MIME Banned File WTF



  • Okay, so at my day job I am working on consolidating some servers and because of this I am required to request new IP addresses for a box from our hosting provider. Part of the requisite for getting these IP addresses is that I need to prove that they are for a valid purpose; in my case, for hosting SSL versions of the respective websites. As such, I was asked to attach the public certificate file in e-mail, which I did - as a .txt file with no special encoding. The following is the response that my Google Apps domain received from this provider:

    Technical details of permanent failure: 
    Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting
    the other email provider for further information about the cause of this error.  The error that the other server 
    returned was: 550 550 5.7.0 mime_banned_file - File attachment is not allowed because they are dangerous 
    to send via email. You may zip the file and  resend it. List of banned files: 
    http://office.microsoft.com/en-us/outlook/HA012299521033.aspx (state 18).

    WTF #1: Banning .txt files that have no special encoding - i.e., it's not an executable that was renamed,

    WTF #2: Offering an alternative to sending the "banned" files, simply by compressing them into an archive.



  • Copypasta from that page:

    Outlook does not block documents that have the following file name extensions: .xls, .doc, .ppt, and .txt.

    Looks like that provider is TRWTF.



  • That is kinda funny... it says it's banned based on mime type, but it's not looking at mime type, it's looking at file extensions. Simple solution - change the file extension to .zip and tell your recipient to change it back.



  • I think I have you beat. Several years ago in response to the Apost worm (http://www.f-secure.com/v-descs/readme.shtml), our IT dept blocked any file attachments with a filename that began with "as". Now the paylod for this particular worm is a PE executable called readme.exe, and executables were already blocked. But since the email containing the worm had a subject line of "As per your request!", they went ahead and blocked any attachmenst that began with "as", including any files inside of zip archives.

    They never did understand why their scheme wasn't helping anything.



  • If it is a text file why not just put the contents into the message body?



  • The message looks like it was an .aspx file that was blocked, not a .txt file. Am I missing something that would make the OP make sense?



  •  Why not make a screenshot of it, print it, put it on a wooden table, make a picture of it and attach that to the mail? Surely no provider blocks image attachments?



  • @jasmine2501 said:

    That is kinda funny... it says it's banned based on mime type, but it's not looking at mime type, it's looking at file extensions. Simple solution - change the file extension to .zip and tell your recipient to change it back.

    Or...don't give it an extension?



  • @Scarlet Manuka said:

    The message looks like it was an .aspx file that was blocked, not a .txt file. Am I missing something that would make the OP make sense?

    Re-read it. The .aspx extension is part of the web address where the list of banned extensions can be found, the name of the file that was rejected is not mentioned at all.


  • Discourse touched me in a no-no place

    @mallard said:

    the name of the file that was rejected is not mentioned at all.
    The extension of the file was mentioned.



  • Weak!



  • @PJH said:

    @mallard said:
    the name of the file that was rejected is not mentioned at all.
    The extension of the file was mentioned.

    Not in the error message.



  • @jasmine2501 said:

    That is kinda funny... it says it's banned based on mime type, but it's not looking at mime type, it's looking at file extensions. Simple solution - change the file extension to .zip and tell your recipient to change it back.

    Because this is a business critical request, I just can't bring myself to trust that these people are smart enough to follow simple instructions, such as "rename the files to .txt". It's just quicker and easier for me to comply and actually archive them.

    @SlyEcho said:

    If it is a text file why not just put the contents into the message body?

    I tried that originally, but these people apparently were not competent enough to have noticed.

    @pbean said:

     Why not make a screenshot of it, print it, put it on a wooden table, make a picture of it and attach that to the mail? Surely no provider blocks image attachments?

    If this weren't business related, and business critical, I definitely would consider doing that. I did reply back to them to attach the zip file of the text files with the server-generated error message in the e-mail. I doubt, however, that they will notice my passive-aggressive attempt to tell them that their system is a WTF.



  • TRWTF is having to send your provider a copy of anything just to get another IP address. What you do with that IP is none of their damned business unless you end up doing something nefarious with it but then there's procedures to handle that. There's plenty of competitive hosting providers out there, the only thing I would send them would be any prerequisites to terminate the account after shopping for another.



  • @error_NoError said:

    TRWTF is having to send your provider a copy of anything just to get another IP address. What you do with that IP is none of their damned business unless you end up doing something nefarious with it but then there's procedures to handle that. There's plenty of competitive hosting providers out there, the only thing I would send them would be any prerequisites to terminate the account after shopping for another.

    Amazon'll give you an IP for like... $0.01 a day.



  • @error_NoError said:

    TRWTF is having to send your provider a copy of anything just to get another IP address. What you do with that IP is none of their damned business unless you end up doing something nefarious with it but then there's procedures to handle that. There's plenty of competitive hosting providers out there, the only thing I would send them would be any prerequisites to terminate the account after shopping for another.

    Sometimes it's just better to bite the bullet and comply. In this case, there is no security implication, and aside of having to re-send the e-mail a second time, it is less of a hassle than having to shop for another provider, get that provider approved by the PtB (Powers-that-be), and migrating all systems over to the new provider (assuming approval was granted).

    As for why they do it; I can sort of understand. IPv4 addresses are becoming scarce, and because this provider deals with virtualization (yes, this is the first time that I've specifically mentioned this), I could see their pool of available addresses being limited.



  • @error_NoError said:

    TRWTF is having to send your provider...
    You do realise IPv4-addresses are running out? If we want another (or larger) subnet, we have to answer the same kind of questions: What are you going to do with it?



  •  TRWTF is needing another IP address for HTTPS.



  • @immibis said:

    TRWTF is needing another IP address for HTTPS.

    Because... you can have multiple secure websites on the same IP address?...



  • @dohpaz42 said:

    As for why they do it; I can sort of understand. IPv4 addresses are becoming scarce, and because this provider deals with virtualization (yes, this is the first time that I've specifically mentioned this), I could see their pool of available addresses being limited.


    Sounds totally like my favourite provider (green color scheme)... except that I'm quite sure they are not running Exchange as their email server. If you were trying to contact those... are you sure the error doesn't come from your own company's firewall?
    Edit: Missed the Google Apps part.



  • @Sutherlands said:

    @immibis said:

    TRWTF is needing another IP address for HTTPS.

    Because... you can have multiple secure websites on the same IP address?...

    The standard* Apache/mod_ssl does not support multiple SSL hosts on the same IP address, unless you use different ports for each host. This is because mod_ssl does not receive the Host header sent during the HTTP request, and thus can only determine a configuration based on the IP address.

    * There is supposedly a patch, and also another module, that does add support for this. I admit that I did not do any heavy research, but a) I do not want to have to take on the burden of maintaining my own version of mod_ssl, and I do not want to add the burden of using a module that I am not familiar with.



  • @dohpaz42 said:

    @Sutherlands said:

    @immibis said:

    TRWTF is needing another IP address for HTTPS.

    Because... you can have multiple secure websites on the same IP address?...

    The standard* Apache/mod_ssl does not support multiple SSL hosts on the same IP address, unless you use different ports for each host. This is because mod_ssl does not receive the Host header sent during the HTTP request, and thus can only determine a configuration based on the IP address.

    * There is supposedly a patch, and also another module, that does add support for this. I admit that I did not do any heavy research, but a) I do not want to have to take on the burden of maintaining my own version of mod_ssl, and I do not want to add the burden of using a module that I am not familiar with.

    Exactly.  Adding an IP is normal for adding a website.


  • @Sutherlands said:

    @dohpaz42 said:

    @Sutherlands said:

    @immibis said:

    TRWTF is needing another IP address for HTTPS.

    Because... you can have multiple secure websites on the same IP address?...

    The standard* Apache/mod_ssl does not support multiple SSL hosts on the same IP address, unless you use different ports for each host. This is because mod_ssl does not receive the Host header sent during the HTTP request, and thus can only determine a configuration based on the IP address.

    * There is supposedly a patch, and also another module, that does add support for this. I admit that I did not do any heavy research, but a) I do not want to have to take on the burden of maintaining my own version of mod_ssl, and I do not want to add the burden of using a module that I am not familiar with.

    Exactly.  Adding an IP is normal for adding a website.

    Gotcha. I think that I misread your reply's intent and went the other way with my reply. I would love to reduce my need for one-off IP addresses. But, I prefer a non-hackish way to do. I guess on the plus side, I can also put each non-SSL domain that needs SSL on that one IP and at least separate out their mail stuff to avoid blacklisting all domains because of one dick.



  • @dohpaz42 said:

    The standard* Apache/mod_ssl does not support multiple SSL hosts on the same IP address, unless you use different ports for each host. This is because mod_ssl does not receive the Host header sent during the HTTP request, and thus can only determine a configuration based on the IP address.

    * There is supposedly a patch, and also another module, that does add support for this. I admit that I did not do any heavy research, but a) I do not want to have to take on the burden of maintaining my own version of mod_ssl, and I do not want to add the burden of using a module that I am not familiar with.

    As a note: you can use the standard mod-ssl and name based vhosts with ssl on the same IP as long as the vhosts are on the same domain (e.g. example.com&www.example.com on one vhost and m.example.com on another vhost) and the certificate is valid for all the vhost domains. Currently the first encountered SSL config will be used but this behaviour might change in the future.



  • @pnieuwkamp said:

    @error_NoError said:

    TRWTF is having to send your provider...
    You do realise IPv4-addresses are running out? If we want another (or larger) subnet, we have to answer the same kind of questions: What are you going to do with it?

    Yes and like most other scarce items, the prices are rising to reflect this. I could see if they were handing out the additional IPs for free or if you were requesting blocks of IPs. But if you're purchasing it/them there should be a ToS or some sort of contract attached and as long as you're using it/them in a manner allowed by their terms, exactly how you're using it is NOTDB. At most you should be able to tell them for SSL and that should be good enough, you shouldn't have to send them anything to prove it. What's next, they want your account passwords so they can verify that you really do have an additional SSL site configured?

    Speaking of IPs, I was at an AT&T wireless store the other day and noticed that they had every computer and printer labeled with what looked like public IP addresses. Do they really have a public IP for every networked device in all of their stores?! Or do they just have some custom IP networking setup going that allows them to use a public IPs internally?



  • @dohpaz42 said:

    @Sutherlands said:

    @immibis said:

    TRWTF is needing another IP address for HTTPS.

    Because... you can have multiple secure websites on the same IP address?...

    The standard* Apache/mod_ssl does not support multiple SSL hosts on the same IP address, unless you use different ports for each host. This is because mod_ssl does not receive the Host header sent during the HTTP request, and thus can only determine a configuration based on the IP address.

    * There is supposedly a patch, and also another module, that does add support for this. I admit that I did not do any heavy research, but a) I do not want to have to take on the burden of maintaining my own version of mod_ssl, and I do not want to add the burden of using a module that I am not familiar with.

     

    Which is, in itself, an Apache WTF as support for named hosts was written into the TLS standard.

     



  • @error_NoError said:

    Speaking of IPs, I was at an AT&T wireless store the other day and noticed that they had every computer and printer labeled with what looked like public IP addresses. Do they really have a public IP for every networked device in all of their stores?! Or do they just have some custom IP networking setup going that allows them to use a public IPs internally?

    What address ranges?

    The following are all private ranges:

    10.0.0.0 – 10.255.255.255

    172.16.0.0 – 172.31.255.255

    192.168.0.0 – 192.168.255.255

    People tend to forget about the 172 range.

     



  • @powerlord said:

    Which is, in itself, an Apache WTF as support for named hosts was written into the TLS standard.


    Erm? You can have SNI in Apache with the alternative SSL module. Problem is that older IE (nor older versions of other browsers, and there are people who don't upgrade their Firefox etc. either) does not support SNI, and remember that goal of a websie, especially a commercial website, is to reach to the max amount of viewers. So, they need IP-based SSL.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.