From: Alfred Perlstein
To: Landon Stewart
Cc: Anthony Kim, freebsd-security@freebsd.org
Date: Tue, 4 Dec 2001 21:48:10 -0600
Subject: Re: block double suffix attachments? Re: Mail list is posting gone virus!!!!
Message-ID: <20011204214810.G92148@elvis.mu.org>
In-Reply-To: <3C0D8959.5080500@uniserve.com>

* Landon Stewart [011204 20:41] wrote:
> Anthony Kim wrote:
>
> > and .Z
> >
> > You've got to consider, people send all sorts of weird filenames.
> > mtr.c.patch or ncurses.ru.uu or bill_me.c.diff or
> > BSD.include.dist - you get the idea.
> >
> > At work we focus on the AV recommended most wanted, .pif, .exe,
> > .vbs, .scr, .shs, but this list is getting longer and longer :(
>
> For an idea, Eudora (eudora.com) has a somewhat comprehensive list of
> attachments that generate warnings when someone tries to open them.
> They keep this list updated and make it an updatable part of their mail
> client.
>
> This list would give someone a good start as to what to block for
> extensions.
Since this is a security list I'm going to repeat myself one last time.

It's a LOT better to have allow(list)->deny(*) than deny(list)->allow(*).

Ever notice how as the viruses keep coming they keep mutating the
extensions? A deny->allow will not work to stop those before it is too
late.

One should observe similar precautions when doing other such ACLs, take
for instance file permissions, would it make sense to list a file as:

  deny access to this file from web-dev group
  allow all others access.

or

  allow access to this file from eng and eng-mgmt
  deny from all others.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3
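The allow-versus-deny point above, as an added example that is not part of the original thread: both policies are applied to the filenames the thread mentions, using a constructed allowlist and an invented "mutated" suffix standing in for the next worm's extension.

```python
# Added example (not from the thread): the two attachment-extension policies
# Alfred Perlstein contrasts; extension sets and sample names are constructed.
import os

# Denylist: the "AV most wanted" extensions Anthony Kim names in the thread.
DENY_EXTENSIONS = {"pif", "exe", "vbs", "scr", "shs"}

# Allowlist: a constructed site policy covering the legitimate multi-suffix
# names from the thread (mtr.c.patch, ncurses.ru.uu, bill_me.c.diff,
# BSD.include.dist, .Z) plus a few plain document types.
ALLOW_EXTENSIONS = {"patch", "uu", "diff", "dist", "z", "txt", "gz", "tar", "c"}


def final_extension(filename: str) -> str:
    """Last suffix, lower-cased ('' if none). Only the last suffix decides:
    'mtr.c.patch' is a '.patch', so legitimate double-suffix names survive."""
    base = os.path.basename(filename.strip())
    _, ext = os.path.splitext(base)
    return ext[1:].lower()  # lower-case so 'WORM.PIF' is not a bypass


def deny_then_allow(filename: str) -> bool:
    """deny(list)->allow(*): anything not explicitly listed gets through."""
    return final_extension(filename) not in DENY_EXTENSIONS


def allow_then_deny(filename: str) -> bool:
    """allow(list)->deny(*): only explicitly listed extensions get through."""
    return final_extension(filename) in ALLOW_EXTENSIONS


def compare(filenames):
    """Map each name to (deny_then_allow, allow_then_deny) so the gap is visible."""
    return {f: (deny_then_allow(f), allow_then_deny(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed samples: the thread's legitimate names, a listed worm
    # extension, an upper-cased variant, and an invented "mutated" suffix
    # that no denylist has caught up with yet.
    samples = ["mtr.c.patch", "ncurses.ru.uu", "bill_me.c.diff",
               "BSD.include.dist", "kernel.tar.Z", "invoice.txt.pif",
               "INVOICE.TXT.PIF", "holiday.jpg.newworm"]
    for name, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{name:20s} deny->allow: {'pass' if deny_ok else 'BLOCK'}  "
              f"allow->deny: {'pass' if allow_ok else 'BLOCK'}")
```

The invented suffix passes the denylist and is stopped only by the allowlist, which is the gap the message describes; a name with no extension at all is likewise blocked by default under allow->deny.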