Don't understand this match

Julian Field MailScanner at ecs.soton.ac.uk
Thu Mar 2 14:17:57 GMT 2006


The default settings I provide are just what I consider to be a  
pretty good set that should be mostly okay, for most people, most of  
the time. Obviously if they aren't right for you, then just change  
them, that's why it is all configurable :-)

When I first wrote the filename.rules.conf file, I put in the double
file extension trap as an example of what could be done, beyond just
matching simple extension names. I didn't realise how important it
became for most sites.

On 2 Mar 2006, at 13:42, Dave Strydom wrote:

> I gave up on this rule in my mailscanner, because I have clients
> sending emails that contain like whatever.xls.zip which are legit
> files, since we do about 80 000 emails a day across 3 scanning
> servers, it's annoying to backtrack and release legit files that get
> caught by this rule, so I eventually removed the rule and just put
> some trust in the virus scanning.
>
> In fact I edited a whole bunch of stuff in the filename.rules.conf and
> filetype.rules.conf because some of the defaults are just not suitable
> in the shared hosting environment.
>
> Dave
>
> On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>
>> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
>>
>>> Julian Field wrote:
>>>
>>>>
>>>> It sanitises the filenames before logging them or outputting them
>>>> in any way.
>>>> One way it does this is by shortening them, except for the last
>>>> filename extension.
>>>> So you won't always see the full original filename. This is to
>>>> stop exploits based on the reporting of filenames (imagine if you
>>>> made up a filename that contained MIME boundaries, newline
>>>> characters and a complete MIME attachment). It never ever outputs
>>>> raw data based on the input data without sanitising it in some  
>>>> form.
>>>>
>>>> This is a fundamental anti-attack method I use.
>>>>
>>> OK, I understand the reasoning behind that. The problem is then I
>>> guess that it obscures the reason the file was blocked in the first
>>> place. Not that I'm complaining :) Just wondering if there might be
>>> some way to reconcile the two issues.
>>
>> Not that I have found.
>>
>>> (For now, I may just make the reject reason more explicit).
>>
>> That's my preferred solution.
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
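
The two ideas in this thread, sanitising a filename before it is logged or reported and making the reject reason explicit, sketched in Python as an added example. It is not MailScanner's code: the function names, the 20-character limit, the `~` truncation marker and the double-extension pattern are all assumptions.

```python
import re

MAX_STEM = 20  # assumed display limit, not a MailScanner setting

# Assumed pattern for illustration (the rule shipped in filename.rules.conf
# may differ): two short extensions in a row at the end of the name.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.I)
REASON = "double file extension (possible filename hiding)"


def sanitise_for_report(name, max_stem=MAX_STEM):
    """Return a form of an attachment name that is safe to log or report."""
    # Whitelist characters: CR, LF and every other control or markup
    # character becomes "_", so the name cannot forge headers or MIME parts.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    stem, dot, ext = safe.rpartition(".")
    if not dot:  # no extension at all
        return safe[:max_stem]
    # Shorten the stem, but always keep the last extension visible.
    if len(stem) > max_stem:
        stem = stem[:max_stem] + "~"
    return stem + "." + ext[:10]


def check_attachment(name):
    """Match on the raw name; report the sanitised name plus an explicit reason."""
    shown = sanitise_for_report(name)
    if DOUBLE_EXT.search(name):
        return ("deny", shown, REASON)
    return ("allow", shown, "")


if __name__ == "__main__":
    # Constructed sample names; the last one carries CRLF and MIME-like text.
    samples = [
        "whatever.xls.zip",
        "quarterly_financial_report_2006_final.doc.exe",
        "report.pdf",
        "invoice.pdf\r\n--boundary\r\nContent-Type: text/html\r\n\r\n<b>x</b>.txt",
    ]
    for sample in samples:
        print(check_attachment(sample))
```

For the second sample the reported name keeps only `.exe`, so the `.doc` that triggered the match is no longer visible; the explicit reason string is what tells the recipient why the file was blocked.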


