Guess what.... 4.28.4
Julian Field
mailscanner at ecs.soton.ac.uk
Thu Mar 4 14:27:19 GMT 2004
At 14:13 04/03/2004, you wrote:
>Spicer, Kevin responded to Plant, Dean...
>
> > > [DP] But users are not notified of inbound password protected zips. With
> > > other blocked file types users are notified correctly.
> > >
> > > I also am unable to release any quarantined password protected zips
> > > from Mailwatch as it is marked as a virus and not a blocked file.
> > >
> > > Have I understood the Non-Forging setting correctly?
> >
> > [KS] That is what Julian suggested he might do for the next/a future
> > release; however, that is not the behaviour yet.
>
>I haven't tried this, but might the desired behaviour be approximated
>by using filetype checking to pick out ZIP files of version 1.0 (see
>previous discussion about MIT, etc.)? My file command (version 4.07)
>shows the following on one bad and one OK ZIP:
>
> Text.zip: Zip archive data, at least v1.0 to extract
> fine.zip: Zip archive data, at least v2.0 to extract
>
>(The first one's the Bagle virus.)
>
>A quick scan through the magic file shows that the ZIP line is the only
>place "v1.0" appears as an isolated word.
That won't work once the virus writers go up to version 2 which they will
as soon as they are being defeated by people testing only for version 1.
>Could one make a filetype entry like this
>
> deny " v1.0 " No v1.0 ZIP archives, possible Bagle ditto
>
>in filetype.rules.conf and use filetype checking to get these? It doesn't
>sound efficient, but might it work?
It might work for now, but not for very long.
Remember you are trying to hit a moving target.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
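Added illustration, not part of the list post: Python that reproduces the check under discussion by reading the "version needed to extract" field that file(1) reports, applying the proposed `deny " v1.0 "` rule as a plain substring match (an assumption about how the rule is applied), and showing that a one-field change in the archive header sidesteps it, which is the moving-target point above. The ZIP samples are constructed in the code, not real captures.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# sig, version needed, flags, method, time, date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes

def zip_min_extract_version(data: bytes):
    """Walk the local file headers and return the highest 'version needed to
    extract' value (10 -> v1.0, 20 -> v2.0), or None if this is not a ZIP."""
    if not data.startswith(LOCAL_SIG):
        return None
    off, highest = 0, 0
    while data.startswith(LOCAL_SIG, off):
        fields = struct.unpack_from(LOCAL_FMT, data, off)
        version, csize, nlen, xlen = fields[1], fields[7], fields[9], fields[10]
        highest = max(highest, version)
        off += LOCAL_LEN + nlen + xlen + csize  # skip to the next header
    return highest

def describe(data: bytes) -> str:
    """Mimic the file(1) one-liner that a filetype rule is matched against."""
    v = zip_min_extract_version(data)
    return "data" if v is None else f"Zip archive data, at least v{v // 10}.{v % 10} to extract"

DENY_PATTERN = " v1.0 "  # the rule proposed in the thread, isolated word

def filetype_rule_allows(data: bytes) -> bool:
    return DENY_PATTERN not in describe(data)  # assumption: substring match

def stored_v10_zip(name: bytes, payload: bytes) -> bytes:
    """Constructed sample: one stored (uncompressed) entry whose header claims
    v1.0, matching the file(1) reading the thread shows for the bad archive.
    Only the local header is built, which is all file(1) inspects."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 10, 0, 0, 0, 0, crc,
                      len(payload), len(payload), len(name), 0)
    return hdr + name + payload

def deflated_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: an ordinary deflated entry; zipfile writes v2.0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def bump_version(data: bytes, version: int) -> bytes:
    """Rewrite only the version field of the first header: the trivial change
    that defeats a rule keyed on ' v1.0 '."""
    return data[:4] + struct.pack("<H", version) + data[6:]
```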