filename rules questioned

mikea mikea at MIKEA.ATH.CX
Mon Apr 21 12:43:17 IST 2003

On Mon, Apr 21, 2003 at 07:15:03AM -0400, Steve Campbell wrote:
> Folks,
> We occasionally get complaints from users about harmless enclosures in email
> they send or receive being deleted by MailScanner's filename.rules.conf
> mechanism. Especially in a college environment like ours, we need to weigh the
> risk of allowing enclosures through against the likelihood of false positives
> and the resulting interference with legitimate enclosures.
> So my question is, is there any documented (not just anecdotal) evidence to
> justify the blocking of enclosures with certain filenames as specified by
> filename.rules.conf?

Hi, all. First post to the list. Be gentle.

Certainly there is as regards the executables (.exe, .bat, .com, .pif,
.scr, and the like): those have been 100% worm/virus at my day job.
The "iframe" tag is used in both malicious and benign mail; I strip it
out because I can't tell the nature of the mail fast enough and well
enough to justify the effort of that determination.

I have considerable problems with benign files which had names of the
form "a.b.c.d.e.f.doc", where a, b, c, d, e, and f are multicharacter
strings. I work for a state highway department, and our design and
engineering folks commonly use multi-part names to describe the
project a file is related to. Moreover, the Feds and other state
government agencies, both in this state and in other states, do the
same. This has meant that I spend a half hour or so every day pulling
and forwarding quarantined files; thank $DEITY for smbfs, which lets
me copy them directly from a file on the MailScanner box to a file on
the WIN-2K box.

A _benefit_ of this activity is that the users are kept aware that we
are scanning their mail for nasty things, but I'm about to the point
of modifying the rules to not quarantine files of the form "*.wpd",
"*.doc", and "*.pdf", and trust the second-level antivirus code that
Lotus Notes invokes to catch anything with a name of that form.
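The quarantine problem described above comes down to rule order: a first-match rule set that denies "double extension" names will also catch legitimate multi-part names such as "hwy12.bridge.rev2.doc" unless an allow rule for the document types is placed ahead of it. The script below is an added illustration and is not MailScanner's code or configuration. It simulates a filename.rules.conf-style evaluator (tab-separated fields: allow/deny, case-insensitive regex, log text, user text; first match wins; this layout is an assumption about the format) over a constructed rule set, and shows the effect of inserting an allow rule for *.doc, *.wpd and *.pdf between the executable deny and the double-extension deny. All rule lines and file names are constructed for the example.

```python
"""Simulate first-match evaluation of filename.rules.conf-style rules.

Added illustration, not MailScanner code. The rule layout (four tab-separated
fields, regex matched case-insensitively, first matching rule wins) is an
assumption about the format; every rule and filename below is constructed.
"""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled, case-insensitive
    log_text: str
    user_text: str


def parse_rules(text: str) -> List[Rule]:
    """Parse tab-separated rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) != 4 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <regex> <log> <user>'")
        action, regex, log_text, user_text = fields
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE), log_text, user_text))
    return rules


def decide(filename: str, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, log_text) of the first matching rule; no match means allow."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.log_text
    return "allow", "no rule matched"


def rule_line(action: str, regex: str, log_text: str, user_text: str) -> str:
    """Build one tab-separated rule line (constructed, not a shipped rule)."""
    return "\t".join((action, regex, log_text, user_text))


# Constructed rules for the example. The double-extension rule deliberately
# resembles the kind of "filename hiding" check that trips on multi-part names.
EXEC_DENY = rule_line("deny", r"\.(exe|bat|com|pif|scr)$",
                      "Executable attachment", "Executable attachments are not accepted")
DOUBLE_EXT_DENY = rule_line("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                            "Possible filename hiding", "Double-extension filenames are not accepted")
DOC_ALLOW = rule_line("allow", r"\.(doc|wpd|pdf)$",
                      "Document passed through", "Document left for desktop antivirus to scan")

# Strict: executables denied, then any double extension denied.
STRICT_RULES = "\n".join(["# constructed rules", EXEC_DENY, DOUBLE_EXT_DENY])
# Relaxed: same, but documents are allowed before the double-extension check.
# The allow sits AFTER the executable deny so a name ending in .exe is never let through.
RELAXED_RULES = "\n".join(["# constructed rules", EXEC_DENY, DOC_ALLOW, DOUBLE_EXT_DENY])

SAMPLE_NAMES = [           # constructed attachment names
    "hwy12.bridge.rev2.doc",  # legitimate multi-part engineering name
    "report.doc",             # single extension
    "readme.txt.exe",         # classic hidden executable
    "invoice.pdf.scr",        # document name masking a screensaver executable
]

if __name__ == "__main__":
    for label, text in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        rules = parse_rules(text)
        print(f"--- {label} ---")
        for name in SAMPLE_NAMES:
            action, why = decide(name, rules)
            print(f"{name:26s} {action:5s} ({why})")
```

Running it shows the trade-off the post describes: under the strict set the multi-part .doc name is quarantined as "possible filename hiding", while under the relaxed set it passes and the .exe and .scr names are still denied by the executable rule that precedes the allow.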

