[Esd-l] NOTICE: you probably should add *.CPL to your poison list

Joe Steele joe at madewell.com
Thu May 6 11:27:24 PDT 2004


On Thursday, May 06, 2004 9:15 AM, John D. Hardin wrote:
> On Wed, 5 May 2004, Rob Landry wrote:
>
> > Given that the wormmongers seem to be putting arbitrary suffixes
> > on their payloads to get around filters such as Sanitizer, might
> > it be time to switch to a system whereby all attachments are
> > disallowed except those bearing an allowable suffix (.doc, .exe,
> > .pdf, .mp3, etc)?
>
> You can do this by setting your $MANGLE_EXTENSIONS thusly:
>
> MANGLE_EXTENSIONS='((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'
>

Careful -- This is a perl RE, but there is a non-perl instance in the 
sanitizer where $MANGLE_EXTENSIONS is used as part of a condition for 
a procmail recipe.  Not a major problem, just a small complication.

> Extend the list of acceptable extensions as desired.
>
> Note: I am still checking this against my set of test messages, but it
> appears to be working well. I might add some simple scripting to allow
> for a variable (maybe $ACCEPTABLE_EXTENSIONS) that, if present, would
> override the default $MANGLE_EXTENSIONS as described above. Then you'd
> be able to do something more friendly like:
>
>     ACCEPTABLE_EXTENSIONS="txt|jpe?g|gif|png|mp3|etc"
>
> Comments solicited.
>

Using a carefully chosen extension whitelist is a better security 
model than using an extension blacklist.  Unfortunately, people will 
be faced with deciding to whitelist an extension because they were 
asked to do so and because they couldn't find any reason not to.  The 
trouble is, proving to yourself that something is safe is harder than 
proving that it is hazardous.  And concluding that an extension is 
safe today doesn't mean that it will remain safe tomorrow.  

I suspect publishing and maintaining an all-inclusive whitelist 
that people could reference would be much more difficult than 
continuing to maintain a blacklist of extensions known to be 
suspicious.  So in that regard, blacklists are still useful and 
necessary in preventing people from making uninformed decisions.  

If a whitelist model is implemented, then the issue for me is whether 
people will manually crosscheck all their new whitelist candidates 
against a blacklist maintained on a website (and diligently recheck 
their whitelist every time the blacklist is updated), or whether the 
sanitizer should continue to provide a default (but configurable) 
blacklist that automatically overrides any local whitelist 
preferences.  Using both types of lists is probably overkill, but it 
would be erring on the side of safety and would provide more 
flexibility for local policy.

--Joe
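As an added example that is not part of this thread (Python, not the sanitizer's own code): it applies John's $MANGLE_EXTENSIONS whitelist regex to sample attachment names, shows what the prefix-only lookahead does with an extension such as txt2, and implements the combined whitelist plus overriding poison list policy Joe describes. Anchoring the pattern to the whole extension and the contents of the poison list are my assumptions.

```python
import re

# The whitelist regex quoted in the thread. The negative lookahead makes every
# extension EXCEPT jpg/gif/txt/mp3 a mangle candidate; the second branch catches
# CLSID-style "{...}" extensions. It is anchored here to the whole extension
# (whether the sanitizer's own recipe anchors it is an assumption of mine):
# searched unanchored, it would still match inside "txt" starting at "xt".
MANGLE_EXTENSIONS = r'((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'
MANGLE_RE = re.compile(r'\A(?:' + MANGLE_EXTENSIONS + r')\Z', re.IGNORECASE)

# The lookahead above only inspects a prefix, so "txt2" is treated like "txt".
# Ending the lookahead with \Z makes it compare the whole extension.
STRICT_RE = re.compile(
    r'\A(?:(?!(?:jpg|gif|txt|mp3)\Z)[a-z0-9]+|\{[-0-9a-f]+\})\Z', re.IGNORECASE)

# Constructed stand-in for the sanitizer's default poison list.
DEFAULT_POISON = {'exe', 'cpl', 'scr', 'pif', 'bat', 'cmd', 'vbs'}


def extension(filename):
    """Final extension of an attachment name ('' if it has none)."""
    name = filename.rsplit('/', 1)[-1]
    return name.rsplit('.', 1)[-1] if '.' in name else ''


def whitelist_mangles(filename, pattern=MANGLE_RE):
    """True if the whitelist regex alone would mangle this attachment.
    A name with no extension is treated conservatively as a mangle."""
    ext = extension(filename)
    return ext == '' or pattern.search(ext) is not None


def policy_mangles(filename, local_whitelist, poison=DEFAULT_POISON):
    """Joe's combined policy: a locally whitelisted extension is allowed only
    if the default poison list does not override it; anything else is mangled."""
    ext = extension(filename).lower()
    return ext in poison or ext not in {e.lower() for e in local_whitelist}


if __name__ == '__main__':
    # Constructed sample attachment names, including a made-up CLSID extension.
    samples = ['report.TXT', 'photo.jpeg', 'notes.txt2', 'invoice.txt.exe',
               'panel.cpl', 'setup.{0123abcd-0000-0000-0000-000000000000}']
    local = ['txt', 'jpeg', 'cpl']   # a site that whitelisted .cpl by mistake
    for s in samples:
        print(s, 'whitelist:', whitelist_mangles(s),
              'strict:', whitelist_mangles(s, STRICT_RE),
              'policy:', policy_mangles(s, local))
```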

