Jim Witte wrote:
> I would argue that if one wants to block EXE files - fine - but block
> them by looking for the base-64 encoded 'TVq' signature of EXE files
> (the 'MZ' signature when encoded). The current policy of blocking a
> great many different attachments, not only makes it more difficult for
> people who do want to send legitimate attachments (but not too much - I
> just remove the extension), if adopted on a large-scale (which I doubt
> it will be),
It's already implemented on a very large scale. .scr, .pif, etc. Many
of those have no business in email anyway.
Note also that while the TVq et al. signatures are _very_ useful, they
don't do the whole job. I.e.: zip'd .exe. TVq (and the two other
rotations of Base64'd "MZ") helps, but (a) you have to make the
signature a lot longer than "TVq", and (b) zip file name lengths can
push the (longer) signature over a Base64 line boundary, and filtering
abruptly becomes a lot harder.
Once you've decided to nuke .exes in all forms, about the only
problematic attachment type that most people would be blocking would be
wav files (because of Klez). It's the only attachment type we get FPs
on. I should research whether the magic string check is sufficient.
> such a "draconian" policy will push malware writers to
> move to other ways of sending their worms - Word macro viruses, Excel
> macro viruses, HTML with malware JS and Java code, or whatever (there's
> almost always another hole to exploit).
That's a little like telling everyone to take off their bullet-proof
vests because it'll just encourage poison gas.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg