On 7/20/07, Fitzpatrick, Ted wrote:

> Thanks, Mark. The MUA is including "application/octet-stream" as the
> mime type.

Gack.

> I didn't include this as passable because I wanted to strip
> ".exe" files from messages.

Perfectly reasonable.

> It looks like if I want to enable subscribers to attach PDF files, it
> will at the same time enable them to attach EXE files.

Not necessarily. You could allow application/octet-stream as an allowed MIME type, while allowing only certain file extension types. However, this does widen the hole for attackers to try to get through.

> From the security perspective, do most Mailman admins let EXE files
> pass?

It depends greatly on the particular list and the site. Most of the sites/lists I help administer (including python.org, where the mailman-users list is hosted) will explicitly reject EXE and all the other known major executable file extensions, as well as blocking application/octet-stream, and only allow through certain MIME types that are considered to be reasonably safe.

However, do keep in mind that spammers have recently latched onto the fact that most people do seem to let *.PDF files through, although I'm not sure what MIME type these messages are being tagged with. If you allow application/octet-stream and *.PDF through your lists, this may also open a much wider hole for spammers to go after.

-- 
Brad Knowles <[EMAIL PROTECTED]>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
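The policy Brad describes (allow-list MIME types, but still reject executable extensions because application/octet-stream can carry anything) as an added standalone example; this is not Mailman's own code and not part of the thread. The set names echo Mailman 2.1's content-filtering settings but are local constants here, and the leading-bytes check for .pdf is an added hardening step for the "widened hole" he mentions, not something the thread specifies.

```python
"""Added example: a minimal attachment filter run over a constructed
multipart message. Standalone code, not Mailman's implementation."""
import email
from email import policy
from email.message import EmailMessage

# Allow-list of MIME types that may pass (application/octet-stream is
# included, which is exactly why the extension check below is needed).
PASS_MIME_TYPES = {"text/plain", "multipart/mixed", "application/pdf",
                   "application/octet-stream"}
# Extensions rejected regardless of the declared MIME type.
REJECT_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}
# Hardening beyond the thread: the payload must look like what the
# filename claims, so a renamed executable cannot pass as ".pdf".
MAGIC = {".pdf": b"%PDF-"}

def part_verdict(part):
    """Return 'keep' or the reason this non-multipart part is stripped."""
    ctype = part.get_content_type()
    if ctype not in PASS_MIME_TYPES:
        return f"mime {ctype} not in pass list"
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in REJECT_EXTENSIONS:
        return f"extension {ext} rejected"
    if ext in MAGIC and not part.get_payload(decode=True).startswith(MAGIC[ext]):
        return f"content of {name} does not look like {ext}"
    return "keep"

def filter_message(raw):
    """Parse RFC 5322 text; map each leaf part (filename or type) to a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {(p.get_filename() or p.get_content_type()): part_verdict(p)
            for p in msg.walk() if not p.is_multipart()}

def build_sample():
    """Constructed sample: a text body, a real PDF, an EXE, and a fake PDF,
    all tagged application/octet-stream as the MUA in the thread does."""
    m = EmailMessage()
    m["From"] = "subscriber@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("hello list")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application",
                     subtype="octet-stream", filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="setup.exe")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf")
    return m.as_string()
```

Running filter_message(build_sample()) keeps the body and report.pdf, strips setup.exe on extension, and strips invoice.pdf because its bytes do not start with the PDF header.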
