Kenneth Porter wrote:
--On Monday, September 11, 2006 8:12 AM -0700 "John D. Hardin"
<[EMAIL PROTECTED]> wrote:
Maybe we need a base rule for URL links directly to executable
content...
MIMEDefang rejects content with executable extensions. The list of
extensions is configurable. (.com is a pain because it also appears in
domain names which are commonly used as part of filenames, like "report
on my domain example.com.doc".)
In this case, though, it's not an attachment, so MD won't reject it.
It's an ordinary link in an HTML part to the offending file:
<a href="http://server/path/to/evil/file">Blah blah</a>
It doesn't even have to be in HTML. It could be a URL in a plaintext
email, and many clients will convert it to a clickable URL:
http://server/path/to/evil/file
In fact, if you're retrieving content over the web, the link doesn't
even have to tell you the double extension. The link could be to a
redirect script, or to a download script that provides a
content-disposition header:
http://server/path/to/evil/but/innocuous/looking/file
--
Kelson Vibber
SpeedGate Communications <www.speed.net>