Zero-length attachments

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Wed Oct 1 20:32:20 IST 2003


On Wednesday 01 October 2003 7:59 pm, Kevin Spicer wrote:

> On Wed, 2003-10-01 at 19:42, Antony Stone wrote:
> >If the option is set at "Yes" then Zero-size attachments bypass the
> >filename, filetype and virus checks (the latter two for efficiency, because
> >there's nothing to bother checking).
>
> no they should still be blocked, because...
>
> a) it gives the impression of inconsistency
> b) zero byte files could be used in nuisance social engineering attacks
> ("please copy the attached updated file - vimportant.dll into
> C:\windows\system32, love from Microsoft")
> c) Files appearing to get through the filter could send some managers
> into a flurry of panic thinking something has gone wrong, causing them
> not to trust MailScanner.
> d) Odds are there is something suspect about any mail with a zero byte
> attachment.

Actually, I disagree with (a), because complaining about an .exe file which
isn't there seems ridiculous to many users - better to say nothing because
there's nothing to say it about.

(b) is a good point, so maybe there should be the option to add a message
saying the attachment was "removed" and anything else in the original email
should be regarded with suspicion, etc....

(c) was in fact my reason for raising the suggestion in the first place.   An
attachment called Qph.exe which gets past the anti-virus check can trigger
alarm, and too many people don't check to see that it's actually zero bytes
in size.   Maybe the best solution is to remove the "attachment" so as to
eliminate both causes for alarm, but I think it's not good for people to see
"Executable files can be dangerous" when in fact there's nothing there...

(d) goes both ways, I think.   Many users are capable of attaching files
which end up as zero-length by mistake, so it wouldn't be good to assume that
all examples are malicious or should be totally eliminated.

I'd still like to see some MailScanner option for treating zero-size
attachments differently from "real" ones.

Regards,

Antony.

--

Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
 - Damian Conway, Perl God
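
The treatment discussed in this message (remove a zero-size attachment and attach a notice rather than emit an "executable files can be dangerous" warning) can be sketched as follows. This is an added example, not MailScanner code or configuration; the extension list, verdict strings, notice wording and sample message are all assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".dll", ".scr", ".pif")  # assumed filename rule
NOTICE = ("Empty attachment(s) removed: {}. Nothing was attached under "
          "these names; treat any instructions about them with suspicion.")

def build_sample():
    """Constructed test message: one empty .exe, one real .exe, one text file."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see attached.")
    for data, name in ((b"", "Qph.exe"), (b"MZ\x90\x00", "setup.exe"),
                       (b"hello", "notes.txt")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def triage(raw):
    """Return (verdicts, message) with zero-length parts stripped and noted."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or "(unnamed)"
        # Nested multiparts have no decodable payload; never count them as empty.
        empty = not part.is_multipart() and not part.get_payload(decode=True)
        if empty:
            # Nothing to scan: drop the part instead of warning about an .exe.
            verdicts[name] = "removed-empty"
            msg.get_payload().remove(part)
        elif name.lower().endswith(BLOCKED_EXT):
            verdicts[name] = "blocked-filename"  # verdict only; part left in place
        else:
            verdicts[name] = "passed"
    removed = [n for n, v in verdicts.items() if v == "removed-empty"]
    if removed:
        msg.add_attachment(NOTICE.format(", ".join(removed)),
                           filename="notice.txt")
    return verdicts, msg

if __name__ == "__main__":
    verdicts, cleaned = triage(build_sample())
    print(verdicts)
    print([p.get_filename() for p in cleaned.iter_attachments()])
```

The size test runs on the decoded payload, so a part whose base64 body is empty is caught before any filename rule fires.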
