Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: [inbox] Re: Re: E-Mail viruses
From: psz () maths usyd edu au (Paul Szabo)
Date: Sat, 6 Mar 2004 08:18:27 +1100 (EST)

Curt Purdy <purdy () tecman com> wrote:

An alternative is to allow only a proprietary extension through,
like .inc.  Legitimate senders would rename the file, be it .exe
.doc .jpg, indicate in the body of the message what the true
extension is, and the receiver merely renames it.

Only the proprietary extension, i.e. .inc or .xyz or .whatever,
would be allowed through, and since virus writers would never use
this extension, it would eliminate ALL viruses at the gateway.
The nice thing about this approach is that it completely eliminates
the need for any anti-virus on the mail server since all virus
attachments are automatically dropped without the need for scanning.
Quite a simple, yet elegant solution, if I do say so myself.

Yes, it eliminates a large class of viruses. But, it would not do
anything to "local" attacks (a virus modified specifically to handle
your particular setup; and if it becomes widely used then "real"
viruses will also do the same).

Also it does nothing to viruses that do not use attachments: attacks
on a "Subject:" buffer overflow, or a virus delivery via the web with
a link or "Content-type: message/external-body".

Also you might miss some attachments: "uuencoded block"s, or those
within incomplete "Content-type: message/partial" bits.

Within those limitations, it is a great idea to keep an organization
free from "common" attacks.


Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]