On 7/3/2021 1:44 PM, Kenneth Porter wrote:
> On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
>> Anyone know if this is delivered via email? I'm trying to make sure I
>> block the payload if it is.
> I found a copy of the repo and see that it works by adding an evil
> printer driver to the remote server over an IP connection. So email is
> a vector if you allow executable attachments (including scripts).
> I use MIMEDefang (a "milter" run from the MTA during message
> acceptance) to block lots of extensions for all but a couple trusted
> recipients. I quarantine zip files, although MD can check inside those
> recursively for evil extensions. (MD also runs ClamAV and SpamAssassin
> and I have it set to reject mail with a score of 10 or more.)
Thank you to many who replied on and off list. I did NOT find a sample
of anything except the repo exploit so hopefully it's not in the wild.
And Ken, I love MIMEDefang and use it as well. Appriver and Zix donated
it to the McGrail Foundation (mcgrail.com) and the svn version has some
fixes and is stable.
DFS is also working on MailMunge, which fixes a lot of the code design
she hates, bringing a more modern filter structure to the concept.
With MIMEDefang, we do block a lot of extensions and we've published our
filter to do it before. Under "Attachment Help" at
https://raptoremailsecurity.com/documentation you'll find the list and
the rationale. Very good, real-world experience filtering gazillions of
emails using this list.
Regards,
KAM
--
Kevin A. McGrail
[email protected]
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
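Kenneth's note that MIMEDefang can look inside zip attachments recursively for blocked extensions is the part of this thread a filter operator would most want to see concretely. The following is an added, stand-alone Python illustration of that check; it is not MIMEDefang code (which is written in Perl), not Kenneth's or Kevin's filter, and the `BLOCKED_EXTENSIONS` set is a constructed sample rather than the Raptor list linked above. It builds a test attachment in memory (an outer zip holding an inner zip that carries `invoice.pdf.exe`), walks nested archives to a fixed depth, and quarantines anything that is encrypted, corrupt, too large or nested too deeply, since an archive you cannot inspect should fail closed.

```python
import io
import posixpath
import zipfile

# Constructed sample block list for this example only; a production list
# (such as the one referenced in the thread) is longer and maintained over time.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".jar", ".msi", ".lnk",
}
MAX_DEPTH = 3                          # do not descend forever into nested zips
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to expand oversized members (zip bombs)


def _is_blocked(name):
    """Match on the final suffix, so 'invoice.pdf.exe' is caught as .exe."""
    ext = posixpath.splitext(name.lower())[1]
    return ext in BLOCKED_EXTENSIONS


def scan_zip_bytes(data, depth=0, prefix=""):
    """Return a list of (path, reason) findings for a zip held in memory.

    Nested zips are opened recursively up to MAX_DEPTH. Anything that cannot
    be inspected (bad archive, encrypted member, oversized member, nesting
    too deep) is reported as a finding so the caller fails closed.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a valid zip")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if _is_blocked(info.filename):
                findings.append((path, "blocked extension"))
                continue
            if info.filename.lower().endswith(".zip"):
                if depth + 1 > MAX_DEPTH:
                    findings.append((path, "nesting too deep"))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "member too large to inspect"))
                    continue
                try:
                    inner = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    # RuntimeError is what zipfile raises for encrypted members
                    findings.append((path, "could not read (encrypted or corrupt)"))
                    continue
                findings.extend(scan_zip_bytes(inner, depth + 1, path + "/"))
    return findings


def verdict(data):
    """Quarantine if anything inside the archive is flagged, else accept."""
    findings = scan_zip_bytes(data)
    return ("quarantine" if findings else "accept", findings)


def build_sample(include_executable=True):
    """Constructed attachment: outer.zip containing notes.txt and inner.zip;
    inner.zip holds readme.txt and, optionally, invoice.pdf.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        if include_executable:
            z.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
        z.writestr("readme.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"benign")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(verdict(build_sample()))
    print(verdict(build_sample(include_executable=False)))
```

In a real milter the bytes would come from the decoded MIME part rather than `build_sample()`, and the decision would feed the quarantine or reject action; the point of the depth, size and read-error handling is that a filter which only inspects the outer layer, or which silently skips members it cannot open, is exactly what a double-extension inside a nested or password-protected zip is built to get past.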