
Re: [Asrg] [RENAMED] Dangerous Attachments from Email Path Verification (has hcash benchmarks)

2003-09-15 15:30:40
"Sauer, Damon" <Damon(_dot_)Sauer(_at_)bellsouth(_dot_)com> wrote:
> Our mail systems do not allow 36 directly executable attachment types and
> it has not hindered our business one flea speck. We have not been infected
> by a single email virus since Melissa that can be traced back through our
> email gateways.

  i.e. It's really not that hard to figure out.

> The magic words that were used were "directly executable", to me meaning
> that there is no user action that has to take place for the code to be
> executed.

  RFC 2183, Section 5 "Security Considerations"

   ...
   In general, the receiving MUA should not name or place the file
   such that it will get interpreted or executed without the user
   explicitly initiating the action.
   ...


  August, 1997.  They were warned.  They still did it wrong.

> We therefore do not allow any directly executable code without it being
> zipped, gzipped, tarred, stuffed, extension renamed, or any other action that
> will "safe" it and not allow it to run unopposed.

  All of these are hacks to get around broken MUAs, which have
explicitly chosen to ignore the "Security Considerations" sections of
the relevant RFCs.

  I'm expecting that any new method of fighting problems related to
email will have similar horrid implementations, which will make the
problem worse.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
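The gateway policy described in the message above (reject directly executable attachment types unless they are wrapped or renamed to "safe" them), combined with the RFC 2183 advice that a receiving agent must not trust the filename parameter, as an added example in Python. This is not code from the original post or from any product mentioned there. The extension blocklist is an assumption for illustration (the post says 36 types but lists none), and the sample message is constructed inline.

```python
import email
import ntpath
import posixpath
from email import policy
from email.message import EmailMessage

# Assumed blocklist of "directly executable" extensions. Hypothetical: the original
# post mentions 36 blocked types but does not enumerate them.
DIRECTLY_EXECUTABLE = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}


def safe_basename(name):
    """Reduce a claimed attachment filename to a bare basename.

    RFC 2183 section 2.3 says the suggested filename must not be used blindly;
    in particular path components must be discarded so the file cannot be
    placed into a startup folder or over an existing file."""
    # Strip both Unix and Windows directory separators, in that order, so that
    # "a/b\\c" and "a\\b/c" both collapse to the last component.
    name = ntpath.basename(posixpath.basename(name))
    # Windows ignores trailing dots and spaces when resolving a name, so
    # "run.scr " would still be executed as run.scr.
    name = name.strip(" .")
    return name or "unnamed"


def attachment_extension(name):
    """Final extension of the sanitized basename, lowercase ('' if none).

    Only the last extension matters to the OS loader, so the common
    double-extension trick ("invoice.pdf.exe") resolves to "exe"."""
    base = safe_basename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_directly_executable(name):
    return attachment_extension(name) in DIRECTLY_EXECUTABLE


def neutralize_name(name):
    """'Safe' an executable the way the quoted policy does: rename it so the
    MUA hands it to a text viewer instead of the OS loader."""
    base = safe_basename(name)
    return base + ".txt" if is_directly_executable(base) else base


def scan_message(raw):
    """Return (verdict, findings) for a raw RFC 2822 message.

    get_filename() already consults both Content-Disposition filename and the
    Content-Type name parameter, and decodes RFC 2231 encoded values."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        claimed = part.get_filename() or ""
        findings.append({
            "claimed": claimed,
            "stored_as": neutralize_name(claimed),
            "executable": is_directly_executable(claimed),
            "content_type": part.get_content_type(),
        })
    verdict = "quarantine" if any(f["executable"] for f in findings) else "deliver"
    return verdict, findings


def build_sample():
    """Constructed sample message (not from the original post)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached invoice.\n")
    # Double extension: looks like a PDF in a naive listing, runs as an EXE.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Harmless text attachment, should pass untouched.
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    # Path traversal in the filename parameter, aimed at a startup folder.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="../Startup/run.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, findings = scan_message(build_sample())
    print(verdict)
    for f in findings:
        print(f)
```

The check deliberately keys on the final extension of the sanitized basename rather than on the declared Content-Type, because the MUAs the message complains about decide what to execute from the name they write to disk, not from the MIME type the sender claimed.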
