Subject: Re: Virus checking RFC
From: Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
Date: Wed Jan 03 2001 - 06:34:19 CST
On Sat, 23 Dec 2000, Bennett Todd wrote:
> My preference on what to do with matches reflects my goals and
> limitations: I want something very simple to maintain that'll catch
> just about everything in the class of interest, which means it'll
> have some false positives too. And the only thing I'm trying to
> protect against is users being messed up by the email program
> automatically executing content. So when I do get a match, I go
> ahead and send it on to the user, after disabling it so the
> "attachment" won't be recognized by the email client. I do this by
> quoting the entire message, headers and all, with "> ", and slapping
> on a new header.
I'm thinking something similar: replace the dot in the filename with
another non-alphanumeric character, for example '?' or '!'. Automatic
content-execution won't be possible either. There is no need for a new
header and the message won't be enlarged at all. And it is easier for the
users to save the attachments (false positives).
It could even be done by extended body checking:
/etc/postfix/main.cf:
    body_check = /etc/postfix/not_completely_ok.pcre
/etc/postfix/not_completely_ok.pcre:
    # Using your pattern in multiline for readability:
    ^(Content-(?:Type|Disposition): (?:.|\n\s)*(?:file)?\
    name=("?)[^"]+)\.((hta|js|jse|shs|vbe|vbs|wsf|wsh)\2) REPLACE ${1}!${3}
But it would require a little patch against the cleanup daemon and
it would mean that an MTA is poking directly with the message content :-(.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
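The filename rewrite Jozsef sketches above, as an added example in Python rather than a Postfix map (this is not code from the post or from Postfix): it applies the post's pattern and its REPLACE ${1}!${3} idea to constructed MIME part headers. The tightened filename character class, the lazy quantifier, the trailing lookahead and the case-insensitive flag are my additions to the post's regex.

```python
import re

# Constructed example, not Postfix code: the header rewrite from the post,
# applied with Python's re instead of a cleanup-daemon body_check map.
# Extension list and the ${1}!${3} idea are from the post; the tightened
# filename class [^"\s;]+, the lazy quantifier, the lookahead and /i are mine.
EXTS = ("hta", "js", "jse", "shs", "vbe", "vbs", "wsf", "wsh")

# Group 1: header name through the filename base; group 2: optional opening
# quote; group 3: extension plus the matching closing quote (\2), so quoted
# and unquoted parameters both stay syntactically intact. (?:.|\n\s)*? lets a
# match span folded (continuation) header lines. The lookahead stops "js"
# from matching the first two letters of an unquoted ".jse".
PATTERN = re.compile(
    r'(Content-(?:Type|Disposition): (?:.|\n\s)*?(?:file)?name=("?)[^"\s;]+)'
    r'\.((' + "|".join(EXTS) + r')\2)(?=[\s;]|$)',
    re.IGNORECASE,  # the post's pattern is case-sensitive; ".VBS" must not slip by
)


def defang(part_headers: str) -> tuple[str, list[str]]:
    """Replace the dot before a risky extension with '!', e.g. name="x.vbs"
    becomes name="x!vbs", so a mail client no longer sees a script file.
    Returns the rewritten headers and the extensions that triggered."""
    hits: list[str] = []

    def rewrite(m):
        hits.append(m.group(4).lower())
        return f"{m.group(1)}!{m.group(3)}"  # the map's REPLACE ${1}!${3}

    return PATTERN.sub(rewrite, part_headers), hits


# Constructed MIME part headers: folded and quoted, unquoted, and harmless.
QUOTED_SAMPLE = (
    'Content-Type: application/octet-stream;\n\tname="Invoice.vbs"\n'
    'Content-Disposition: attachment;\n\tfilename="Invoice.vbs"\n'
)
UNQUOTED_SAMPLE = "Content-Disposition: attachment; filename=run.JSE\n"
HARMLESS_SAMPLE = 'Content-Type: text/plain; name="notes.txt"\n'

if __name__ == "__main__":
    for sample in (QUOTED_SAMPLE, UNQUOTED_SAMPLE, HARMLESS_SAMPLE):
        text, hits = defang(sample)
        print(text, "->", hits or "unchanged")
```

The message body itself is untouched, so a user who hits a false positive saves the file and renames it, which is the behaviour the post argues for.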