Don't understand this match

Dave Strydom strydom.dave at gmail.com
Thu Mar 2 13:42:29 GMT 2006


I gave up on this rule in my mailscanner, because I have clients
sending emails that contain like whatever.xls.zip which are legit
files, since we do about 80 000 emails a day across 3 scanning
servers, it's annoying to backtrack and release legit files that get
caught by this rule, so I eventually removed the rule and just put
some trust in the virus scanning.

In fact I edited a whole bunch of stuff in the filename.rules.conf and
filetype.rules.conf because some of the defaults are just not suitable
in the shared hosting environment.

Dave

On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
>
> > Julian Field wrote:
> >
> >>
> >> It sanitises the filenames before logging them or outputting them
> >> in any way.
> >> One way it does this is by shortening them, except for the last
> >> filename extension.
> >> So you won't always see the full original filename. This is to
> >> stop exploits based on the reporting of filenames (imagine if you
> >> made up a filename that contained MIME boundaries, newline
> >> characters and a complete MIME attachment). It never ever outputs
> >> raw data based on the input data without sanitising it in some form.
> >>
> >> This is a fundamental anti-attack method I use.
> >>
> > OK, I understand the reasoning behind that. The problem is then I
> > guess that it obscures the reason the file was blocked in the first
> > place. Not that I'm complaining :) Just wondering if there might be
> > some way to reconcile the two issues.
>
> Not that I have found.
>
> > (For now, I may just make the reject reason more explicit).
>
> That's my preferred solution.
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

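The filename sanitising discussed in the quoted message, and the "more explicit reject reason" workaround, as an added example. This is not MailScanner's code: the allowlist, the length limits and the function names are assumptions made for illustration, and the sample filenames are constructed.

```python
import re

MAX_STEM = 20   # assumed limit; the thread does not give MailScanner's value
MAX_EXT = 10    # assumed cap on the length of the kept extension

# Anything outside this small allowlist (CR, LF, quotes, spaces, ...) is replaced.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitise_filename(raw: str) -> str:
    """Return a form of a sender-supplied filename that is safe to log or report."""
    clean = _UNSAFE.sub("_", raw)
    stem, dot, ext = clean.rpartition(".")
    if not dot:                       # no extension at all
        return clean[:MAX_STEM]
    # Shorten the name but keep the last extension, as the thread describes.
    return stem[:MAX_STEM] + "." + ext[:MAX_EXT]


def report_line(raw: str, reason: str) -> str:
    """Build one report line.

    `reason` is text written by the operator in the rule, never taken from the
    message, so it can say what the shortened filename no longer shows.
    """
    return f"blocked attachment {sanitise_filename(raw)}: {reason}"


# Constructed sample: a filename carrying newlines and a fake MIME part.
HOSTILE = ("invoice.pdf\r\n--boundary42\r\n"
           "Content-Type: text/html\r\n\r\n<b>x</b>.exe")
# Constructed sample: a long name whose inner extension is lost by shortening.
LONG = "quarterly-results-final-version.xls.zip"

if __name__ == "__main__":
    print(report_line(HOSTILE, "executable extension"))
    print(report_line(LONG, "double extension (.xls.zip) matched filename rule"))
```

The second sample shows the trade-off raised in the thread: the logged name no longer contains ".xls", so only the explicit reason text tells the reader why the file was blocked.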
