On 11/5/2013 1:56 PM, David F. Skoll wrote:
On Tue, 05 Nov 2013 13:30:17 -0500
"Kevin A. McGrail" <[email protected]> wrote:

3 - Has anyone written description of all the extensions and a short
what/why description?  If not, I'll take a pass at it.  (example
below).
The bad filename extension list in the default MIMEDefang filter is
old, crufty, unmaintained, and most likely way too aggressive.
It's not really THAT bad but I agree it needs at a minimum some documentation. The #1 and #2 issues I usually see are exe's and wmz's. The exe's are about 50% of the time malware payloads so that policy makes sense. With WMZ, there are legitimate ways to exploit that format, though I've rarely seen it in the wild. I could argue it both ways.
I obtained it from some MSFT knowledgebase article, the origin of which
is lost in the mists of time.

If someone would like to patch the sample filter to have a saner list,
I'll gladly take the patch.
I think the list is not bad, like I said.  In practice, I like it.

I'll work on documenting the extensions that are blocked and if any need to come off.

Right now, for example, vcs is blocked and I can't find a reason it should be blocked.

And .MIM should be blocked - Apparently we had real exploits from years ago (2004?). Looks tied to winzip and this announcement http://www.winzip.com/fmwz90.htm

Anyway, I expect the patch to be 99% documentation and 1% changing extensions.

Regards,
KAM
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang