[Esa-l] Recognizing Microsoft executable attachments

Bjarni R. Einarsson bre at netverjar.is
Thu Aug 16 09:13:13 PDT 2001

On 2001-08-16, 10:23:01 (-0500), Karl.Dunn at vmic.com wrote:
> Is this idea way off target (surely it's not new)?  Opinions?

This idea is very good, as far as it goes.  Using filename extensions
is pretty inaccurate - but unfortunately not all file types have
recognizable signatures either.  

For example, old .COM executables have no recognizable signatures.  In
fact, careful coding can create .COM files which look like text files
(like the EICAR test string/program).

> I much better like John's idea of moving to rejecting all but what we deem
> safe, instead of accepting everything except what we deem dangerous.  He
> mentioned that some time ago I think.

This is what I'm currently doing in my code.  Unfortunately, I'm doing
it based on filename extension and a bit on MIME type.  The problem
remains, how do you know that something dangerous isn't "masquerading"
as something safe?

Again, file type signatures would be very useful here - possibly more
so than when recognizing dangerous content, since it's more likely
that many formats on the (relatively small) list of safe file formats
will have recognizable signatures - with notable exceptions such as
plain text.

Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

More information about the esd-l mailing list