Denying attachments

Glenn Steen glenn.steen at GMAIL.COM
Wed Dec 14 14:19:21 GMT 2005



On 14/12/05, Bahadir Kiziltan <b_kiziltan at hotmail.com> wrote:
> No, they're changed somehow before arriving to my MS.

As one could suspect. This means that the files are actually harmless
text files. Kind of pointless, to boot, but there it is... You're
"suffering" for someone else's dumbness :-).

> "Silent Viruses" directive has already been set as you suggested.

Since they're not viruses, this doesn't come into play.

> Can MS replace the infected files with the text content?

As said. Not really viruses;).

What you can do is either use postfix (via a body check, consult the
anti-UCE stuff at http://www.postfix.org) to drop the mails entirely,
or ... why not let SA handle them: set a huge spamscore on a rule
guaranteed to match them?

> >From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> >Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Denying attachments
> >Date: Tue, 13 Dec 2005 17:24:50 +0000
> >
> >Is it your MailScanner replacing the viruses with the text files, or
> >someone else's earlier in the mail path?
> >If it's your one doing it, then you probably just want to make sure you
> >have
> >Silent Viruses = All-Viruses
> >so that virus-infected messages are just quietly dropped.
> >
> >Bahadir Kiziltan wrote:
> >
> >>Hi,
> >>
> >>Using MailScanner version 4.47.4 with postfix, bitdefender, clamav and
> >>spam enabled on Fedora Core 4 box. Also monitoring and reporting via
> >>MailWatch. The results are incredible, at least for us.
> >>
> >>I have a minor issue in denying files attached to mail messages. All the
> >>files mentioned have zip extension sized below 1KB but actually they're
> >>text files with the following more or less the similar content.
> >>
> >>------
> >>Your attachment "mailtext.zip" contained viruses:
> >>         "W32.Sober.X at mm!zip",
> >>         and "W32.Sober.X at mm" at location "File-packed_dataInfo.exe
> >>It was deleted and replaced with this text file.
> >>------
> >>
> >>------
> >>Your attachment "downloadm.zip" contained viruses:
> >>         "W32.Sober.X at mm!zip",
> >>         and "W32.Sober.X at mm" at location "File-packed_dataInfo.exe
> >>It was deleted and replaced with this text file.
> >>------
> >>
> >>According to the maillog, such attachment comes to the MTA as is. Sure,
> >>not modified by MailScanner.
> >>
> >>Set the directive "Minimum Attachment Size" to 1024, they are all denied
> >>successfully but also with the "delivered and read" confirmation messages.
> >>
> >>What do you recommend in order to deny such file(s) more effectively?
> >>
> >>Thanks.
> >>Bahadir.
> >>
> >>------------------------ MailScanner list ------------------------
> >>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >>'leave mailscanner' in the body of the email.
> >>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> >>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>
> >>Support MailScanner development - buy the book off the website!
> >
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >Buy the MailScanner book at www.MailScanner.info/store
> >Professional Support Services at www.MailScanner.biz
> >MailScanner thanks transtec Computers for their support
> >
> >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
> >


--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
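
Added example, not part of the original post or of MailScanner: one way to recognise the attachments described in this thread, i.e. parts named `*.zip` that are under 1 KB, lack the ZIP magic bytes, and contain the replacement notice. The function names, addresses and sample payloads are constructed for illustration; the sample also shows that the notice text is absent from the raw bytes when the part is base64-encoded, which matters for any filter that matches undecoded lines.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, empty archive
SIZE_LIMIT = 1024  # the notices in the thread were all below 1 KB
NOTICE_RE = re.compile(
    rb"contained viruses:.*?It was deleted and replaced with this text file",
    re.S)

# Constructed sample payloads: notice text as quoted in the thread, and a
# minimal valid (empty) ZIP archive for comparison.
NOTICE = (b'Your attachment "mailtext.zip" contained viruses:\n'
          b'         "W32.Sober.X at mm!zip",\n'
          b'It was deleted and replaced with this text file.\n')
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed test message carrying one base64 attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.net"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="zip",
                     filename=filename)
    return m.as_bytes()


def fake_zip_notices(raw: bytes) -> list:
    """Return names of *.zip attachments that are really scanner notices."""
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # undoes base64/QP
        if not name.lower().endswith(".zip") or data.startswith(ZIP_MAGICS):
            continue  # not named .zip, or a genuine archive
        if len(data) < SIZE_LIMIT and NOTICE_RE.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    raw = build_sample("mailtext.zip", NOTICE)
    print(fake_zip_notices(raw))              # decoded parts: notice found
    print(NOTICE_RE.search(raw) is not None)  # raw bytes: notice not visible
```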
