Reviving an old idea about renaming forbidden extensions

Julian Field mailscanner at ecs.soton.ac.uk
Thu Jan 9 20:20:19 GMT 2003


Good idea. I'll take a look, but no promises.

At 20:13 09/01/2003, you wrote:
>Almost a year ago (Jan 2002), I sent a mail to Julian with the following
>suggestion:
>
> >I would like to make the following suggestion with regard to
> >'forbidden extensions'. There are currently two options: ban them if
> >they're on the list, or allow them if they do not contain a virus.
> >How about a third option: rename the file (if it does not contain a
> >known virus, of course) to make it not immediately executable, for
> >instance by replacing .ext with ~ext and adding an explanatory line
> >like 'MailScanner changed filename.pif to filename~pif to prevent
> >immediate execution; shortcuts to (&etc) are dangerous, so be very
> >cautious about renaming the file and executing it.' Or something
> >like that. Some people actually send virus-free files with .pif and
> >.reg extensions through our servers ... they're not too happy ..
>
>I implemented the .exe restriction about three days ago, and the sun
>doesn't shine anymore over here. I had to let it go, even though I'm fully
>opposed to sending directly executable content through email. Lots of users
>(mainly businesses in our case) were severely hindered by this restriction,
>and even though I'm as BOFH as they come, frustrating clients' mailflow is
>not on my priority list (well, not in the top 10 at the moment).
>
>I do see the need to 'treat' extensions like 'exe' though, and adding the
>'rewrite' option (and the proposed functionality) to the
>filenames.rules.conf would be the best of both worlds. For example,
>renaming an attachment from file.exe to file.~exe or file.exe~ (the latter
>sounds easier, you can anchor to $) would a) show the original extension on
>'platforms' that have a tendency to hide them (happily exploited by the
>virus.jpg.scr type virus) b) leave the file untouched, but you have to
>actively rename and execute it to run it. Of course, MailScanner will
>include a warning and a short explanation as to why and how. Best of both
>worlds, it seems. People get their files, and they can't say they weren't
>informed about the risks.
>
>Of course, the primary goal is to intercept new viruses that are not in the
>DAT files yet (or at least to inform recipients of that possibility), but
>maintaining the lowest level of impact regarding those who have to send
>this kind of content using email. I may even start ordering MailScanner
>goodies.
>
>--
>- Ben C. O. Grimm ----------------- Ben.Grimm at wirehub.net -
>- Wirehub! Internet Engineering - http://www.wirehub.net/ -
>- Private Ponderings ----------- http://www.bengrimm.net/ -
>- Wirehub! Internet ----------- part of easynet Group plc -

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
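
The rename option proposed in this thread, sketched as an added example; it is not MailScanner code and does not come from either poster. The rule table, the `rename` action name, the `.vbs` deny rule and the function `neutralise` are assumptions made for illustration.

```python
import re

# Constructed rule table, first match wins: (action, filename regex, reason).
# "rename" is the third option proposed in the thread, next to the two
# existing ones (ban / allow). It is hypothetical here, not a real setting.
RULES = [
    ("rename", r"\.(exe|pif|scr|reg)$", "directly executable content"),
    ("deny",   r"\.vbs$",               "script attachment (constructed rule)"),
    ("allow",  r".*",                   ""),
]


def neutralise(filename, rules=RULES):
    """Return (action, delivered_name, notice) for one attachment filename.

    delivered_name is None when the attachment is banned outright.
    """
    for action, pattern, reason in rules:
        # Match case-insensitively so Setup.EXE is treated like setup.exe.
        if not re.search(pattern, filename, re.IGNORECASE):
            continue
        if action == "rename":
            # Append "~" so the pattern can stay anchored to "$" and the full
            # original name, including a hidden second extension, stays visible.
            new_name = filename + "~"
            notice = (
                "MailScanner changed %s to %s to prevent immediate execution "
                "(%s). Be very cautious about renaming the file and "
                "executing it." % (filename, new_name, reason)
            )
            return action, new_name, notice
        if action == "deny":
            return action, None, "Attachment %s removed (%s)." % (filename, reason)
        return action, filename, ""
    # No rule matched at all: deliver unchanged.
    return "allow", filename, ""


if __name__ == "__main__":
    # Constructed sample filenames.
    for name in ["virus.jpg.scr", "Setup.EXE", "report.pdf", "file.exe~"]:
        print(neutralise(name))
```

Because the renamed file ends in `~`, it no longer matches the `$`-anchored pattern, so a message that passes through the scanner a second time is not renamed again.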


