Don't understand this match

Dave Strydom strydom.dave at gmail.com
Thu Mar 2 15:23:41 GMT 2006


Don't get me wrong, I'm not complaining about it at all :)

On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> The default settings I provide are just what I consider to be a
> pretty good set that should be mostly okay, for most people, most of
> the time. Obviously if they aren't right for you, then just change
> them, that's why it is all configurable :-)
>
> When I first wrote the filename.rules.conf file, I put in the double
> file extension trap as an example of what could be done, beyond just
> matching simple extension names. I didn't realise how important it
> became for most sites.
>
> On 2 Mar 2006, at 13:42, Dave Strydom wrote:
>
> > I gave up on this rule in my mailscanner, because I have clients
> > sending emails that contain like whatever.xls.zip which are legit
> > files, since we do about 80 000 emails a day across 3 scanning
> > servers, it's annoying to backtrack and release legit files that get
> > caught by this rule, so I eventually removed the rule and just put
> > some trust in the virus scanning.
> >
> > In fact I edited a whole bunch of stuff in the filename.rules.conf and
> > filetype.rules.conf because some of the defaults are just not suitable
> > in the shared hosting environment.
> >
> > Dave
> >
> > On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> >>
> >> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
> >>
> >>> Julian Field wrote:
> >>>
> >>>>
> >>>> It sanitises the filenames before logging them or outputting them
> >>>> in any way.
> >>>> One way it does this is by shortening them, except for the last
> >>>> filename extension.
> >>>> So you won't always see the full original filename. This is to
> >>>> stop exploits based on the reporting of filenames (imagine if you
> >>>> made up a filename that contained MIME boundaries, newline
> >>>> characters and a complete MIME attachment). It never ever outputs
> >>>> raw data based on the input data without sanitising it in some
> >>>> form.
> >>>>
> >>>> This is a fundamental anti-attack method I use.
> >>>>
> >>> OK, I understand the reasoning behind that. The problem is then I
> >>> guess that it obscures the reason the file was blocked in the first
> >>> place. Not that I'm complaining :) Just wondering if there might be
> >>> some way to reconcile the two issues.
> >>
> >> Not that I have found.
> >>
> >>> (For now, I may just make the reject reason more explicit).
> >>
> >> That's my preferred solution.
> >> - --
> >> Julian Field
> >> www.MailScanner.info
> >> Buy the MailScanner book at www.MailScanner.info/store
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
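
The two points discussed in this thread, sanitising filenames before they are logged and making the reject reason explicit, sketched in Python as an added example. This is not MailScanner's code: the rule patterns, the 20-character limit and the function names are assumptions made for illustration.

```python
import re

MAX_STEM = 20  # assumed limit; the thread does not give MailScanner's value

def sanitise_for_report(raw, max_stem=MAX_STEM):
    """Return a form of an untrusted attachment name that is safe to log."""
    # Allow-list: CR, LF, spaces, colons, slashes etc. all become "_",
    # so the name cannot carry a MIME boundary or a forged log line.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", raw)
    stem, dot, ext = name.rpartition(".")
    if not dot:                       # no extension at all
        return name[:max_stem] or "_"
    if len(stem) > max_stem:          # shorten, but keep the last extension
        stem = stem[:max_stem] + "~"
    return f"{stem}.{ext[:10]}"

# Constructed rules, first match wins; not the shipped filename.rules.conf.
RULES = [
    ("allow", re.compile(r"\.[a-z0-9]{2,4}\.(zip|gz)$", re.I),
     "compressed document"),
    ("deny", re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.I),
     "double file extension (possible filename hiding)"),
]

def check(raw):
    """Match rules on the raw name; emit only the sanitised name plus reason."""
    for action, pattern, reason in RULES:
        if pattern.search(raw):
            return action, f"{action}: {sanitise_for_report(raw)} - {reason}"
    return "allow", f"allow: {sanitise_for_report(raw)} - no rule matched"

if __name__ == "__main__":
    samples = [  # constructed sample names
        "whatever.xls.zip",
        "holiday_photos_from_the_summer.jpg.exe",
        "invoice\r\n--BOUNDARY\r\nContent-Type: text/html\r\n.pdf.exe",
    ]
    for s in samples:
        print(check(s)[1])
```

In the second sample the shortened name no longer shows the inner `.jpg`, so the explicit reason text is the only thing in the report that explains the block.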

