Scanning of fragmented messages

Jim Holland mailscanner at MANGO.ZW
Sat Jul 16 17:25:42 IST 2005


Hi Julian

I am currently using MailScanner 4.40.11-1.

I have always set "Allow Partial Messages = no" in MailScanner.conf due to
the obvious potential vulnerability if a virus is split between partial
messages.  However I had not realised that this option results in the
message parts being silently quarantined with no notice to recipient.  I
don't think that is the most desirable response as the vast majority of
fragmented messages are generated by people using Microsoft software that
is wrongly configured to split messages - often with some silly value such
as 60 KB.

I had naively thought that the following entry in 
still_deliver_silent_viruses.rules would overcome this problem:

Virus:          /Fragmented.messages/                   yes

but of course it does not do what I assumed it would - deliver the message
with just a warning that the contents have been archived.

Could I request the following update where partial messages are set to be
blocked: When a message is found that is of type "message/partial" then
the contents are replaced with a warning to state that the message body
has been deleted as it is fragmented, and listing the usual quarantine
location in case the user really wants the bits.  This caters for all
those people who insist on splitting their messages by unthinkingly
ticking the split message option in their MUA.  Even better would be
checking for the "number=" line in the header, eg:

Content-Type: message/partial;
        total=150;
        id="01C583F8.7ED65170 at your-9dl6yfn7yi";
        number=2

and if the number is not 1 then ignore it as before.  That saves the 
recipient from receiving 150 notices when someone finds that the message 
size limit on our mail server is 1.5 MB so decides to split their 10 MB 
message into a couple of hundred bits.

Any alternative suggestions would also be most appreciated.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



More information about the MailScanner mailing list