Don't understand this match
Alex Neuman van der Hans
alex at nkpanama.com
Thu Mar 2 13:51:18 GMT 2006
You could keep the rule and set "allowed filenames", or you could add
"allow .xls ... blabla" before the double extension matching rules.
Dave Strydom wrote:
> I gave up on this rule in my mailscanner, because I have clients
> sending emails that contain like whatever.xls.zip which are legit
> files, since we do about 80 000 emails a day across 3 scanning
> servers, it's annoying to backtrack and release legit files that get
> caught by this rule, so I eventually removed the rule and just put
> some trust in the virus scanning.
> In fact I edited a whole bunch of stuff in the filename.rules.conf and
> filetype.rules.conf because some of the defaults are just not suitable
> in the shared hosting environment.
> On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
>>> Julian Field wrote:
>>>> It sanitises the filenames before logging them or outputting them
>>>> in any way.
>>>> One way it does this is by shortening them, except for the last
>>>> filename extension.
>>>> So you won't always see the full original filename. This is to
>>>> stop exploits based on the reporting of filenames (imagine if you
>>>> made up a filename that contained MIME boundaries, newline
>>>> characters and a complete MIME attachment). It never ever outputs
>>>> raw data based on the input data without sanitising it in some form.
>>>> This is a fundamental anti-attack method I use.
>>> OK, I understand the reasoning behind that. The problem is then I
>>> guess that it obscures the reason the file was blocked in the first
>>> place. Not that I'm complaining :) Just wondering if there might be
>>> some way to reconcile the two issues.
>> Not that I have found.
>>> (For now, I may just make the reject reason more explicit).
>> That's my preferred solution.
>> - --
>> Julian Field
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
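
The sanitising behaviour Julian Field describes in the quoted message, and the trade-off Richard Thomas raises, sketched as an added example. This is not MailScanner's own code (MailScanner is written in Perl); the function names, length limits and sample filenames are assumptions constructed for illustration.

```python
import re

# Assumed limits for this sketch; the thread does not give MailScanner's values.
MAX_STEM = 20
MAX_EXT = 10
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitise_for_report(filename: str) -> str:
    """Return a form of an untrusted attachment filename that is safe to log
    or embed in a notification: no control characters, bounded length, and
    the last extension preserved."""
    # Replace everything outside a conservative allow-list. This removes
    # CR/LF, colons, slashes and spaces, so the name cannot start a new
    # header, log line or MIME part in the report.
    cleaned = UNSAFE.sub("_", filename)
    stem, dot, ext = cleaned.rpartition(".")
    if not dot or not stem:
        # No extension, or only a leading dot: just bound the length.
        return cleaned[:MAX_STEM] or "_"
    if len(stem) > MAX_STEM:
        stem = stem[:MAX_STEM] + "~"  # marker showing the name was shortened
    return f"{stem}.{ext[:MAX_EXT]}"


def report_line(filename: str, reason: str) -> str:
    """Build one report line. `reason` is a fixed string chosen by the rule
    that fired, never copied from the message, so it can state why the file
    was blocked even when shortening hides the matching part of the name."""
    return f"blocked attachment {sanitise_for_report(filename)}: {reason}"


# Constructed sample inputs.
HOSTILE = ("invoice.pdf\r\n--boundary42\r\n"
           "Content-Type: application/x-msdownload\r\n\r\nMZ.exe")
LONG_DOUBLE = "quarterly-sales-figures-2006.xls.zip"

if __name__ == "__main__":
    print(report_line(HOSTILE, "matched executable-extension rule"))
    print(report_line(LONG_DOUBLE, "matched double-extension rule"))
```

For the second sample the shortened name no longer shows `.xls`, which is the obscured block reason discussed above; the explicit reason string is what carries it.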