[Mailman-Users] Are any attachments ok to allow on a listserv?

Stephen J. Turnbull stephen at xemacs.org
Tue Jan 18 04:42:38 CET 2011


Mark Sapiro writes:

 > >Other people think pdfs are ok (except some are too big for old machines to download).
 > >
 > >I also heard that a virus file could take on a fake extension, like .pdf, and fool people.
 > 
 > As far as fake extensions/MIME types are concerned, it is entirely
 > possible to put malware in a text/plain part with a .txt extension.
 > The question is what will the MUA or the file manager do with that
 > file when you try to open it. In other words, if the virus comes with
 > a faked benign extension, it is unlikely that the application that
 > opens the file will actually execute the viral code.

Unfortunately, this is false.  One of the reasons that Windows has a
bad security rep as a workstation OS is that firewalls would decide on
the basis of MIME Content-Type or file name extension that a file was
harmless, IE would decide it couldn't handle it internally and pass it
on to some other program, which would look not at the alleged file
type but at the file's magic, which indicates that it's executable
(either natively or via an interpreter), and then execute it.  Boom!
You're owned.

All known holes of this type have been closed, of course, but AFAIK
Windows still operates in the above way, so new holes could open at
any time as new programs are registered for various file types.  Once
those are discovered, the white hats will target them, so the
probability that some of your users will get caught by an unclosed
hole is pretty high.  This kind of feature is becoming more common in
Unix-like systems too.

 > I'm not saying one should be complacent.

Indeed.  Despite the above, I would advocate slight paranoia in most
cases, not total Fear and Loathing.

 > I would recommend not allowing anything but plain text and perhaps
 > a few carefully considered image and/or PDF types if the list's
 > purpose requires it on a list with open subscription. On the other
 > hand, if the list is closed and you know the members, you might be
 > safe with no content filtering at all.

Sounds good to me.
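The point Stephen makes above, that a filter keyed on the declared Content-Type or file extension can be fooled while the receiving program trusts the file's magic bytes, suggests the check a list administrator actually wants: compare what an attachment claims to be with what its first bytes say it is. The following script is an added example, not code from this thread or from Mailman; it assumes a small hand-built signature table (not exhaustive), a constructed sample message, and only the Python standard library.

```python
"""Flag e-mail attachments whose declared type disagrees with their magic bytes."""
import email
import os
from email import policy
from email.message import EmailMessage

# Leading-byte signatures for a handful of common formats (assumed, not exhaustive).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),              # DOS/Windows PE executable
    (b"\x7fELF", "elf"),         # Unix ELF executable
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),      # also docx/xlsx/jar containers
    (b"#!", "script"),           # shebang: interpreter script
]

# What a filename extension or a Content-Type header *claims* the content is.
EXT_TO_KIND = {".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
               ".zip": "zip", ".txt": "text", ".exe": "exe"}
MIME_TO_KIND = {"application/pdf": "pdf", "image/png": "png", "image/jpeg": "jpeg",
                "application/zip": "zip", "text/plain": "text"}

EXECUTABLE_KINDS = {"exe", "elf", "script"}


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring any declared type."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    # Fallback: bytes that are entirely printable ASCII (plus tab/CR/LF) look like text.
    sample = data[:512]
    if sample and all(b in b"\t\r\n" or 32 <= b < 127 for b in sample):
        return "text"
    return "unknown"


def check_attachment(filename, content_type, data):
    """Return a list of findings (empty means declared and actual type agree)."""
    findings = []
    actual = sniff(data)
    ext = os.path.splitext(filename or "")[1].lower()
    claimed_by_ext = EXT_TO_KIND.get(ext)
    claimed_by_mime = MIME_TO_KIND.get((content_type or "").lower())

    if actual in EXECUTABLE_KINDS:
        findings.append(f"executable content ({actual}) in {filename!r}")
    if claimed_by_ext and claimed_by_ext != actual:
        findings.append(f"extension {ext} claims {claimed_by_ext} but content is {actual}")
    if claimed_by_mime and claimed_by_mime != actual:
        findings.append(f"Content-Type {content_type} claims {claimed_by_mime} but content is {actual}")
    return findings


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename to its findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        results[name] = check_attachment(name, part.get_content_type(), data)
    return results


def build_sample() -> bytes:
    """Constructed sample message: one honest PDF, one PE file disguised as a PDF, one text file."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "list@example.invalid"
    msg["Subject"] = "constructed sample for the attachment check"
    msg.set_content("Message body.")
    msg.add_attachment(b"%PDF-1.4\n%fake minimal pdf\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,           # PE header bytes, no real program
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("Plain notes for the list.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, "->", findings or "ok")
```

The disguised file is caught on three counts (executable magic, extension mismatch, Content-Type mismatch) while the honest PDF and the text file pass. In a real list filter this check would run alongside, not instead of, the allow-list of content types Mark describes, because sniffing only catches the mismatches whose signatures you know.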

