Messages with blocked filenames/filetypes not being delivered
Jim Holland
mailscanner at MANGO.ZW
Wed Nov 3 18:42:00 GMT 2004
Hi
Further to:
> I don't remember seeing banned filenames and filetypes being classified as
> silent in the previous version of MailScanner. This will obviously lead
> to problems with legitimate attachments being blocked. Is there any way
> to control this? Could this be because with the latest version of
> MailScanner I have reverted from:
>
> Silent Viruses = HTML-IFrame HTML-Codebase HTML-Form All-Viruses Exploit.HTML.Bagle
>
> to the default:
>
> Silent Viruses = All-Viruses

I now see that messages that have a file with a long filename are silently
quarantined as well. The report states:

    MailScanner: Very long filenames are good signs of attacks against
    Microsoft e-mail packages (trpix.gif%3F%26rdm.dat)

The actual filename turned out to be:

trpix.gif?&rdm=81382383&dlv=631,17573,112457,79531,476931&kid=79531&chw=979531-&tcs=&bls3=111000A&bls4=010004111147&uid=1&dmn=.dyn.iinet.net.au&scx=800&scy=600&scc=32&jav=1&sta=,,,1,,,,,,,0,0,0,8672,8648,8647,66,0&iid=112457&bid=476931

However there was nothing wrong with the rest of the message, so it was
something that should have been delivered without the suspicious file.

Should this now be explicitly listed in the still_deliver_silent_viruses.rules
file? This then starts to make the rules rather more complex, as the file
will have to list specific viruses first as not to be delivered, then list
the specific filename and filetype warnings that should be delivered, and
then the default not to deliver. I am sure that the earlier versions of
MailScanner did not require this.

Regards
Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service