Phil Pennock wrote:
> The system_filter tricky-regexp-based content-type filtering turns out
> to be useless, thanks to Microsoft. :^(
Note: This bug (?!) is nothing new - it's a known issue for several
months.
Read the (NT)BugTraq Archives, especially postings from Vess (Bontchev),
Nick Fitzgerald and Eric Chien :)
> Pick a random unused extension. ".FOO" perhaps. Rename MS Office
> document "wibble.doc" to "wibble.foo". Email it. Association mechanism
> doesn't have a mapping, but looks and sees that it's an MS Office
> document so starts Office anyway, and gives it the document.
Blocking for extensions does not make sense imho in case of office
documents or mp3 files. You can simply rename it (a .rtf may not be a
real RTF file, or even worse a real RTF file can contain a "binary"
object, i.e. a exe file or a word document!). Blocking for a file type
is a better approach, but interestingly on my system file -i
<starofficedocument> shows application/ms-word (or ms-office), you need
a recent file version for this (IIRC 3.28 / 3.30 or later).
Blocking for file names (i.e. i-love-you-whatever) has a drawback, too.
A worm can easily rename the file every time (worms with some kind of
polymorphism are nothing new).
You may read
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=11152
for some more details.
Just my 0.02 euro :)
best regards,
Rainer Link
--
Rainer Link | Member of Virus Help Munich (
www.vhm.haitec.de)
rainer@??? | Developer of A Mail Virus Scanner (amavis.org)
link@??? | Founder of Linux AntiVirus Project (lavp.sourceforge.net)
