filename rules inside of an archive

Jeff Graves jeff at IMAGE-SRC.COM
Thu Sep 9 19:14:43 IST 2004


Wow, I think you were reading my mind. I just ran into the same issue
this morning and was looking at options to work around it. I agree that
we don't want to bloat the code but to me, this seems like a glaringly
obvious feature that people would use. I don't see how you wouldn't need
it??? Rather than making an entire separate ruleset for checking
archives, how about an on/off toggle for archive filename/filetype
checking (this will keep the virus checking for archives).

Jeff Graves, MCSA
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

508.966.5200 - Phone
508.966.5170 - Fax
jeff at image-src.com - Email
www.image-src.com

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Michael Caplan
Sent: Thursday, September 09, 2004 1:01 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: filename rules inside of an archive


Hi Julian,

Thanks for the prompt answer.  While I agree with your interest in
avoiding unnecessary code bloat, I'd like to try and bounce an argument
(sorry if it is a tired argument) for why such a feature is an important
one that merits consideration.

With the servers I run, and I am sure this scenario plays out in many
environments other than my own, it is important to deny certain
filenames in one scenario (a plain .exe attachment), but not another (an
.exe zipped up).  It is agreed that an executable file is dangerous as a
plain attachment, but rolled into a zip, an .exe does not pose the same
threat.  Also, it comes up on many occasions that a client needs to
transmit an otherwise denied file as a legitimate attachment.

One option is deliberately renaming a file extension as a means to get
around this, but this creates a level of complexity for the user, and
also MailScanner attempts (as far as I understand) to isolate improperly
named files using the "file" command anyhow (invalidating this
approach).  This leaves no solution other than turning off archive
filename checks with Maximum Archive Depth = 0.  This is not such a good
solution as it then opens up an insecure door (how many of you are
getting zips with malicious .pifs throughout the day?).

All said, I see two equally important scenarios in which different rule
sets should be applied to attachments and attached archives.

Or, perhaps I am looking at the problem wrong....?

Thanks,

Michael


Julian Field wrote:

> At 16:41 09/09/2004, you wrote:
>
>> Hi,
>>
>> I'm pretty new to MailScanner and its wonderful ways.  I hope this
>> question is not a tired one:
>>
>> I need to configure MailScanner so that it will check the contents of
>> all archives against filename.rules.conf (as it does by default), except
>> I need to make an exception for zip file contents.  In
>> filename.rules.conf I have .exe files banned.  I want to allow them to
>> pass in .zip files, provided that they pass my virus scanner (ClamAV).
>> For the time being I set Maximum Archive Depth = 0 in order to avoid
>> filename checks in Zips outright (a bad temp solution).  How would one
>> go about such a setup (if it is possible)?
>
>
> Sorry, the "Maximum Archive Depth=0" is the best solution. I contemplated
> adding a second entire set of filename and filetype rules, for checking
> against archive contents. However, it was agreed at the time that so few
> people would actually want to be able to do this that it would just add
> confusion without adding much extra useful functionality.
>
> I want to make MailScanner flexible, but if I add too much configuration
> then people just don't understand how to use it and the extra flexibility
> is never used. How many people know how to change the font used in "Ok"
> buttons in Xt applications? Yes, you can do it, someone may need to, but
> no-one ever does use the fine-grained configuration in X applications
> because it is too darned hard and no-one understands how it works.
>
> Also, more configuration options = more code to execute = slower :-(
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>
>




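The two-ruleset behaviour Michael and Jeff ask for above, and that Julian declined to add, as an added Python illustration (this is not MailScanner's code): top-level attachment names and archive-member names are checked against separate rule lists, and a recursion limit plays the role of Maximum Archive Depth, so setting it to 0 reproduces the "insecure door" of never looking inside zips. The rule-line shape (tab-separated action, regex, log text, user text) is assumed to follow filename.rules.conf; the rule names, the function names and the sample zip are all constructed here. Filetype checking with the "file" command is not modelled.

```python
"""Separate filename rules for plain attachments and for archive members.

Added illustration, not MailScanner code. Rule lines are assumed to follow
the filename.rules.conf shape:
    allow|deny <TAB> <regex> <TAB> <log text> <TAB> <user report>
First matching rule wins; a name no rule matches is allowed.
"""
import io
import re
import zipfile

# Rules for a file that arrives as a plain attachment (constructed sample).
TOP_LEVEL_RULES = """\
deny\t\\.pif$\tPIF file\tPIF files are not accepted
deny\t\\.exe$\tExecutable\tExecutables are not accepted as plain attachments
allow\t.*\t-\t-
"""

# Rules for a file found inside an archive: still refuse .pif, but let .exe
# through (the virus scanner is still expected to run over the contents).
ARCHIVE_RULES = """\
deny\t\\.pif$\tPIF file\tPIF files are not accepted even inside archives
allow\t\\.exe$\t-\t-
allow\t.*\t-\t-
"""


def parse_rules(text):
    """Turn rule lines into (action, compiled regex, log text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        action, pattern = fields[0].lower(), fields[1]
        logtext = fields[2] if len(fields) > 2 else ""
        rules.append((action, re.compile(pattern, re.IGNORECASE), logtext))
    return rules


def check_name(name, rules):
    """Return (allowed, log text) for one filename; first match wins."""
    for action, rx, logtext in rules:
        if rx.search(name):
            return (action == "allow", logtext)
    return (True, "")


def check_attachment(name, data, top_rules, archive_rules, max_depth,
                     depth=0, prefix=""):
    """Check an attachment and, if it is a zip, recurse into its members.

    depth 0 uses top_rules, deeper levels use archive_rules. max_depth plays
    the role of Maximum Archive Depth: 0 means archives are never opened.
    Returns a list of (path, allowed, log text), outermost first.
    """
    path = prefix + name
    rules = top_rules if depth == 0 else archive_rules
    allowed, reason = check_name(name, rules)
    results = [(path, allowed, reason)]
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                results.extend(check_attachment(
                    info.filename, zf.read(info), top_rules, archive_rules,
                    max_depth, depth + 1, path + "/"))
    return results


def scan(name, data, max_depth):
    """Return (all results, list of (path, reason) that were denied)."""
    results = check_attachment(name, data, parse_rules(TOP_LEVEL_RULES),
                               parse_rules(ARCHIVE_RULES), max_depth)
    rejected = [(p, reason) for p, ok, reason in results if not ok]
    return results, rejected


def build_sample_zip():
    """Constructed sample, not a real capture: outer.zip holds tool.exe,
    notes.txt and inner.zip, and inner.zip holds bad.pif."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("bad.pif", b"not really a PIF")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("tool.exe", b"MZ not really an executable")
        zf.writestr("notes.txt", b"hello")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for depth in (2, 1, 0):
        _, rejected = scan("outer.zip", build_sample_zip(), depth)
        print(f"Maximum Archive Depth = {depth}: rejected {rejected}")
    print("plain setup.exe:", scan("setup.exe", b"MZ", 2)[1])
```

With depth 2 the nested bad.pif is caught while tool.exe inside the zip is allowed and a plain setup.exe is still refused; with depth 1 the inner zip is never opened, and with depth 0 nothing inside the archive is examined at all, which is exactly the trade-off the thread complains about.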