Quickpost : pdf filtering email gateway

Back from this summer break, I am heading back at my notes to write new posts. This one will be small and will not contain code as it is only to share an idea I had: writing a PDF filtering email gateway.

This idea came up after reading two posts : nonop's one and fred 's one. In the first one, nonop bring the idea of filtering for malicious PDF on the email gateway in order to protect enterprise's end-users and the second one is dealing with PDF filtering using origami. So putting one and one together, I ended up with the idea of creating a filter for postfix, based on origami.

After a quick look in postfix's documentation about how to create a filtering extensions, I saw that they are simply smtp-proxies. As origami is coded in ruby and it is only a PoC, I choosed rmailfilter as a base for the proxy. Due to a lack of free time I didn't go beyond this point, but by looking at rmailfilter it shouldn't be difficult to implement.

My idea was to filter out (or tag) PDF files,

• containing javascript --> this should remove most of known vulnerabilities and future ones
  
• using unusual features
• containing shellcodes
  

It seems to be a good idea but their are some limitations:

• people are not going to install ruby on their email gateway ;)
• as stated in fred's post, scanning big files can be really long
• what if you missed an unusual tag ?
• what if some functionalities were required by the end-users?

This is the end of this quickpost. The next one should be dealing with firefox extensions.