From owner-freebsd-security Tue Dec 4 20:37:04 2001
Delivered-To: freebsd-security@freebsd.org
Received: from c007.snv.cp.net (c007-h013.c007.snv.cp.net [209.228.33.220]) by hub.freebsd.org (Postfix) with SMTP id C061037B416; Tue, 4 Dec 2001 20:36:59 -0800 (PST)
Received: (cpmta 23520 invoked from network); 4 Dec 2001 20:36:58 -0800
Received: from 64.195.103.89 (HELO boethius.telocity.com) by smtp.telocity.com (209.228.33.220) with SMTP; 4 Dec 2001 20:36:58 -0800
X-Sent: 5 Dec 2001 04:36:58 GMT
Received: by boethius.telocity.com (Postfix, from userid 1000) id 4726122CE; Tue, 4 Dec 2001 22:36:58 -0600 (CST)
Date: Tue, 4 Dec 2001 22:36:58 -0600
From: Anthony Kim
To: Alfred Perlstein
Cc: Landon Stewart, freebsd-security@freebsd.org
Subject: Re: block double suffix attachments? Re: Mail list is posting gone virus!!!!
Message-ID: <20011205043658.GA33571@boethius.telocity.com>
Mail-Followup-To: Alfred Perlstein, Landon Stewart, freebsd-security@freebsd.org
References: <01d701c17d10$a8b334b0$0001300a@lhtech.lhtek.com> <4.3.2.7.2.20011204172959.04d112e0@localhost> <5.1.0.14.2.20011204193019.05f01c18@mail.Go2France.com> <20011204194431.E92148@elvis.mu.org> <20011205021654.GA31554@boethius.telocity.com> <3C0D8959.5080500@uniserve.com> <20011204214810.G92148@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011204214810.G92148@elvis.mu.org>
User-Agent: Mutt/1.3.23.2i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 04, 2001, Alfred Perlstein wrote:
> * Landon Stewart [011204 20:41] wrote:
> >
> > For an idea, Eudora (eudora.com) has a somewhat comprehensive
> > list of attachments that generate warnings when someone tries
> > to open them. They keep this list updated and make it an
> > updatable part of their mail client.
> >
> > This list would give someone a good start as to what to block
> > for extensions.
>
> Since this is a security list I'm going to repeat myself one
> last time.

Take a deep breath, Alfred.

> It's a LOT better to have allow(list)->deny(*) than
> deny(list)->allow(*). Ever notice how as the viruses keep
> coming they keep mutating the extensions? A deny->allow will
> not work to stop those before it is too late. One should
> observe similar precautions when doing other such ACLs. Take,
> for instance, file permissions: would it make sense to list a
> file as:
>
> deny access to this file from web-dev group, allow all others
> access.
>
> or allow access to this file from eng and eng-mgmt, deny from
> all others.

Alfred is correct, of course. In most contexts, this is a sound policy. I believe Landon and I crossed contexts, however, in implying that in business, the dropping of all attachments is typically found to be unacceptable; therefore one hopes to perform due diligence with the next best thing. For my company and companies like mine, deny(list)->allow(*) for mail is an acceptable risk. Surely, I should have made the contextual distinction clearer.

So let's end this off-topic discussion.

--
"Le motd juste."

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
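The thread's two points, that an allow(list)->deny(*) policy holds up against newly mutated extensions while deny(list)->allow(*) does not, and that a "double suffix" name such as invoice.txt.exe must be caught by looking at every suffix rather than only the last one, can be shown side by side with a small attachment-name checker. The code below is an added example written for this page; it is not from the mailing-list thread or from any mail client or filter the thread mentions. The allowlist, the denylist and the sample attachment names are all constructed for the demonstration, and the denylist deliberately lacks .wsf to play the role of an extension that appeared after the list was written.

```python
"""Attachment-name policy check: default-deny allowlist vs. default-allow denylist.

Added example for illustration; not code from the freebsd-security thread.
The extension lists and sample filenames below are constructed, not from
any real product.
"""
from __future__ import annotations

# Constructed lists. A real deployment would tune both; the point is the
# default each one falls back to when a suffix is on neither list.
ALLOWED_EXTENSIONS = frozenset({"txt", "pdf", "png", "jpg", "csv"})
DENIED_EXTENSIONS = frozenset({"exe", "vbs", "scr", "bat", "com", "pif"})


def all_suffixes(filename: str) -> list[str]:
    """Return every dot-separated suffix, lowercased: 'a.DOC.exe' -> ['doc', 'exe'].

    Examining every suffix, not just the last, is what makes a double-suffix
    name like 'invoice.txt.exe' visible to either policy. Path components,
    surrounding whitespace, a leading dot (".bashrc") and a trailing dot are
    normalised away so they cannot be used to sidestep the check.
    """
    name = filename.rsplit("/", 1)[-1].strip().lower().lstrip(".")
    parts = name.split(".")
    if len(parts) < 2:
        return []
    return [p for p in parts[1:] if p]


def denylist_decision(filename: str) -> bool:
    """deny(list)->allow(*): block only when some suffix is on the denylist.

    Anything the list does not know about, including a brand-new extension,
    is allowed by default.
    """
    return not any(s in DENIED_EXTENSIONS for s in all_suffixes(filename))


def allowlist_decision(filename: str) -> bool:
    """allow(list)->deny(*): pass only when there is at least one suffix and
    every suffix is on the allowlist.

    A name with no suffix, an unknown suffix, or a known-good suffix followed
    by an unknown one ('report.pdf.exe') is blocked by default.
    """
    suffixes = all_suffixes(filename)
    return bool(suffixes) and all(s in ALLOWED_EXTENSIONS for s in suffixes)


def compare(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each filename to (denylist_allows, allowlist_allows)."""
    return {f: (denylist_decision(f), allowlist_decision(f)) for f in filenames}


# Constructed sample attachment names: ordinary documents, a double suffix,
# a "mutated" extension (.wsf) absent from the denylist, and a bare name.
SAMPLE_ATTACHMENTS = [
    "quarterly.pdf",
    "photo.jpg",
    "invoice.txt.exe",
    "greetings.wsf",
    "README",
]

if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare(SAMPLE_ATTACHMENTS).items():
        verdict = lambda ok: "pass" if ok else "BLOCK"  # noqa: E731
        print(f"{name:18s} denylist->{verdict(deny_ok):5s} allowlist->{verdict(allow_ok)}")
```

Running it prints one line per sample name; the row for greetings.wsf is the one Alfred's argument turns on: the denylist passes it because nobody has added .wsf yet, while the allowlist blocks it without any update. The every-suffix rule in allowlist_decision is a deliberate choice: it also rejects archive.tar.gz unless both tar and gz are listed, which is the usual price of a default-deny policy and the trade-off Anthony describes businesses refusing to pay.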