Discussion:
[Mimedefang] best practices for handling filename extensions
Michael Fox
2017-10-05 04:41:34 UTC
I'm looking to understand best practices with regard to rejecting filename
extensions.

The example provided in /usr/share/doc/mimedefang shows a very long list of
extensions to be rejected. I know some hosted mail providers don't allow
.exe. It annoys me but I just change the extension and it goes through.
And I know that some providers don't allow .zip. So folks using those
providers just change it to .piz and it goes through.

I presume this is, indeed, a little safer, since the recipient has to take
an extra step to change the extension. And, presumably, they would only do
that if they knew what they were getting. But I wonder if that's just the
appearance of additional security or if it's a true improvement.

So, what do the folks here with much more experience than I do, and why?

Thanks much,

Michael

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Mark Coetser
2017-10-05 12:04:59 UTC
Post by Michael Fox
> I'm looking to understand best practices with regard to rejecting filename
> extensions.
>
> The example provided in /usr/share/doc/mimedefang shows a very long list of
> extensions to be rejected. I know some hosted mail providers don't allow
> .exe. It annoys me but I just change the extension and it goes through.
> And I know that some providers don't allow .zip. So folks using those
> providers just change it to .piz and it goes through.
>
> I presume this is, indeed, a little safer, since the recipient has to take
> an extra step to change the extension. And, presumably, they would only do
> that if they knew what they were getting. But I wonder if that's just the
> appearance of additional security or if it's a true improvement.
>
> So, what do the folks here with much more experience than I do, and why?
>
> Thanks much,
> Michael

Pretty sure the filetype matching is done by checking the actual mime
type of the file not just what the file extension is, so just renaming
the file will still not allow the file through.


Thank you,

Mark Adrian Coetser
Dianne Skoll
2017-10-05 13:27:22 UTC
On Thu, 5 Oct 2017 14:04:59 +0200
Post by Mark Coetser
> Pretty sure the filetype matching is done by checking the actual mime
> type of the file not just what the file extension is, so just
> renaming the file will still not allow the file through.

The sample filter doesn't do that; it only looks at the actual filename.
Some people have written code that probes the file to figure out the MIME
type, but that code's not part of the MIMEDefang distribution.

Regards,

Dianne.
Bill Cole
2017-10-05 13:31:04 UTC
Post by Mark Coetser
> Pretty sure the filetype matching is done by checking the actual mime
> type of the file not just what the file extension is, so just renaming
> the file will still not allow the file through.

The file "examples/suggested-minimum-filter-for-windows-clients" in the
source distribution which is the ancestor of many users'
/etc/mail/mimedefang-filter matches by filename extension only. This
actually makes sense for Windows clients, where (at least historically)
the filename extension is the only indicator known to the OS of what the
filetype is.
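
Added example (not part of the thread, and not code from the MIMEDefang distribution): a stand-alone Perl sketch contrasting the filename-only match described in the two replies above with a probe of the attachment's leading bytes. The function names, the shortened extension list and the sample attachments are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Shortened, hypothetical extension list; the sample filter's list is far longer.
my $BAD_EXTS = qr/\.(?:exe|com|scr|bat|zip)\.?\s*$/i;

# Well-known leading-byte signatures used for the content probe.
# Caveat: OOXML documents (.docx, .xlsx) are zip containers and also start
# with PK\x03\x04, so rejecting on that signature alone would block them too.
my @MAGIC = (
    [ 'windows-executable', qr/\AMZ/ ],
    [ 'zip-archive',        qr/\APK\x03\x04/ ],
    [ 'elf-executable',     qr/\A\x7fELF/ ],
);

# Filename-only decision: what an extension list can see.
sub bad_by_name {
    my ($filename) = @_;
    return $filename =~ $BAD_EXTS ? 1 : 0;
}

# Content decision: label the data by its first bytes, or return undef.
sub sniff_type {
    my ($bytes) = @_;
    for my $sig (@MAGIC) {
        my ($label, $re) = @$sig;
        return $label if $bytes =~ $re;
    }
    return;
}

# Combined policy: reject on a bad name, then on recognised content.
sub verdict {
    my ($filename, $bytes) = @_;
    return 'reject (name)' if bad_by_name($filename);
    my $type = sniff_type($bytes);
    return "reject (content: $type)" if defined $type;
    return 'accept';
}

# Constructed sample attachments: [ filename, leading bytes ]
my @samples = (
    [ 'setup.exe',  "MZ\x90\x00\x03\x00" ],
    [ 'setup.ex_',  "MZ\x90\x00\x03\x00" ],   # renamed executable
    [ 'photos.piz', "PK\x03\x04\x14\x00" ],   # renamed zip
    [ 'notes.txt',  "Meeting at 10am\n" ],
);
for my $s (@samples) {
    my ($name, $bytes) = @$s;
    printf "%-12s name-only=%-6s name+content=%s\n",
        $name, (bad_by_name($name) ? 'reject' : 'accept'), verdict($name, $bytes);
}
```
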
Michael Fox
2017-10-06 15:07:16 UTC
-----Original Message-----
> I am mainly not blocking by filename extensions, but by content. I am

Thanks Frank. Very helpful ideas.

Michael