Messages with blocked filenames/filetypes not being delivered

Jim Holland mailscanner at MANGO.ZW
Tue Nov 2 20:44:14 GMT 2004

Hi all

I have been using MailScanner since February this year, and have found it
an extraordinarily valuable package - thanks again, Julian.

I consider myself reasonably smart with its configuration, but must admit
to still having problems with really understanding the process flow (of
course one day I really must read the source!).  I find it difficult to be
able to determine in advance whether a particular message with problem
contents will be:

        (a) Bounced back to sender (desirable with non-forging viruses,
        MS Office macros viruses etc), and if so what message is
        being sent back to sender.

        (b) Delivered to the recipient after removal of blacklisted
        content (desirable with above non-forging viruses/MS Office
        macros viruses etc, with disarmed HTML, with unacceptable
        filenames/filetypes which are not detected as being actual
        viruses, with attachments or messages that are too large
        with password-protected zip files etc etc)

        (c) Quarantined and sent to no one.

With viruses it is reasonably clear what will happen, although the
definition of "All-Viruses" as used in the "Silent Viruses" definition
does not seem to be clearly spelt out - I assume that it means anything
that is found by the virus scanner (virus/worm/trojan/script/exploit etc)
plus password-protected zip files that are not detected as viruses.
The Silent Viruses option controls bounces to sender and the Still Deliver
Silent Viruses settings controls whether or not the messages are delivered
after removal of the problem attachment.  This behaviour is also modified
by the Non-Forging Viruses option.

The above settings can also be used to determine the response to HTML
exploits that are discovered.

However it is not immediately clear what happens when other problems are
found, eg messages with:

        Unacceptable filenames
        Unacceptable filetypes
        Password-protected zip files
        Messages that are too large
        Attachments that are too large

If the above are blocked, then is there a notification to the sender and/or
recipient?  How is that controlled?

What about messages where the html has been converted to text?  Is the
recipient notified?  I presume not.

I wonder if it is not time to think of a more unified system of rules, eg
a single "notification.conf" configuration file to specify actions to be
taken and warning messages to be used for different problem categories
classified as "deny" in current config files.  Rulesets could be used if
required.  Sample lines might read:

# category                      sender warning                  recipient warning
denied_filename:                stored.filename.message.txt
silent_virus:                   -                               -
%rules-dir%/messagesize.rules:  -
spam:                           -                               -

If there was no warning listed then no notice would be sent.  Perhaps
additional fields could be added, eg for logging requirements.

There would also need to be a master ruleset to determine what to do if a
message contained one attachment to be silently quarantined and another to
be delivered to the recipient, and so on.  This approach would clearly
break some of the other configuration and rules files, but could be the
basis of a simpler system to understand and configure.  Is this of any
interest for further pursuit?

Now the reason for the above musings is that I have a problem that I can't
resolve!  I want to ensure that messages that are being saved to
quarantine because of banned filenames/filetypes/Password-protected zip
files but which are not found to contain any actual virus are delivered
without the offending files.  For some reason, since updating to
MailScanner-4.35.9-1 and removing the references to "Joke" in Non-Forging
Viruses and still_deliver_silent_viruses.rules, the system is not
delivering any notifications to recipients about any of the following:

        {Blocked Content}

The removal of the "Joke" entry has stopped all the virus warnings about
Worm.Bagle.AU etc, so that is fine.  (It was sending files.)

The Blocked Content warnings have probably stopped because I changed the
settings for allowing HTML tags from "no" to "disarm", which is also fine.

However I am puzzled by the fact that a harmless .tmp file is now silently
quarantined instead of the message being delivered without the attachment
but with a warning.  Any suggestions as to where to look?

In MailScanner.conf I have set:

        Filename Rules = %rules-dir%/filename.rules

and filename.rules has the tab-delimited line:

        FromOrTo:       default      %etc-dir%/filename.rules.conf

and filename.rules.conf has the new defaults including:

        deny    \.tmp$  Dangerous Temporary File (according to Microsoft)       Dangerous attachment according to Microsoft Q883260

So I would expect the attachment to be removed and a warning message added.
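As an added illustration of the filename.rules.conf check the post is describing (this is example code written for this page, not MailScanner's own implementation), the script below parses a small constructed rules file in the same tab-delimited layout (action, regex, log text, text reported to the user), applies it to a list of attachment names, and splits a message into the attachments that would still be delivered and the ones that would be stripped, together with the warning text for each. Assumptions, marked in the code: only the allow/deny actions shown on the page are handled, rules are evaluated top to bottom with the first match winning, names are matched case-insensitively, a name that matches no rule is allowed, and a "-" field stands for "no text". The function and sample names are the example's own, not MailScanner identifiers.

```python
import re
from dataclasses import dataclass

# Constructed sample in the filename.rules.conf layout quoted in the post:
# action <TAB> regex <TAB> log text <TAB> text reported to the user.
SAMPLE_RULES = """\
# Common document types are allowed outright
allow\t\\.pdf$\t-\t-
# The new MailScanner default quoted in the post
deny\t\\.tmp$\tDangerous Temporary File (according to Microsoft)\tDangerous attachment according to Microsoft Q883260
deny\t\\.(exe|scr|pif)$\tExecutable attachment\tExecutable attachments are not accepted here
"""


@dataclass
class Rule:
    action: str          # "allow" or "deny" (assumption: only these two are modelled)
    pattern: re.Pattern  # regex applied to the attachment filename
    log_text: str        # what the mail server would log
    user_text: str       # what the recipient's warning attachment would say


def parse_rules(text):
    """Parse rules in filename.rules.conf layout; fields are separated by one or more tabs."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"\t+", line)]
        if len(fields) < 2 or fields[0] not in ("allow", "deny"):
            raise ValueError("line %d: expected 'allow|deny <TAB> regex ...'" % lineno)
        # Pad missing text fields, and treat "-" as "no text" (assumption).
        fields += ["-"] * (4 - len(fields))
        log_text = "" if fields[2] == "-" else fields[2]
        user_text = "" if fields[3] == "-" else fields[3]
        # Assumption: filenames are matched case-insensitively.
        rules.append(Rule(fields[0], re.compile(fields[1], re.IGNORECASE), log_text, user_text))
    return rules


def check_attachment(name, rules):
    """Return (verdict, matching_rule); first matching rule wins, no match means allow."""
    for rule in rules:
        if rule.pattern.search(name):
            return rule.action, rule
    return "allow", None


def process_message(attachment_names, rules):
    """Split a message's attachments into delivered and blocked, with per-file warning text."""
    result = {"deliver": [], "blocked": [], "reports": {}, "log": []}
    for name in attachment_names:
        verdict, rule = check_attachment(name, rules)
        if verdict == "deny":
            result["blocked"].append(name)
            result["reports"][name] = rule.user_text
            result["log"].append("%s: %s" % (name, rule.log_text))
        else:
            result["deliver"].append(name)
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    outcome = process_message(["notes.txt", "setup.tmp", "tool.exe", "report.PDF"], rules)
    print("delivered:", outcome["deliver"])
    print("blocked:  ", outcome["blocked"])
    for name, text in outcome["reports"].items():
        print("warning for %s: %s" % (name, text))
```

Running the script shows the behaviour the post expects: notes.txt and report.PDF pass through, setup.tmp and tool.exe are dropped, and the recipient-facing text for setup.tmp is the Q883260 sentence from the rule. Any attachment that matches no rule is let through, so a rules file that ends without a catch-all line allows by default.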
