This idea came up after reading two posts: nonop's and fred's. In the first, nonop brings up the idea of filtering malicious PDFs on the email gateway in order to protect an enterprise's end-users; the second deals with PDF filtering using origami. Putting one and one together, I ended up with the idea of creating a filter for postfix, based on origami.
After a quick look at postfix's documentation on how to create filtering extensions, I saw that they are simply SMTP proxies. As origami is written in Ruby and this is only a PoC, I chose rmailfilter as a base for the proxy. Due to a lack of free time I didn't go beyond this point, but looking at rmailfilter, it shouldn't be difficult to implement.
My idea was to filter out (or tag) PDF files:
- containing JavaScript --> this should catch most known vulnerabilities, and future ones
- using unusual features
- containing shellcode
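To show what the decision logic of such a filter looks like, here is an added example in plain Ruby (stdlib only, so it runs without the origami gem). It is not code from the post, from origami or from rmailfilter; a real filter would hand the attachment to origami's parser instead of the regex-level triage used here. It implements the three criteria above on raw PDF bytes: a table of names to tag on (JavaScript, auto-run actions, launch, embedded files and similar unusual features), undoing of the `#xx` name escapes and inflation of FlateDecode streams so obfuscated or compressed objects are still seen, and two crude shellcode indicators (a NOP sled, or a long `%uXXXX` string of the kind heap sprays pass to `unescape()`). All function names, the tag table and the thresholds are assumptions for illustration, and the sample PDFs are constructed inline, not real malware.

```ruby
require 'zlib'

# Added example (not origami, not rmailfilter): a stdlib-only triage routine
# of the kind a postfix content filter would call on each PDF attachment.
# Function names, the tag table and the thresholds are assumptions.

# PDF names whose presence produces a tag. "Unusual features" in the post's
# sense are the non-JavaScript entries; extend the table as needed.
SUSPICIOUS_NAMES = {
  '/JavaScript'   => :javascript,
  '/JS'           => :javascript,
  '/OpenAction'   => :auto_action,   # action fired when the document opens
  '/AA'           => :auto_action,   # "additional actions" (page open, etc.)
  '/Launch'       => :launch,        # action that starts an external program
  '/EmbeddedFile' => :embedded_file,
  '/RichMedia'    => :rich_media,    # Flash content
  '/XFA'          => :xfa            # XML forms, another scripting surface
}.freeze

# PDF names may carry #xx hex escapes (/Java#53cript). Undo them on a binary
# copy of the buffer so an obfuscated name still matches the table above.
def normalise_names(data)
  data.b.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Inflate every stream that zlib accepts, so keywords hidden inside
# compressed object streams become visible; other streams are skipped.
# A streaming Inflate is used so a stream cut one byte short by the EOL
# handling still yields its decompressed bytes instead of raising.
def inflate_streams(data)
  data.b.scan(/stream\r?\n(.*?)\r?\nendstream/m).flatten.map do |body|
    begin
      Zlib::Inflate.new.inflate(body)
    rescue Zlib::Error
      nil
    end
  end.compact
end

NOP_SLED = 0x90.chr * 32          # run of x86 NOPs
HEAP_SPRAY_MIN_UNITS = 64         # %uXXXX units in one unescape() blob (assumed)

# Crude shellcode indicators: a NOP sled, or a long %uXXXX string of the kind
# JavaScript heap sprays feed to unescape().
def shellcode_like?(text)
  text.b.include?(NOP_SLED) ||
    text.scan(/%u[0-9A-Fa-f]{4}/).size >= HEAP_SPRAY_MIN_UNITS
end

# Tags for one PDF (raw bytes). An empty array means "let it through";
# anything else is what the filter would tag or reject on.
def scan_pdf(data)
  views = [normalise_names(data)] +
          inflate_streams(data).map { |s| normalise_names(s) }
  tags = views.flat_map { |text|
    found = SUSPICIOUS_NAMES.select { |name, _|
      text.match?(/#{Regexp.escape(name)}(?![A-Za-z0-9])/)
    }.values
    found << :shellcode_like if shellcode_like?(text)
    found
  }
  tags.uniq.sort
end

# Constructed sample (not real malware): a one-page PDF, optionally with an
# /OpenAction pointing at a JavaScript action stored in a compressed object
# stream under an escaped name, carrying a heap-spray style string.
def build_sample_pdf(malicious)
  catalog = '1 0 obj << /Type /Catalog /Pages 2 0 R'
  extra   = ''.b
  if malicious
    js   = "var sc = unescape(\"#{'%u9090' * HEAP_SPRAY_MIN_UNITS}\");"
    body = Zlib::Deflate.deflate("4 0 << /S /Java#53cript /JS (#{js}) >>")
    catalog += ' /OpenAction 4 0 R'
    extra = "5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode " \
            "/Length #{body.bytesize} >>\nstream\n".b + body +
            "\nendstream\nendobj\n".b
  end
  "%PDF-1.5\n".b +
    "#{catalog} >> endobj\n".b +
    "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n".b +
    "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n".b +
    extra +
    "trailer << /Root 1 0 R >>\n%%EOF\n".b
end

if __FILE__ == $PROGRAM_NAME
  p scan_pdf(build_sample_pdf(false))   # []
  p scan_pdf(build_sample_pdf(true))    # [:auto_action, :javascript, :shellcode_like]
end
```

In the proxy, `scan_pdf` would run on each decoded PDF attachment and its result would decide between passing the message, adding a header such as a tag, or rejecting it. Note what the table-driven approach implies: a name the table does not list is never seen, and a stream with a filter other than FlateDecode is not inflated, so both the tag table and the stream decoding have to be kept complete for the filter to hold up.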
The downsides:
- people are not going to install Ruby on their email gateway ;)
- as stated in fred's post, scanning big files can take a really long time
- what if you missed an unusual tag?
- what if some of those features are required by the end-users?