Don't understand this match
strydom.dave at gmail.com
Thu Mar 2 13:42:29 GMT 2006
I gave up on this rule in my mailscanner, because I have clients
sending emails that contain like whatever.xls.zip which are legit
files. Since we do about 80 000 emails a day across 3 scanning
servers, it's annoying to backtrack and release legit files that get
caught by this rule, so I eventually removed the rule and just put
some trust in the virus scanning.
In fact I edited a whole bunch of stuff in the filename.rules.conf and
filetype.rules.conf because some of the defaults are just not suitable
in the shared hosting environment.
On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
> > Julian Field wrote:
> >> It sanitises the filenames before logging them or outputting them
> >> in any way.
> >> One way it does this is by shortening them, except for the last
> >> filename extension.
> >> So you won't always see the full original filename. This is to
> >> stop exploits based on the reporting of filenames (imagine if you
> >> made up a filename that contained MIME boundaries, newline
> >> characters and a complete MIME attachment). It never ever outputs
> >> raw data based on the input data without sanitising it in some form.
> >> This is a fundamental anti-attack method I use.
> > OK, I understand the reasoning behind that. The problem is then I
> > guess that it obscures the reason the file was blocked in the first
> > place. Not that I'm complaining :) Just wondering if there might be
> > some way to reconcile the two issues.
> Not that I have found.
> > (For now, I may just make the reject reason more explicit).
> That's my preferred solution.
> --
> Julian Field
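A sketch of the sanitising approach described in the quoted reply, paired with the "more explicit reject reason" fix, as an added Python example. It is not MailScanner's code; the length limits, the character allow-list, the function names and the sample filenames are all assumptions made for illustration.

```python
import re

MAX_STEM = 20  # assumed limit; the thread does not give MailScanner's value
MAX_EXT = 10   # assumed cap on the last extension
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")  # allow-list: everything else becomes "_"


def sanitise_filename(raw: str) -> str:
    """Return a form of an attachment name that is safe to log or report.

    Control characters (CR, LF, ...) and anything outside the allow-list are
    replaced, the stem is shortened, and only the last extension is kept whole.
    """
    stem, dot, ext = raw.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = raw, ""
    stem = _UNSAFE.sub("_", stem)
    ext = _UNSAFE.sub("_", ext)[:MAX_EXT]
    if len(stem) > MAX_STEM:
        stem = stem[:MAX_STEM] + "..."
    return f"{stem}.{ext}" if dot else stem


def report_line(raw_name: str, rule_reason: str) -> str:
    """Build a one-line report entry.

    rule_reason comes from the operator's own rule file (trusted text), so it
    can state exactly what matched even when the shortened name hides it.
    """
    return f"Blocked attachment {sanitise_filename(raw_name)}: {rule_reason}"


if __name__ == "__main__":
    # Constructed samples, not taken from real mail.
    hostile = ("invoice.pdf\r\n--boundary42\r\n"
               "Content-Type: application/x-msdownload\r\n\r\nMZ.exe")
    long_double = "quarterly_financial_results_2006.xls.zip"
    print(report_line(hostile, "executable extension"))
    # The shortened name no longer shows ".xls", so the reason has to say it.
    print(report_line(long_double, "double extension (.xls.zip)"))
    print(report_line("whatever.xls.zip", "double extension (.xls.zip)"))
```

The second sample shows the trade-off raised in the thread: once the stem is shortened the inner `.xls` disappears from the report, so the rule's reason text is the only place the reader can see why the file was blocked.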