
Many people say that the best thing is not to allow attachments at all on a listserv.
Other people think pdfs are ok (except some are too big for old machines to download).
I also heard that a virus file could take on a fake extension, like .pdf, and fool people.
What do Users think about this?
Thanks!

Ruth Indeck wrote:
> Many people say that the best thing is not to allow attachments at all on a listserv.
Please see the FAQ at <http://wiki.list.org/display/DOC/Mailman+is+not+Listserv>.
> Other people think pdfs are ok (except some are too big for old machines to download).
> I also heard that a virus file could take on a fake extension, like .pdf, and fool people.
I have heard that there were vulnerabilities in some PDF readers that could be exploited with malicious PDFs, but I don't know how big a risk this is.
As far as fake extensions/MIME types are concerned, it is entirely possible to put malware in a text/plain part with a .txt extension. The question is what will the MUA or the file manager do with that file when you try to open it. In other words, if the virus comes with a faked benign extension, it is unlikely that the application that opens the file will actually execute the viral code.
I'm not saying one should be complacent. I would recommend not allowing anything but plain text and perhaps a few carefully considered image and/or PDF types if the list's purpose requires it on a list with open subscription. On the other hand, if the list is closed and you know the members, you might be safe with no content filtering at all.
Others may have additional or conflicting opinions.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Mark Sapiro writes:
>> Other people think pdfs are ok (except some are too big for old machines to download).
>> I also heard that a virus file could take on a fake extension, like .pdf, and fool people.
> As far as fake extensions/MIME types are concerned, it is entirely possible to put malware in a text/plain part with a .txt extension. The question is what will the MUA or the file manager do with that file when you try to open it. In other words, if the virus comes with a faked benign extension, it is unlikely that the application that opens the file will actually execute the viral code.
Unfortunately, this is false. One of the reasons that Windows has a bad security rep as a workstation OS is that firewalls would decide on the basis of MIME Content-Type or file name extension that a file was harmless, IE would decide it couldn't handle it internally and pass it on to some other program, which would look not at the alleged file type but at the file's magic, which indicates that it's executable (either natively or via an interpreter), and then execute it. Boom! you're owned.
All known holes of this type have been closed, of course, but AFAIK Windows still operates in the above way, so new holes could open at any time as new programs are registered for various file types. Once those are discovered, the white hats will target them, so the probability that some of your users will get caught by an unclosed hole is pretty high. This kind of feature is becoming more common in Unix-like systems too.
> I'm not saying one should be complacent.
Indeed. Despite the above, I would advocate slight paranoia in most cases, not total Fear and Loathing.
> I would recommend not allowing anything but plain text and perhaps a few carefully considered image and/or PDF types if the list's purpose requires it on a list with open subscription. On the other hand, if the list is closed and you know the members, you might be safe with no content filtering at all.
Sounds good to me.
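The point made above, that neither the file name extension nor the declared Content-Type says anything reliable about what a file actually is, is exactly why a list-side content filter should look at the bytes rather than the label. The following script is an added example and is not Mailman code or anything posted in this thread; it parses a constructed message with the standard library, sniffs each attachment's leading bytes against a small table of well-known magic values (a stand-in for libmagic, which a real deployment would use), and rejects anything that is executable or whose content does not match what the sender declared. The message contents, file names and the magic table are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic-byte signatures: (file prefix, type the bytes actually indicate).
# Constructed for this example; a production filter would use libmagic.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),          # DOS/Windows PE executable
    (b"\x7fELF", "application/x-executable"),  # ELF binary
    (b"#!", "text/x-script"),                  # interpreter script
]

# Anything sniffed as one of these is refused regardless of its label.
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-executable", "text/x-script"}


def sniff(data: bytes) -> str:
    """Return the type indicated by the file's leading bytes, or octet-stream if unknown."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def vet_attachments(raw: bytes):
    """Parse a raw RFC 5322 message and return (filename, declared, sniffed, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        sniffed = sniff(data)
        name = part.get_filename() or "(unnamed)"
        if sniffed in EXECUTABLE_TYPES:
            verdict = "reject: executable content"
        elif sniffed != declared:
            # Label and bytes disagree; the label is what the sender chose, so trust the bytes.
            verdict = "reject: declared type does not match content"
        else:
            verdict = "accept"
        results.append((name, declared, sniffed, verdict))
    return results


def build_sample() -> bytes:
    """Constructed sample: one genuine (minimal) PDF and one '.pdf' that is really a PE file."""
    msg = EmailMessage()
    msg["From"] = "poster@example.org"
    msg["To"] = "list@example.org"
    msg["Subject"] = "two attachments"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n% minimal constructed pdf body\n",
                       maintype="application", subtype="pdf", filename="minutes.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, declared, sniffed, verdict in vet_attachments(build_sample()):
        print(f"{name}: declared={declared} sniffed={sniffed} -> {verdict}")
```

Run as-is it reports minutes.pdf as accepted and report.pdf as rejected for executable content. The same check plugs in wherever a list hands a message to its content filter; the design choice worth noting is that the verdict never consults the extension at all, which is what makes a faked `.pdf` or `.txt` name irrelevant.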

-----Original Message-----
From: mailman-users-bounces+s.watkins=nhm.ac.uk@python.org [mailto:mailman-users-bounces+s.watkins=nhm.ac.uk@python.org] On Behalf Of Ruth Indeck
Sent: Monday, January 17, 2011 3:52 PM
To: Mailman Users
Subject: [Mailman-Users] Are any attachments ok to allow on a listserv?
> Many people say that the best thing is not to allow attachments at all on a listserv.
So you get a list with.. let's say 100 users on. Sounds reasonable, right? One of those users just 'has to share' a 'great PDF' that they found on the environmental effects of mining cheese off the north face of Donald Duck and so posts it to the list.
Let's say that the PDF is a "reasonable size" of.. 3 megs?
3 megs in.. times 100 (subscribers) = 300 megs out. OK, if you've got a fast line but it may slow things down a little if you haven't.
Now, let's say that one of the receivers of the original email decides to reply to that email. Users being the general bundles of light and joy that they are known to be don't necessarily think to strip off any attachments when they forward.. Oh.. and let's go full-on Armageddon-scenario and say that this particular user also ADDS their own pdf file (again 3mb) as a response.
Now you've got an email with two 3meg files coming into your list.. for distribution to 100 users.
Boom! There goes the neighbourhood! :)
OK.. Maybe a bit over the top "doomsday scenario" but it is still reasonably possible.
Now imagine being the poor sap on the end of a slow line trying to get their email and having to wait while you clean out their mailbox with the original email (3mb) and the reply (6mb)... *yawn* this email's taking forever!
I'd personally disallow any attachments unless it was specifically stated in the list's description that they were "allowed and to be expected". If the list users must share files/content then they can always just put in their email a URL pointing to the resource. That way you also reduce the chance/risk of a virus/piece of malware sneaking in as the end user's web-browser should (hopefully) do some form of content-vetting/virus-scanning/BL checking beforehand.
Of course, YMMV.
Steff

FWIW, all the lists I operate have a 40-100kb message size limit. The list join message tells the users about this and that I will silently drop their large msgs if they send too many of them (and I/we don't accept anything more than about 300-400kb, anyway).
I've also used a reject message that explains the concept of cut-from-msword, paste-into-text, and that the info is usually more important than the pretty format.
z!
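Two of the replies above amount to a concrete list configuration: strip everything but plain text and a few vetted image/PDF types, and cap message size somewhere around 40-100kb. Below is an added example (not from this thread, and not a dump from any real list) of what that looks like as Mailman 2.1 list settings, written in the form `bin/config_list` reads and writes as I understand it. The setting names are Mailman's own; the list name, the exact types passed and the size cap are assumptions chosen to match the advice given here. The permissive settings are shown commented out beside the restrictive ones for contrast.

```python
# Constructed example of Mailman 2.1 list settings (config_list format).
# Applied with:  bin/config_list -i attachments.cfg example-list
# The list name "example-list" and the specific values are assumptions.

# --- Permissive (every attachment a poster sends goes to every subscriber) ---
# filter_content = 0
# max_message_size = 0        # KB; 0 means no limit

# --- Restrictive, along the lines recommended in the thread ---

# Turn content filtering on at all.
filter_content = 1

# Keep only the plain-text alternative when a poster sends text+HTML,
# and convert any remaining HTML to text.
collapse_alternatives = 1
convert_html_to_plaintext = 1

# No explicit deny list of types is needed when a pass list is used:
# anything not on pass_mime_types is removed.
filter_mime_types = """"""

# Container types must be passed or the message structure itself is dropped;
# then plain text plus the few attachment types the list's purpose requires.
pass_mime_types = """multipart/mixed
multipart/alternative
multipart/signed
text/plain
image/png
image/jpeg
application/pdf"""

# Extension lists are a second, weaker line of defence (the extension is
# whatever the sender named the file); keep the usual executable names listed.
filter_filename_extensions = """exe
bat
cmd
com
pif
scr
vbs
cpl"""
pass_filename_extensions = """"""

# What to do with a post that has nothing left after filtering:
# 0 = discard, 1 = reject (bounce to sender), 2 = forward to list owner, 3 = preserve.
filter_action = 1

# Hold anything larger than this (in KB) for the moderator.
max_message_size = 100
```

The value worth double-checking on a real list is `pass_mime_types`: leaving out the `multipart/*` container types is the classic mistake that silently strips every message down to nothing, which is why `filter_action` is set to reject rather than discard, so the poster at least learns what happened.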
participants (5)
- Carl Zwanzig
- Mark Sapiro
- Ruth Indeck
- Steff Watkins
- Stephen J. Turnbull