[Esd-l] Whitelist instead of blacklist for attachment names

John D. Hardin jhardin at impsec.org
Tue Jul 16 21:44:01 PDT 2002


On 15 Jul 2002, Kenneth Porter wrote:

> In firewall design one typically sets a default policy of dropping
> all but a few specified connection types. How about doing the same
> with email attachment names? This should be far easier to police
> than the evolving poisoned filename list.
> 
> Attachments with malformed names should be rejected immediately,
> on the assumption that they're malicious.
> 
> To start, it would be nice to log a list of attachment names over
> time on the gateway, to get a representative sample of the kinds
> of legitimate attachments that are seen.

I agree. That would be a fairly major rewrite of the sanitizer logic,
and if I'm going to do that thenI may as well make the logic as
customizable as possible.

Have you had a look at the development documents showing where I want
to go with the sanitizer? What you suggest would look something like:

  *.(gif|jpg|jpeg|png)    A
  *.txt                   A
  *.zip                   A
  *                       DL

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   311 days until The Matrix Reloaded



More information about the esd-l mailing list