On 05/10/2017 06:41, Michael Fox wrote:
I'm looking to understand best practices with regard to rejecting filename
extensions.
The example provided in /usr/share/doc/mimedefang shows a very long list of
extensions to be rejected. I know some hosted mail providers don't allow
.exe. It annoys me but I just change the extension and it goes through.
And I know that some providers don't allow .zip. So folks using those
providers just change it to .piz and it goes through.
I presume this is, indeed, a little safer, since the recipient has to take
an extra step to change the extension. And, presumably, they would only do
that if they knew what they were getting. But I wonder if that's just the
appearance of additional security or if it's a true improvement.
So, what do the folks here with much more experience than I do, and why?
Thanks much,
Michael
Pretty sure the filetype matching is done by checking the actual mime
type of the file not just what the file extension is, so just renaming
the file will still not allow the file through.
Thank you,
Mark Adrian Coetser
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
