On 7/3/2021 1:44 PM, Kenneth Porter wrote:
> On 7/2/2021 6:39 PM, Kevin A. McGrail wrote:
>> Anyone know if this is delivered via email? I'm trying to make sure I
>> block the payload if it is.
>
> I found a copy of the repo and see that it works by adding an evil
> printer driver to the remote server over an IP connection. So email is
> a vector if you allow executable attachments (including scripts).
>
> I use MIMEDefang (a "milter" run from the MTA during message
> acceptance) to block lots of extensions for all but a couple trusted
> recipients. I quarantine zip files, although MD can check inside those
> recursively for evil extensions. (MD also runs ClamAV and SpamAssassin
> and I have it set to reject mail with a score of 10 or more.)
Thank you to many who replied on and off list. I did NOT find a sample
of anything except the repo exploit, so hopefully it's not in the wild.
And Ken, I love MIMEDefang and use it as well. Appriver and Zix donated
it to the McGrail Foundation (mcgrail.com) and the svn version has some
fixes and is stable.
DFS is also working on MailMunge, which fixes a lot of the code design
she hates, bringing a more modern filter structure to the concept.
With MIMEDefang, we do block a lot of extensions and we've published our
filter to do it before. Under "Attachment Help" at
https://raptoremailsecurity.com/documentation you'll find the list and
the rationale. Very good, real-world experience filtering gazillions of
emails using this list.
Regards,
KAM
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
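As an added illustration of the attachment check discussed in this thread (blocking executable extensions and looking inside zip files recursively), here is a small stand-alone Python version. This is example code written for this page, not MIMEDefang's own filter code; the block list and the sample archive are constructed for the demonstration.

```python
import io
import zipfile

# Constructed block list in the spirit of the thread; the actual list the
# post points to lives in the linked Raptor "Attachment Help" documentation.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "pif", "com", "bat", "cmd", "js",
                      "jse", "vbs", "vbe", "wsf", "wsh", "hta", "msi", "lnk"}
MAX_ZIP_DEPTH = 3  # how many nested archives we are willing to open

def is_blocked_name(filename):
    """True if the final extension is on the block list (case-insensitive),
    so 'Driver.EXE' and the double extension 'invoice.pdf.exe' both match."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def blocked_members(zip_bytes, depth=1):
    """Names of blocked files in a zip, descending into nested zips (reported
    as 'outer.zip/inner.exe'). An archive nested beyond MAX_ZIP_DEPTH is
    itself reported as a hit, so the message is quarantined, not passed."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if is_blocked_name(name):
                found.append(name)
            elif name.lower().endswith(".zip"):
                if depth >= MAX_ZIP_DEPTH:
                    found.append(name + " (nested too deep)")
                else:
                    inner = blocked_members(zf.read(name), depth + 1)
                    found.extend(f"{name}/{n}" for n in inner)
    return found

def build_sample():
    """Constructed sample: a benign PDF beside a nested zip carrying a
    double-extension file. Contents are placeholder bytes, not real code."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("invoice.pdf.EXE", b"placeholder bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

Running `blocked_members(build_sample())` reports the nested double-extension file, which is the case a flat extension check on the outer zip alone would miss.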