[Esd-l] Mangled Extensions

John D. Hardin jhardin at impsec.org
Wed May 7 21:02:53 PDT 2003

On Wed, 7 May 2003, Scott Taylor wrote:

> Once again, and every time I upgrade, I get into the argument with
> the PHB's, well now I have it in writing and I need to allow some
> email addresses to attach .xls and .doc files without defanging
> them.  I tried adding the following recipe:
> :0
> *^From:.*<[a-z0-9]+ at blah.com>
> {
>   MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|dot|xl[wt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd]'
> }
> Now an Excel attachment (.xls) from first.last at blah.com comes
> through defanged, maybe it's the '.' between the first and last
> names in the email address, or am I going about this totally
> wrong?

Are you sure their mailer puts angle brackets around the address?
Take a look at a sample message to make sure.

It might be safer to check the Return-Path: header.

Also, don't forget to escape the period.

* ^(From|Return-Path):.*<[a-z0-9_]+ at blah\.com>
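
Added example, not part of the original message: a quick way to check candidate conditions against sample header lines before putting them in a recipe. It assumes the archive's " at " stands for "@", approximates procmail's case-insensitive matching with `grep -Ei`, and uses constructed headers; the `DOTTED` pattern is a hypothetical variant that is not from the thread.

```shell
#!/bin/sh
# Constructed sample headers and patterns for illustration only.
# Assumption: " at " in the archived post stands for "@" in real mail.

# matches PATTERN HEADER -> exit status 0 if the header line matches.
# grep -Ei approximates procmail's case-insensitive egrep-style regexes.
matches() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Condition from the quoted recipe (period in the domain left unescaped).
ORIG='^From:.*<[a-z0-9]+@blah.com>'
# Condition given in the reply (escaped period, Return-Path also accepted).
SUGGESTED='^(From|Return-Path):.*<[a-z0-9_]+@blah\.com>'
# Hypothetical variant: also allows "." and "-" in the local part.
DOTTED='^(From|Return-Path):.*<[a-z0-9_.-]+@blah\.com>'

# Print a pattern/header matrix so each difference is visible at a glance.
report() {
    for h in \
        'From: First Last <first.last@blah.com>' \
        'From: first.last@blah.com' \
        'Return-Path: <first.last@blah.com>' \
        'From: Bob <bob@blah.com>' \
        'From: Bob <bob@blahxcom>'
    do
        for name in ORIG SUGGESTED DOTTED; do
            eval "pat=\$$name"
            if matches "$pat" "$h"; then r=match; else r=no-match; fi
            printf '%-10s %-9s %s\n' "$name" "$r" "$h"
        done
    done
}

report
```

The matrix shows three separate effects: a header without angle brackets matches none of the conditions, an unescaped period lets `blahxcom` through, and a local part containing a period only matches when the character class includes it.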

