[Esd-l] NOTICE: you probably should add *.CPL to your poison list

Rick Thompson rthompson at rrmm.net
Thu May 6 06:56:52 PDT 2004

I think it would definitely be a great idea to have the option to disallow
by default, and use whitelisted extensions.  I've always subscribed to that
particular methodology.

-----Original Message-----
From: esd-l-bounces at spconnect.com [mailto:esd-l-bounces at spconnect.com] On
Behalf Of John D. Hardin
Sent: Thursday, May 06, 2004 9:15 AM
To: Rob Landry
Cc: Email Security Discussion list
Subject: Re: [Esd-l] NOTICE: you probably should add *.CPL to your
poison list

On Wed, 5 May 2004, Rob Landry wrote:

> Given that the wormmongers seem to be putting arbitrary suffixes
> on their payloads to get around filters such as Sanitizer, might
> it be time to switch to a system whereby all attachments are
> disallowed except those bearing an allowable suffix (.doc, .exe,
> .pdf, .mp3, etc)?

You can do this by setting your $MANGLE_EXTENSIONS thusly:


Extend the list of acceptable extensions as desired.

Note: I am still checking this against my set of test messages, but it
appears to be working well. I might add some simple scripting to allow
for a variable (maybe $ACCEPTABLE_EXTENSIONS) that, if present, would
override the default $MANGLE_EXTENSIONS as described above. Then you'd
be able to do something more friendly like:


Comments solicited.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Bush? Kerry? I'm so sick of our elections always being "choose the
  lesser of two evils."
   180 days until the Presidential Election
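
The following is an added example, not part of the original thread and not Sanitizer code (it does not use $MANGLE_EXTENSIONS). It contrasts a poison list with the allow-by-suffix approach proposed above, run over a constructed message. The POISON and ALLOWED sets, the function names and the sample filenames are assumptions made for illustration.

```python
# Added example, not Sanitizer code: poison list vs. default-deny allowlist.
from email import message_from_bytes, policy
from email.message import EmailMessage

POISON = {"exe", "pif", "scr", "vbs"}    # assumption: a poison list without *.cpl
ALLOWED = {"doc", "pdf", "mp3", "txt"}   # assumption: site-chosen allowlist

def suffix(filename):
    """Lower-cased final suffix of a filename, or "" if there is none."""
    name = (filename or "").strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def attachment_names(msg):
    """Filenames of every part marked as an attachment or carrying a name."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            names.append(name or "")   # unnamed attachments are kept as ""
    return names

def rejected_by_poison_list(msg):
    """Default allow: reject only suffixes already known to be bad."""
    return [n for n in attachment_names(msg) if suffix(n) in POISON]

def rejected_by_allowlist(msg):
    """Default deny: reject everything whose final suffix is not allowlisted."""
    return [n for n in attachment_names(msg) if suffix(n) not in ALLOWED]

def constructed_message(names):
    """Build and re-parse a sample message (constructed test input)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for n in names:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=n)
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    m = constructed_message(["report.PDF", "panel.cpl", "photo.pdf.scr", None])
    print("poison list rejects:", rejected_by_poison_list(m))
    print("allowlist rejects:  ", rejected_by_allowlist(m))
```

The poison list only catches the suffix it already knows, while the allowlist also rejects the unlisted suffix and the unnamed attachment without any list update.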