| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060106194340.GA12344@melpomene.jschipper.dynalias.net> Date: Fri Jan 6 19:44:00 2006 From: j.schipper at math.uu.nl (Joachim Schipper) Subject: WMFs blocked with MIME On Thu, Jan 05, 2006 at 01:35:36PM -0000, lsi wrote: > Preliminary testing reveals that emails containing WMF files can be > blocked by filtering for the MIME-encoded WMF header. This approach > works even if the file is called WORD.DOC. The string to check for > is: > > 183GmgAA > > These 8 bytes appear as the first 8 bytes of a MIME-encoded WMF. > Thus, blocking all emails with those bytes in will block all emails > containing WMFs. > > This technique can be used with common spam filters. > > Regarding web-based WMFs, of the three browsers on this system, only > IE knows what to do with WMFs. Fortunately, I don't use IE. This > is, however, one more reason I can use to convince my customers to > dump it. That depends entirely on what 'MIME encoding' is. Base64? UUencode? BinHex? Quoted-printable? This is not to say that it is a bad point, and it can be useful as a simplistic filter. But it is not more than that - even if you manage to find patterns for all the above, there are numerous compression methods that can be used. Joachim
Powered by blists - more mailing lists