Scanning of fragmented messages

Jim Holland mailscanner at MANGO.ZW
Sat Jul 16 17:34:44 IST 2005


Hi again Julian

My apologies.  I seem to have made only a selective check of the logs.  It 
seems that the most recent fragmented message was quarantined and not 
delivered, but earlier examples were quarantined and the empty message 
delivered with the warning message, exactly as requested below.

I have looked more closely at the logs and found that the fragmented
message had been found in an RBL and that was the reason it was not
delivered.

Sorry to waste your time.

Regards

Jim Holland

On Sat, 16 Jul 2005, Jim Holland wrote:

> Date: Sat, 16 Jul 2005 18:25:42 +0200 (CAT)
> From: Jim Holland <mailscanner at mango.zw>
> To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> Subject: Scanning of fragmented messages
> 
> Hi Julian
> 
> I am currently using MailScanner 4.40.11-1.
> 
> I have always set "Allow Partial Messages = no" in MailScanner.conf due to
> the obvious potential vulnerability if a virus is split between partial
> messages.  However I had not realised that this option results in the
> message parts being silently quarantined with no notice to recipient.  I
> don't think that is the most desirable response as the vast majority of
> fragmented messages are generated by people using Microsoft software that
> is wrongly configured to split messages - often with some silly value such
> as 60 KB.
> 
> I had naively thought that the following entry in 
> still_deliver_silent_viruses.rules would overcome this problem:
> 
> Virus:          /Fragmented.messages/                   yes
> 
> but of course it does not do what I assumed it would - deliver the message
> with just a warning that the contents have been archived.
> 
> Could I request the following update where partial messages are set to be
> blocked: When a message is found that is of type "message/partial" then
> the contents are replaced with a warning to state that the message body
> has been deleted as it is fragmented, and listing the usual quarantine
> location in case the user really wants the bits.  This caters for all
> those people who insist on splitting their messages by unthinkingly
> ticking the split message option in their MUA.  Even better would be
> checking for the "number=" line in the header, eg:
> 
> Content-Type: message/partial;
>         total=150;
>         id="01C583F8.7ED65170 at your-9dl6yfn7yi";
>         number=2
> 
> and if the number is not 1 then ignore it as before.  That saves the 
> recipient from receiving 150 notices when someone finds that the message 
> size limit on our mail server is 1.5 MB so decides to split their 10 MB 
> message into a couple of hundred bits.
> 
> Any alternative suggestions would also be most appreciated.
> 
> Regards
> 
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
> 
> 
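The handling requested in the quoted message, sketched as an added example that is not part of the original post and is not MailScanner's own code: every `message/partial` fragment is quarantined, but the recipient is warned only for fragment number 1. The function name, the action names and the sample headers are assumptions constructed for illustration.

```python
from email import message_from_string


def _to_int(value):
    # Missing, non-numeric or RFC 2231 tuple values all become None.
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def partial_policy(raw_message):
    """Return (action, info) for one raw message (hypothetical helper).

    action: "deliver", "quarantine_and_notify" or "quarantine_silently".
    """
    msg = message_from_string(raw_message)
    # get_content_type() lowercases the type and copes with folded headers.
    if msg.get_content_type() != "message/partial":
        return "deliver", None
    info = {
        "id": msg.get_param("id"),            # surrounding quotes are removed
        "number": _to_int(msg.get_param("number")),
        "total": _to_int(msg.get_param("total")),
    }
    # Fragments are never delivered, so a payload split across parts cannot
    # be reassembled by the MUA. Only fragment 1 triggers a warning, so a
    # message split into 150 parts produces one notice, not 150.
    # A missing or malformed number counts as "not 1" and stays silent.
    if info["number"] == 1:
        return "quarantine_and_notify", info
    return "quarantine_silently", info


def sample_fragment(number):
    # Constructed sample, modelled on the header layout quoted in the message.
    return (
        "From: sender@example.invalid\n"
        "Subject: large attachment\n"
        "Content-Type: message/partial;\n"
        "\ttotal=150;\n"
        '\tid="frag-0001@example.invalid";\n'
        f"\tnumber={number}\n"
        "\n"
        "fragment body\n"
    )
```

If fragment 1 itself never arrives, this policy sends no warning at all, so the quarantine log remains the only record of the other parts.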
