[Mailman-Users] Content Filtering Scrubs PDF Attachment

Brad Knowles brad at shub-internet.org
Sat Jul 21 05:44:05 CEST 2007


On 7/20/07, Fitzpatrick, Ted wrote:

>  Thanks, Mark. The MUA is including "application/octet-stream" as the
>  mime type.

Gack.

>              I didn't include this as passable because I wanted to strip
>  ".exe" files from messages.

Perfectly reasonable.

>                               It looks like if I want to enable
>  subscribers to attach PDF files, it will at the same time enable them to
>  attach EXE files.

Not necessarily.  You could allow application/octet-stream as an 
allowed MIME type, while allowing only certain file extension types. 
However, this does widen the hole for attackers to try to get through.

>                     From the security perspective, do most Mailman admins
>  let EXE files pass?

It depends greatly on the particular list and the site.  Most of the 
sites/lists I help administer (including python.org, where the 
mailman-users list is hosted) will explicitly reject EXE and all the 
other known major executable file extensions, as well as blocking 
application/octet-stream, and only allow through certain MIME types 
that are considered to be reasonably safe.

However, do keep in mind that spammers have recently latched onto the 
fact that most people do seem to let *.PDF files through, although 
I'm not sure what MIME type these messages are being tagged with.  If 
you allow application/octet-stream and *.PDF through your lists, this 
may also open a much wider hole for spammers to go after.

-- 
Brad Knowles <brad at shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
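
An added example (not part of the original post and not Mailman's own code) of the policy discussed above: application/octet-stream is accepted only when the attachment's filename extension is on an allow-list. It goes one step beyond the post by also checking that the decoded content starts with the bytes expected for that extension, so an executable renamed to .pdf is still dropped. The policy values, function names and sample message are all assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumed policy values for illustration, not taken from any real list's configuration.
PASS_MIME_TYPES = {"text/plain", "application/pdf", "application/octet-stream"}
PASS_EXTENSIONS = {"pdf"}
MAGIC = {"pdf": b"%PDF-"}   # leading bytes expected for each allowed extension


def check_part(part):
    """Return (keep, reason) for one leaf MIME part."""
    ctype = part.get_content_type()
    if ctype not in PASS_MIME_TYPES:
        return False, "type %s not allowed" % ctype
    name = part.get_filename()
    if name is None:
        # Unnamed generic binary data cannot be matched to an extension: drop it.
        if ctype == "application/octet-stream":
            return False, "octet-stream without filename"
        return True, "ok"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in PASS_EXTENSIONS:
        return False, "extension .%s not allowed" % ext
    payload = part.get_payload(decode=True) or b""
    if not payload.startswith(MAGIC[ext]):
        return False, "content does not match .%s" % ext
    return True, "ok"


def filter_message(msg):
    """Map each leaf part's filename (or content type) to its verdict."""
    verdicts = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        verdicts[part.get_filename() or part.get_content_type()] = check_part(part)
    return verdicts


def sample_message():
    """Constructed test message: a PDF, an EXE, and an EXE renamed to .pdf."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, data in [("report.pdf", b"%PDF-1.4\n%%EOF\n"),
                       ("setup.exe", b"MZ\x90\x00"),
                       ("invoice.pdf", b"MZ\x90\x00")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Calling `filter_message(sample_message())` keeps `report.pdf` and the text body and rejects the other two attachments with a reason string for each.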

