2009-09-02

Quickpost: PDF filtering email gateway

Back from the summer break, I am going back through my notes to write new posts. This one will be short and will not contain code, as it is only meant to share an idea I had: writing a PDF filtering email gateway.

This idea came up after reading two posts: nonop's and fred's. In the first one, nonop brings up the idea of filtering malicious PDFs on the email gateway in order to protect an enterprise's end users, and the second one deals with PDF filtering using origami. So, putting two and two together, I ended up with the idea of creating a filter for postfix based on origami.

After a quick look at postfix's documentation on how to create a filtering extension, I saw that they are simply SMTP proxies. As origami is written in Ruby and this is only a PoC, I chose rmailfilter as the base for the proxy. Due to a lack of free time I didn't go beyond this point, but judging by rmailfilter it shouldn't be difficult to implement.

My idea was to filter out (or tag) PDF files:
  • containing JavaScript: this should cover most known vulnerabilities and future ones
  • using unusual features
  • containing shellcode
It seems to be a good idea, but there are some limitations:
  • people are not going to install Ruby on their email gateway ;)
  • as stated in fred's post, scanning big files can take really long
  • what if you missed an unusual tag?
  • what if some of those features are required by the end users?
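As an added illustration of the "tag PDFs containing JavaScript" criterion and of the "missed an unusual tag" limitation (example code written for this post, not taken from origami or rmailfilter): a minimal Ruby tagger that scans a PDF's raw bytes for watched name tokens, decoding PDF `#xx` name escapes so a trivially obfuscated name is still caught. The sample PDFs, the watched-name list and the `X-PDF-Filter` header are constructed assumptions.

```ruby
# Added example: tag a PDF by the name tokens present in its raw bytes.
# Caveat matching the post's "missed an unusual tag" point: names inside
# compressed object streams are invisible to a raw byte scan; a real filter
# must inflate the streams first, which is what origami does.

WATCHED_NAMES = %w[JavaScript JS OpenAction AA Launch RichMedia EmbeddedFile].freeze

# Decode a PDF name body: each "#xx" hex escape becomes the byte it encodes.
def decode_pdf_name(raw)
  raw.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Return the sorted, de-duplicated watched names found in the PDF bytes.
def suspicious_pdf_names(pdf_bytes)
  # A PDF name is '/' followed by regular characters (no whitespace/delimiters).
  names = pdf_bytes.b.scan(/\/([^\s\/\[\]<>(){}%]+)/).flatten
  names.map { |n| decode_pdf_name(n) }.select { |n| WATCHED_NAMES.include?(n) }.uniq.sort
end

# Produce the header a gateway would add to a tagged message, or nil if clean.
def tag_pdf(pdf_bytes)
  hits = suspicious_pdf_names(pdf_bytes)
  hits.empty? ? nil : "X-PDF-Filter: tagged (#{hits.join(', ')})"
end

# Constructed sample: a tiny PDF whose catalog fires a JavaScript action on open,
# with the action type name partially hex-escaped as a naive evasion attempt.
SAMPLE_PDF = <<~PDF
  %PDF-1.4
  1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
  2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
  3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
  trailer << /Root 1 0 R >>
  %%EOF
PDF

# Constructed sample: the same skeleton with no action at all.
CLEAN_PDF = <<~PDF
  %PDF-1.4
  1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
  2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
  trailer << /Root 1 0 R >>
  %%EOF
PDF

puts tag_pdf(SAMPLE_PDF) || "clean"
puts tag_pdf(CLEAN_PDF) || "clean"
```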
This is the end of this quickpost. The next one should deal with Firefox extensions.
