[Esd-l] Mangled Extensions
John D. Hardin
jhardin at impsec.org
Wed May 7 21:02:53 PDT 2003
On Wed, 7 May 2003, Scott Taylor wrote:
> Once again, and every time I upgrade, I get into the argument with
> the PHB's, well now I have it in writing and I need to allow some
> email addresses to attach .xls and .doc files with out defanging
> them. I tried with adding the following recipe:
>
> :0
> *^From:.*<[a-z0-9]+ at blah.com>
> {
> MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|dot|xl[wt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd]'
> }
>
> now an Excel attachment (.xls) from first.last at blah.com comes
> through defanged, maybe it's the '.' between the first and last
> names in the email address, or am I going about this totally
> wrong?
Are you sure their mailer puts angle brackets around the address?
Take a look at a sample message to make sure.
It might be safer to check the Return-Path: header.
Also, don't forget to escape the period.
:0
* ^(From|Return-Path):.*<[a-z0-9_]+ at blah\.com>
{
etc.
}
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...voice or no voice, the people can always be brought to the bidding
of the leaders. That is easy. All you have to do is tell them they
are being attacked and denounce the pacifists for lack of patriotism
and exposing the country to danger. It works the same way in any
country.
-- Hermann Goering
-----------------------------------------------------------------------
8 days until The Matrix Reloaded
More information about the esd-l
mailing list