That is what I'm doing here.
Rather than attempting that with SA, I wrote a MimeDefang routine to
interrogate the "Magic" number of any office document, blocking all macro
enabled documents, and any document that was renamed so that the Magic
number does not match the extension (I don't care if these are Macro
enabled or not, there is no legitimate reason to rename them).

On Wednesday, August 10, 2016 09:31:21 Joe Quinn wrote:

That's a very good warning indeed! Perhaps blocking .doc files with a
zip-like file structure is in order? I can't think of a legitimate reason
to use the old extension on the new file format.

On 8/10/2016 9:28 AM, Larry Starr wrote:
      
On Tuesday, August 09, 2016 18:01:57 Rob McEwen wrote:
> On 8/9/2016 5:56 PM, Anthony Hoppe wrote:
> > Here are the headers as an example:
> > http://pastebin.com/bnU0npLR[1]
> > This particular email has a macro-enabled Word document attached, but I
> > don't want to assume this will be the case every time.
> > Any tips/tricks/suggestions would be greatly appreciated!
>
> I think there is a trend now... towards blocking ALL .docm files (if
> not, there should be!). I think it is EXTREMELY rare for normal human
> beings to send Word documents in that particularly dangerous format.
> Most would be sent in .doc or .docx format.
>
> I'm not sure if there is already a SA rule for scoring against .docm
> file attachments? Perhaps someone else could help you with that.
      
Just a short warning, although Word will not open a .docm that is renamed
to .docx, it will open a .docm renamed to .doc.

I found this the hard way!

It is necessary, if you wish to be safe from macro enabled documents, to
verify that the file is what the attachment's extension claims to be.

--
Larry Starr
Software Engineer
Full Compass Systems
9770 Silicon Prairie Pkwy
Madison, WI 53593-8442
P: 608-831-7330 x1347
F: 608-831-6330
E: lar...@fullcompass.com[2]
          


-- 
Larry Starr
Software Engineer
Full Compass Systems
9770 Silicon Prairie Pkwy
Madison, WI 53593-8442
P: 608-831-7330 x1347
F: 608-831-6330
E: lar...@fullcompass.com


--------
[1] http://pastebin.com/bnU0npLR
[2] mailto:lar...@fullcompass.com
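
The check discussed in this thread, as an added example in Python (it is not the MimeDefang routine mentioned above, which is not shown on the page): compare an attachment's magic number with its extension and look inside zip-based files for macro parts. The function names, extension lists and verdict strings are assumptions made for illustration, and macro detection inside legacy OLE2 files is not attempted because it needs a compound-file parser.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt (compound file)
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML .docx/.docm/.xlsx/... (zip)
LEGACY_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pps"}
OOXML_EXTS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx", "ppsx"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppsm", "ppam"}

def has_ooxml_macros(data):
    """True if the zip declares a macroEnabled content type or carries a VBA part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        return ("[Content_Types].xml" in names
                and b"macroenabled" in z.read("[Content_Types].xml").lower())

def verdict(filename, data):
    """Return 'accept' or 'block: <reason>' for one attachment (name + raw bytes)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in LEGACY_EXTS | OOXML_EXTS | MACRO_EXTS:
        return "accept"  # not an Office extension, out of scope for this check
    container = ("ole2" if data.startswith(OLE2_MAGIC)
                 else "zip" if data.startswith(ZIP_MAGIC) else None)
    if container is None:
        return "block: no Office magic number"
    if container == "zip":
        try:  # inspect the content, whatever the extension claims
            if has_ooxml_macros(data):
                return "block: macro-enabled"
        except zipfile.BadZipFile:
            return "block: corrupt zip container"
    if ext in MACRO_EXTS:
        return "block: macro-enabled"
    expected = "ole2" if ext in LEGACY_EXTS else "zip"
    if container != expected:  # renamed file: magic number and extension disagree
        return f"block: .{ext} with {container} magic number"
    return "accept"

def make_ooxml(macro):
    """Constructed sample: a minimal zip holding only the parts this check reads."""
    kind = "vnd.ms-word.document.macroEnabled" if macro else \
        "vnd.openxmlformats-officedocument.wordprocessingml.document"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override ContentType="application/{kind}.main+xml"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Password-protected OOXML files are stored in an OLE2 container, so a check like this reports them as an extension mismatch.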
