Reviving an old idea about renaming forbidden extensions

Ben C. O. Grimm mailscanner-sub at WIREHUB.NET
Thu Jan 9 20:13:29 GMT 2003


Almost a year ago (Jan 2002), I sent a mail to Julian with the following
suggestion:

>I would like to make the following suggestion with regards to
>'forbidden extensions'. There are currently two options: ban them if
>they're on the list, or allow them if they do not contain a virus.
>How about a third option: rename the file (if it does not contain a
>known virus, of course) to make it not immediately executable, for
>instance by replacing .ext with ~ext and adding an explanatory line
>like 'MailScanner changed filename.pif to filename~pif to prevent
>immediate execution; shortcuts to (&etc) are dangerous, so be very
>cautious about renaming the file and executing it.' Or something
>like that. Some people actually send virus-free files with .pif and
>.reg extension through our servers ... they're not too happy ..

I implemented the .exe restriction about three days ago, and the sun
doesn't shine anymore over here. I had to let it go, even though I'm fully
opposed to sending directly executable content through email. Lots of users
(mainly businesses in our case) were severely hindered by this restriction,
and even though I'm as BOFH as they come, frustrating clients' mailflow is
not on my priority list (well, not in the top 10 at the moment).

I do see the need to 'treat' extensions like 'exe' though, and adding the
'rewrite' option (and the proposed functionality) to the
filenames.rules.conf would be the best of both worlds. For example,
renaming an attachment from file.exe to file.~exe or file.exe~ (the latter
sounds easier, you can anchor to $) would a) show the original extension on
'platforms' that have a tendency to hide them (happily exploited by the
virus.jpg.scr type virus) b) leave the file untouched, but you have to
actively rename and execute it to run it. Of course, MailScanner will
include a warning and a short explanation as to why and how. Best of both
worlds, it seems. People get their files, and they can't say they weren't
informed about the risks.

Of course, the primary goal is to intercept new viruses that are not in the
DAT files yet (or at least to inform recipients of that possibility), but
maintaining the lowest level of impact regarding those who have to send
this kind of content using email. I may even start ordering MailScanner
goodies.

--
- Ben C. O. Grimm ----------------- Ben.Grimm at wirehub.net -
- Wirehub! Internet Engineering - http://www.wirehub.net/ -
- Private Ponderings ----------- http://www.bengrimm.net/ -
- Wirehub! Internet ----------- part of easynet Group plc -
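
The renaming scheme proposed in this message (append `~`, anchor the rule to `$`), sketched in Python as an added example; it is not part of the original post or of MailScanner. The extension list, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumed extension list for illustration; not MailScanner's rule-file syntax.
RENAME = re.compile(r"\.(exe|pif|scr|reg)$", re.IGNORECASE)

def neutralise(filename):
    """Append '~' when the final extension is on the list, else return as is."""
    # Windows ignores trailing dots and spaces, so 'a.exe. ' still runs as
    # 'a.exe'; strip them before applying the $-anchored rule.
    base = filename.rstrip(". \t")
    return base + "~" if RENAME.search(base) else filename

def rename_attachments(msg):
    """Rename matching attachments in place; return one warning per change."""
    warnings = []
    for part in msg.walk():
        old = part.get_filename()
        new = neutralise(old) if old else old
        if new == old:
            continue
        # The name can live in either header; update whichever is present.
        if part.get_param("filename", header="Content-Disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name") is not None:
            part.set_param("name", new)
        warnings.append(f"Renamed {old} to {new} to prevent immediate execution")
    return warnings

# Constructed sample message, not real traffic.
SAMPLE = """\
Subject: files
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="photo.jpg.scr"
Content-Disposition: attachment; filename="photo.jpg.scr"

AAAA
--XX
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

AAAA
--XX--
"""

if __name__ == "__main__":
    print(rename_attachments(message_from_string(SAMPLE)))
```

The double-extension name keeps its full original form, so `photo.jpg.scr~` shows the `.scr` even on clients that hide the last extension, and a name that already ends in `~` is left alone.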
