filename rules inside of an archive

Michael Caplan worker at MOMPOPMEDIA.COM
Thu Sep 9 18:00:45 IST 2004


<x-flowed>
Hi Julian,

Thanks for the prompt answer.  While I agree with your interest in
avoiding unnecessary code bloat I'd like to try and bounce an argument
(sorry if it is a tried argument) of why such a feature is an important
one that benefits consideration.

With the servers I run, and I am sure this scenario plays out with many
other environments other than my own, it is important to deny certain
filenames in one scenario (a plain .exe attachment), but not another (an
.exe zipped up).  It is agreed that an executable file is dangerous as a
plain attachment, but rolled into a zip, an .exe does not pose the same
threat.  Also, it comes up on many occasions that a client needs to
transmit an otherwise denied file as a legitimate attachment.

One option is deliberately renaming a file extension as a means to get
around this, but this creates a level of complexity for the user, and
also MailScanner attempts (as far as I understand) to isolate improperly
named files using the "file" command anyhow (invalidating this
approach).  This leaves no other solution other than turning off archive
filename checks with Maximum Archive Depth = 0.  This is not such a good
solution as it then opens up an insecure door (how many of you are
getting zips with malicious .pifs throughout the day?)

All said, I see two equally important scenarios in which different rule
sets should be applied to attachments and attached archives.

Or, perhaps I am looking at the problem wrong....?

Thanks,

Michael


Julian Field wrote:

> At 16:41 09/09/2004, you wrote:
>
>> Hi,
>>
>> I'm pretty new to MailScanner and its wonderful ways.  I hope this
>> question is not a tired one:
>>
>> I need to configure MailScanner so that it will check the contents of
>> all archives against filename.rules.conf (as it does by default), except
>> I need to make an exception for zip file contents.  In
>> filename.rules.conf I have .exe files banned.  I want to allow them to
>> pass in .zip files, provided that they pass my virus scanner (ClamAV).
>> For the time being I set Maximum Archive Depth = 0 in order to avoid
>> filename checks in Zips outright (a bad temp solution).  How would one
>> go about such a setup (if it is possible)?
>
>
> Sorry, the "Maximum Archive Depth=0" is the best solution. I contemplated
> adding a second entire set of filename and filetype rules, for checking
> against archive contents. However, it was agreed at the time that so few
> people would actually want to be able to do this that it would just add
> confusion without adding much extra useful functionality.
>
> I want to make MailScanner flexible, but if I add too much configuration
> then people just don't understand how to use it and the extra flexibility
> is never used. How many people know how to change the font used in "Ok"
> buttons in Xt applications? Yes, you can do it, someone may need to, but
> no-one ever does use the fine-grained configuration in X applications
> because it is too darned hard and no-one understands how it works.
>
> Also, more configuration options = more code to execute = slower :-(
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>
>

</x-flowed>
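
Added illustration, not part of the original message and not MailScanner code: a sketch of the two-rule-set policy the thread discusses, with one filename rule list for plain attachments and a second for names found inside zip archives. The rule format, the limits and all function names are assumptions made for this example.

```python
import io
import re
import zipfile

# Hypothetical rule sets (not MailScanner's filename.rules.conf syntax).
# First matching rule wins; patterns are case-insensitive.
ATTACHMENT_RULES = [("deny", r"\.(exe|pif)$"), ("allow", r".*")]
ARCHIVE_RULES = [("deny", r"\.pif$"), ("allow", r".*")]  # .exe tolerated inside zips
MAX_ARCHIVE_DEPTH = 2            # assumed nesting limit
MAX_MEMBER_BYTES = 10 * 2**20    # assumed cap; larger members are not unpacked

def verdict(name, rules):
    for action, pattern in rules:
        if re.search(pattern, name, re.IGNORECASE):
            return action
    return "allow"

def denied_names(name, data, depth=0):
    """Return the paths that violate policy; top level and archive members use different rules."""
    rules = ARCHIVE_RULES if depth else ATTACHMENT_RULES
    hits = [name] if verdict(name, rules) == "deny" else []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return hits
    if depth >= MAX_ARCHIVE_DEPTH:
        return hits + [name + " (archive nested too deep)"]
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Names of encrypted or oversized members are still checked; bodies are not read.
            skip_body = (info.flag_bits & 0x1) or info.file_size > MAX_MEMBER_BYTES
            body = b"" if skip_body else zf.read(info)
            hits += [f"{name}/{h}" for h in denied_names(info.filename, body, depth + 1)]
    return hits

def make_zip(members):
    """Build a constructed sample zip in memory from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

if __name__ == "__main__":
    print(denied_names("setup.exe", b"MZ"))
    print(denied_names("tools.zip", make_zip({"setup.exe": b"MZ"})))
    print(denied_names("doc.zip", make_zip({"invoice.pif": b"MZ"})))
```

This covers filename policy only; anything that passes would still go to the virus scanner, as the original question assumes.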


