[Esd-l] question on poisoning of file
DMarois at zoom-media.com
Thu Apr 18 07:32:00 PDT 2002
I have a question regarding the poisoned file. I tried a few things this
morning and I saw some files get through the sanitizer even if their
extension was in the poisoned list.
First I wanted to test the double extension and I sent myself a dummy file
named test.yxz.xya from another account and I received the file without even
the sanitizer seeing it (I checked in the log and no attachments were seen).
But test.pps.ppt and test.abc.exe were poisoned.
Next I tried a .wav that I blocked a while ago and again it went through.
I also did a check with a regular .exe file and this one got poisoned.
I then added *.jpg to the poisoned list just to test the sanitizer and the
test got through unpoisoned.
I am a little surprised; I always thought that whatever I put in the poisoned
list will get poisoned.
I did some more testing and I found that all the poisoned names I put
without any wild card are fine but putting something like *.jpg or *.wav does
not work. However, the *.com and *.exe work?!
All my tests were sent from an Outlook 2000 in regular plain text format.
Does this have something to do with the way Outlook encodes the attachment
when it knows (or doesn't) the extension?
I find it strange that the sanitizer will not see some attachments like the
test.yxz.yxz and see others.
Thanks for any insight, and a BIG thanks to John for this incredible piece
I am running the sanitizer 1.333 on a Red Hat 7
with parts of the latest poisoning file,
procmail v3.14 and sendmail v8.11.0
dmarois at zoom-media.com