Date: Tue, 4 Dec 2001 21:48:10 -0600 From: Alfred Perlstein <bright@mu.org> To: Landon Stewart <landons@uniserve.com> Cc: Anthony Kim <niceshorts@yahoo.com>, freebsd-security@freebsd.org Subject: Re: block double suffix attachments? Re: Mail list is posting gone virus!!!! Message-ID: <20011204214810.G92148@elvis.mu.org> In-Reply-To: <3C0D8959.5080500@uniserve.com>; from landons@uniserve.com on Tue, Dec 04, 2001 at 06:41:29PM -0800 References: <01d701c17d10$a8b334b0$0001300a@lhtech.lhtek.com> <C1EC3AA970F8D311BA4D0050BAB07BA870491B@nhex1101.cologic.co.nz> <4.3.2.7.2.20011204172959.04d112e0@localhost> <5.1.0.14.2.20011204193019.05f01c18@mail.Go2France.com> <20011204194431.E92148@elvis.mu.org> <20011205021654.GA31554@boethius.telocity.com> <3C0D8959.5080500@uniserve.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* Landon Stewart <landons@uniserve.com> [011204 20:41] wrote:
> Anthony Kim wrote:
>
> >and .Z
> >
> >You've got to consider, people send all sorts of weird filenames.
> >mtr.c.patch or ncurses.ru.uu or bill_me.c.diff or
> >BSD.include.dist - you get the idea.
> >
> >At work we focus on the AV recommended most wanted, .pif, .exe.,
> >.vbs, .scr, .shs, but this list is getting longer and longer :(
> >
> For an idea, Eudora (eudora.com) has a somewhat comprehensive list of
> attachments that generate warnings when someone tries to open them.
> They keep this list updated and make it an updatable part of their mail
> client.
>
> This list would give someone a good start as to what to block for
> extensions.
Since this is a security list I'm going to repeat myself one last
time.
It's a LOT better to have allow(list)->deny(*) than deny(list)->allow(*).
Ever notice how as the viruses keep coming they keep mutating the
extentions? A deny->allow will not work to stop those before it
is too late. One should observe similar precautions when doing other
such ACLs, take for instance file permissions, would it make sense
to list a file as:
deny access to this file from web-dev group
allow all others access.
or
allow access to this file from eng and eng-mgmt
deny from all others.
--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011204214810.G92148>