Checking Suspected E-Mails

Kaplan, Andrew H. AHKAPLAN at PARTNERS.ORG
Mon Jun 19 18:21:04 IST 2006


Hi there --

I sent a request to the user receiving the resumes to have the sender resubmit
them in plain text format. That should, hopefully, take care of the issue.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Matt Kettler
Sent: Monday, June 19, 2006 1:11 PM
To: MailScanner discussion
Subject: Re: Checking Suspected E-Mails

Kaplan, Andrew H. wrote:
> Hi there -
>
> One of the users of our server received several e-mails indicating that a
> "Bad Filename was Detected". The e-mails in question were resumes that
> were sent to him from a recruiting company. The user has asked if there
> is a way to determine if the e-mails are truly suspect.

Odds are, they're not.

By default filename.rules.conf will flag damn near anything with what it thinks
is a double extension. Unfortunately a large number of folks use dots instead of
spaces or underscores so we get things like:

Resume.Lastname.bob.doc

and that gets flagged.

Since our company is a three-letter acronym we also get a lot of things like:
(whatever).quote.evi.doc

which also gets flagged.

And a lot of "converted" files get flagged:

sales_data.xls.doc


>
> What would be the best way to determine this? Thanks.

Take a look at the filename and try to figure out which filename rule it matched
out of filename.rules.conf.


For what it's worth, I use a much more liberal set of rules to replace the stock
double-extension rules out of filename.rules.conf. I've attached these for
anyone who might like to use them...

However, beware, my rules are more liberal, and you're increasing the chances of
a new unknown virus getting by your system.

Most of this should be common-sense and innocuous, but I suggest reading them
carefully and understanding what they do before merging into your config.
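The "figure out which rule it matched" step above can be scripted. The following is an added example, not code from the thread or from the MailScanner project: it reads rules in the tab-separated layout of filename.rules.conf (action, regex, log text, user text), applies them in order with first match winning, and reports the rule that fired for the filenames discussed in this thread. The rule set below is constructed for the example; only its second line approximates the stock double-extension rule, and case-insensitive matching is assumed to mirror MailScanner's behaviour.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: "re.Pattern[str]"
    log_text: str        # what would be written to the MailScanner log
    user_text: str       # what the recipient's warning would say

def parse_rules(text: str) -> List[Rule]:
    """Parse filename.rules.conf-style lines: action<TAB>regex<TAB>log text<TAB>user text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"\t+", line, maxsplit=3)]
        if len(fields) != 4:
            raise ValueError(f"malformed rule line: {line!r}")
        action, regex, log_text, user_text = fields
        # Assumption: filename rules are matched case-insensitively, as MailScanner does.
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE), log_text, user_text))
    return rules

def first_match(name: str, rules: List[Rule]) -> Optional[Rule]:
    """First matching rule wins, so an 'allow' placed above a 'deny' acts as a whitelist."""
    for rule in rules:
        if rule.pattern.search(name):
            return rule
    return None

def verdict(name: str, rules: List[Rule]) -> Tuple[str, str]:
    """(action, log text) for an attachment name; no match falls through to allow."""
    rule = first_match(name, rules)
    return (rule.action, rule.log_text) if rule else ("allow", "no rule matched")

# Constructed sample rules in the file's tab-separated layout. The second entry approximates
# the stock double-extension rule; the others are made up for this example.
SAMPLE_RULES = "\n".join("\t".join(r) for r in [
    ("allow", r"\.xls\.doc$", "Converted spreadsheet", "-"),
    ("deny",  r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding",
              "Attempt to hide real filename extension"),
    ("deny",  r"\.(exe|scr|pif|bat|com)$", "Executable attachment", "No programs allowed"),
    ("allow", r".*", "Default allow", "-"),
])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ["Resume.Lastname.bob.doc", "(whatever).quote.evi.doc",
                 "sales_data.xls.doc", "my.resume.doc", "invoice.pdf.exe"]:
        action, why = verdict(name, rules)
        print(f"{name:28s} -> {action:5s} ({why})")
```

Note that the double-extension rule only catches a 3-4 character pseudo-extension, so "my.resume.doc" passes while "Resume.Lastname.bob.doc" is flagged, and that an allow rule for converted ".xls.doc" files only works because it sits above the deny.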
