http://www.asspsmtp.org/wiki/Dangerous_attachments explains what most of
those file types are, if anyone cares to know, and may include (I haven't
made a comparison) a few that aren't on this list.

Kurt

On Jan 24, 2008 1:06 PM, Noel Jones <njones> wrote:
> MrC wrote:
> >
> > Noel Jones wrote:
> >> Victor Duchovni wrote:
> >>> On Thu, Jan 24, 2008 at 02:37:59PM +0700, Truong Tan Son wrote:
> >>>
> >>
> >> Here again is the expression I've posted several times in the past.
> >> This includes all the extensions that Windows treats as "executable".
> >> (Note that Office documents can embed executables, and many other
> >> extensions auto-launch the registered program. But these extensions
> >> are executed directly, so are most dangerous).
> >>
> >> # block windows executables PCRE
> >> # the funky 'xdigit' expression is to catch Windows CLSID's
> >> /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
> >>     ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
> >>     hlp|ht[at]|
> >>     inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
> >>     \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
> >>     ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
> >>     vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
> >>     REJECT Attachment name "$2" may not end with ".$4"
> >>
> >
> > Since we're going the whole nine yards, here are a few other
> > considerations:
> >
> > + Consider also asd|app|ani|cur|ico|emf|fxp|grp|mda|ocx|prg|wmf
>
> Thanks.  My list originally came from
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
> which has apparently been updated sometime in the last 5
> years.  I don't know that wmf belongs there (it's not executed
> directly), but I won't argue as it's been an attack vector in
> the past.
>
> > + Add app, and group adp, asp, app into a[dps]p
> > + Add mda and mdz into md[abetwz]
> > + Add prg and group prf and prg into pr[fg]
> > + Group com and chm into c[oh]m
> > + Group bas and bat into ba[st]
> > + Group inf and ins into in[fs]
> >
>
> I intentionally didn't group some of these so that users could
> easily see which extensions were blocked without having to
> parse regexp.  Also makes it easier for a user to remove a
> specific extension from the list.  But I'm lazy and didn't
> ungroup them all.
>
> > The updated expression is:
> >
> > # block windows executables PCRE
> > # the funky 'xdigit' expression is to catch Windows CLSID's
> > /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
> >     ade|a[dps]p|asd|ani|ba[st]|c[ho]m|cmd|cpl|crt|cur|dll|emf|exe|
> >     fxp|grp|hlp|ht[at]|
> >     ico|in[fs]|isp|jse?|lnk|md[abetwz]|ms[cipt]|nws|
> >     \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
> >     ocx|ops|pcd|pif|pr[fg]|reg|sc[frt]|sh[bsm]|swf|
> >     vb[esx]?|vxd|wmf|ws[cfh]))(\?=)?"?\s*(;|$)/x
> >     REJECT Attachment name "$2" may not end with ".$4"
> >
> > MrC
>
> I don't actually use this anymore - it's still in my
> mime_header_checks, but commented out.  My attachment blocking
> is done in amavisd-new for the last couple years.  Hope
> someone tests this before it gets slurped into a man page
> forever and ever. ;-)
>
>
> --
> Noel Jones
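Noel asks that someone test the expression before it gets copied around. The harness below is an added example, not part of the thread and not Postfix code: it applies the updated pattern to a handful of constructed MIME header lines and reports the REJECT text Postfix would log, so you can see what the pattern catches and what slips past it. Two translations are this example's own assumptions rather than anything from the thread: Python's re has no POSIX [[:xdigit:]] class, so [0-9A-Fa-f] stands in for it, and pcre_table's default case-insensitive matching plus the /x flag are expressed as re.IGNORECASE | re.VERBOSE. The sample headers are single logical lines, and the sample CLSID is a synthetic GUID, not a real class ID.

```python
import re

# Added example (not from the thread): apply Noel Jones' updated
# mime_header_checks pattern to constructed MIME headers.
#
# Assumptions of this harness, not Postfix behaviour:
#   - pcre_table(5) patterns are case-insensitive by default (flag i) and
#     this one adds the x flag, hence re.IGNORECASE | re.VERBOSE.
#   - Python's re has no POSIX [[:xdigit:]] class; [0-9A-Fa-f] is used.
#   - Postfix's "$2"/"$4" in the REJECT text are the 2nd and 4th capture
#     groups, reproduced here with m.group(2) / m.group(4).
BLOCK_RE = re.compile(r'''
^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
  ade|a[dps]p|asd|ani|ba[st]|c[ho]m|cmd|cpl|crt|cur|dll|emf|exe|
  fxp|grp|hlp|ht[at]|
  ico|in[fs]|isp|jse?|lnk|md[abetwz]|ms[cipt]|nws|
  \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
  ocx|ops|pcd|pif|pr[fg]|reg|sc[frt]|sh[bsm]|swf|
  vb[esx]?|vxd|wmf|ws[cfh]))(\?=)?"?\s*(;|$)
''', re.IGNORECASE | re.VERBOSE)


def check_header(header):
    """Return the REJECT text the pattern's action would produce for one
    logical MIME header line, or None when the pattern does not match."""
    m = BLOCK_RE.search(header)
    if not m:
        return None
    return 'Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(4))


# Constructed sample headers (not taken from real mail), each paired with
# the verdict the pattern is expected to give (True = REJECT).
SAMPLES = [
    # the plain cases the pattern is written for
    ('Content-Disposition: attachment; filename="invoice.exe"', True),
    ('Content-Type: application/octet-stream; name=setup.PIF', True),
    ('Content-Disposition: attachment; filename="report.pdf.scr"; size=1234', True),
    # CLSID suffix caught by the xdigit alternative (synthetic GUID)
    ('Content-Disposition: attachment; '
     'filename="notes.txt.{12345678-ABCD-EF01-2345-67890ABCDEF0}"', True),
    # RFC 2047 Q-encoded name: the dot arrives as =2E, which the pattern covers
    ('Content-Disposition: attachment; filename="=?ISO-8859-1?Q?bad=2Eexe?="', True),
    # a harmless attachment
    ('Content-Disposition: attachment; filename="report.pdf"', False),
    # evasion: the pattern wants "name=" so the RFC 2231 "filename*=" form
    # is never examined ...
    ("Content-Disposition: attachment; filename*=utf-8''bad.exe", False),
    # ... and a Base64 encoded-word hides both the dot and the extension,
    # because the raw (undecoded) header text is what gets matched
    ('Content-Disposition: attachment; filename="=?UTF-8?B?YmFkLmV4ZQ==?="', False),
]


def run_samples():
    """Return [(header, reject_text_or_None)] for every sample, checking
    each verdict against the expected one on the way."""
    results = []
    for header, expect_reject in SAMPLES:
        verdict = check_header(header)
        assert (verdict is not None) == expect_reject, header
        results.append((header, verdict))
    return results


if __name__ == "__main__":
    for header, verdict in run_samples():
        print("REJECT" if verdict else "pass  ", header)
        if verdict:
            print("        ", verdict)
```

The last two samples are the caveat a practitioner wants before relying on this table alone: the pattern only ever looks at `name=`, so an RFC 2231 `filename*=` parameter is not examined, and a Base64 encoded-word carries neither a literal dot nor `=2E`, so the extension never appears in the text being matched. Noel's own move to amavisd-new, which decodes the MIME structure before looking at names, is the usual answer to both.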
© 2004-2008 readlist.com