 Oct 2017, at 8:04, Mark Coetser wrote:

Pretty sure the filetype matching is done by checking the actual mime 
type of the file not just what the file extension is, so just renaming 
the file will still not allow the file through.


The file "examples/suggested-minimum-filter-for-windows-clients" in the 
source distribution which is the ancestor of many users' 
/etc/mail/mimedefang-filter matches by filename extension only. This 
actually makes sense for Windows clients, where (at least historically) 
the filename extension is the only indicator known to the OS of what the 
filetype is.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] best practices for handling filename extensions

2017-10-05 Thread Dianne Skoll

On Thu, 5 Oct 2017 14:04:59 +0200
Mark Coetser  wrote:

> Pretty sure the filetype matching is done by checking the actual mime 
> type of the file not just what the file extension is, so just
> renaming the file will still not allow the file through.

The sample filter doesn't do that; it only looks at the actual filename.
Some people have written code that probes the file to figure out the MIME
type, but that code's not part of the MIMEDefang distribution.

Regards,

Dianne.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] best practices for handling filename extensions

2017-10-05 Thread Mark Coetser



On 05/10/2017 06:41, Michael Fox wrote:

I'm looking to understand best practices with regard to rejecting filename
extensions.

  


The example provided in /usr/share/doc/mimedefang shows a very long list of
extensions to be rejected.  I know some hosted mail providers don't allow
.exe.  It annoys me but I just change the extension and it goes through.
And I know that some providers don't allow .zip.  So folks using those
providers just change it to .piz and it goes through.

  


I presume this is, indeed, a little safer, since the recipient has to take
an extra step to change the extension.  And, presumably, they would only do
that if they knew what they were getting.  But I wonder if that's just the
appearance of additional security or if it's a true improvement.

  


So, what do the folks here with much more experience than I do, and why?

  


Thanks much,

Michael


Pretty sure the filetype matching is done by checking the actual mime 
type of the file not just what the file extension is, so just renaming 
the file will still not allow the file through.



Thank you,

Mark Adrian Coetser
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

[Mimedefang] best practices for handling filename extensions

2017-10-05 Thread Michael Fox

I'm looking to understand best practices with regard to rejecting filename
extensions.

 

The example provided in /usr/share/doc/mimedefang shows a very long list of
extensions to be rejected.  I know some hosted mail providers don't allow
.exe.  It annoys me but I just change the extension and it goes through.
And I know that some providers don't allow .zip.  So folks using those
providers just change it to .piz and it goes through.

 

I presume this is, indeed, a little safer, since the recipient has to take
an extra step to change the extension.  And, presumably, they would only do
that if they knew what they were getting.  But I wonder if that's just the
appearance of additional security or if it's a true improvement.

 

So, what do the folks here with much more experience than I do, and why?

 

Thanks much,

Michael

 


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] best practices for handling filename extensions

Re: [Mimedefang] best practices for handling filename extensions

Re: [Mimedefang] best practices for handling filename extensions

Re: [Mimedefang] best practices for handling filename extensions

Re: [Mimedefang] best practices for handling filename extensions

[Mimedefang] best practices for handling filename extensions

6 matches

Site Navigation

Mail list logo

Footer information