Don't understand this match

Alex Neuman van der Hans alex at nkpanama.com
Thu Mar 2 13:51:18 GMT 2006


You could keep the rule and set "allowed filenames", or you could add 
"allow .xls ... blabla" before the double extension matching rules.

Dave Strydom wrote:
> I gave up on this rule in my mailscanner, because I have clients
> sending emails that contain like whatever.xls.zip which are legit
> files, since we do about 80 000 emails a day across 3 scanning
> servers, it's annoying to backtrack and release legit files that get
> caught by this rule, so I eventually removed the rule and just put
> some trust in the virus scanning.
>
> In fact I edited a whole bunch of stuff in the filename.rules.conf and
> filetype.rules.conf because some of the defaults are just not suitable
> in the shared hosting environment.
>
> Dave
>
> On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>   
>>
>> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
>>
>>     
>>> Julian Field wrote:
>>>
>>>       
>>>> It sanitises the filenames before logging them or outputting them
>>>> in any way.
>>>> One way it does this is by shortening them, except for the last
>>>> filename extension.
>>>> So you won't always see the full original filename. This is to
>>>> stop exploits based on the reporting of filenames (imagine if you
>>>> made up a filename that contained MIME boundaries, newline
>>>> characters and a complete MIME attachment). It never ever outputs
>>>> raw data based on the input data without sanitising it in some form.
>>>>
>>>> This is a fundamental anti-attack method I use.
>>>>
>>>>         
>>> OK, I understand the reasoning behind that. The problem is then I
>>> guess that it obscures the reason the file was blocked in the first
>>> place. Not that I'm complaining :) Just wondering if there might be
>>> some way to reconcile the two issues.
>>>       
>> Not that I have found.
>>
>>     
>>> (For now, I may just make the reject reason more explicit).
>>>       
>> That's my preferred solution.
>> - --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
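
The trade-off in the quoted exchange (sanitised, shortened filenames versus knowing why a file was blocked), as an added example that is not part of the original thread and is not MailScanner's own code. The length limits, the character allow-list and the double-extension pattern are assumptions made for illustration.

```python
import re
from typing import Optional

# Assumed limits and allow-list for illustration; not MailScanner's values.
MAX_STEM, MAX_EXT = 20, 10
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")
# Constructed stand-in for a double-extension rule (e.g. name.xls.zip).
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.I)


def sanitise_for_report(raw: str) -> str:
    """Make a sender-supplied filename safe to log or place in a report."""
    # Replace CR/LF, spaces, markup and anything else outside the allow-list.
    clean = UNSAFE.sub("_", raw)
    # Shorten everything except the last extension, which is kept visible.
    stem, dot, ext = clean.rpartition(".")
    if not dot:
        return clean[:MAX_STEM]
    return stem[:MAX_STEM] + "." + ext[:MAX_EXT]


def report_line(raw: str) -> Optional[str]:
    """Decide on the raw name, but output only the sanitised name.

    The explicit reason text comes from the rule, not from the input, so it
    survives the shortening that may hide the inner extension.
    """
    if not DOUBLE_EXT.search(raw):
        return None
    return f"blocked {sanitise_for_report(raw)}: double extension in original filename"


# Constructed sample filenames.
SAMPLES = [
    "whatever.xls.zip",
    "quarterly_sales_report_2006.xls.zip",
    "invoice.pdf\r\nContent-Type: text/html\r\n\r\n<b>x</b>.doc.exe",
    "report.pdf",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), "->", report_line(name))
```

The second and third samples come out with the inner extension cut away, which is why the reason text has to carry the explanation.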
