That's a very good warning indeed! Perhaps blocking .doc files with a
zip-like file structure is in order? I can't think of a legitimate
reason to use the old extension on the new file format.
On 8/10/2016 9:28 AM, Larry Starr wrote:
On Tuesday, August 09, 2016 18:01:57 Rob McEwen wrote:
> On 8/9/2016 5:56 PM, Anthony Hoppe wrote:
> > Here are the headers as an example:
> > http://pastebin.com/bnU0npLR
> > This particular email has a macro-enabled Word document attached,
but I
> > don't want to assume this will be the case every time.
> > Any tips/tricks/suggestions would be greatly appreciated!
>
> I think there is a trend now... towards blocking ALL .docm files (if
> not, there should be!). I think it is EXTREMELY rare for normal human
> beings to send Word documents in that particularly dangerous format.
> Most would be send in .doc or .docx format.
>
> I'm not sure if there is already a SA rule for scoring against .docm
> files attachments? Perhaps someone else could help you with that.
Just a short warning, although word will not open a .docm that is
renamed to .docx, it will open a .docm renamed to .doc.
I found this the hard way!
It is necessary, if you wish to be safe from macro enabled documents
to verify that the file is what the attachment's extension claims to be.
--
Larry Starr
Software Engineer
Full Compass Systems
9770 Silicon Prairie Pkwy
Madison, WI 53593-8442
P: 608-831-7330 x1347
F: 608-831-6330
E: lar...@fullcompass.com
