Don't understand this match

Alex Neuman van der Hans alex at nkpanama.com
Thu Mar 2 16:00:10 GMT 2006


Me neither! ;) Especially since everything's SO configurable!

Dave Strydom wrote:
> Don't get me wrong, I'm not complaining about it at all :)
>
> On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>   
>> The default settings I provide are just what I consider to be a
>> pretty good set that should be mostly okay, for most people, most of
>> the time. Obviously if they aren't right for you, then just change
>> them, that's why it is all configurable :-)
>>
>> When I first wrote the filename.rules.conf file, I put in the double
>> file extension trap as an example of what could be done, beyond just
>> matching simple extension names. I didn't realise how important it
>> became for most sites.
>>
>> On 2 Mar 2006, at 13:42, Dave Strydom wrote:
>>
>>     
>>> I gave up on this rule in my mailscanner, because I have clients
>>> sending emails that contain like whatever.xls.zip which are legit
>>> files, since we do about 80 000 emails a day across 3 scanning
>>> servers, it's annoying to backtrack and release legit files that get
>>> caught by this rule, so I eventually removed the rule and just put
>>> some trust in the virus scanning.
>>>
>>> In fact I edited a whole bunch of stuff in the filename.rules.conf and
>>> filetype.rules.conf because some of the defaults are just not suitable
>>> in the shared hosting environment.
>>>
>>> Dave
>>>
>>> On 3/2/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>>       
>>>> On 1 Mar 2006, at 22:33, Richard Thomas wrote:
>>>>
>>>>         
>>>>> Julian Field wrote:
>>>>>
>>>>>           
>>>>>> It sanitises the filenames before logging them or outputting them
>>>>>> in any way.
>>>>>> One way it does this is by shortening them, except for the last
>>>>>> filename extension.
>>>>>> So you won't always see the full original filename. This is to
>>>>>> stop exploits based on the reporting of filenames (imagine if you
>>>>>> made up a filename that contained MIME boundaries, newline
>>>>>> characters and a complete MIME attachment). It never ever outputs
>>>>>> raw data based on the input data without sanitising it in some
>>>>>> form.
>>>>>>
>>>>>> This is a fundamental anti-attack method I use.
>>>>>>
>>>>>>             
>>>>> OK, I understand the reasoning behind that. The problem is then I
>>>>> guess that it obscures the reason the file was blocked in the first
>>>>> place. Not that I'm complaining :) Just wondering if there might be
>>>>> some way to reconcile the two issues.
>>>>>           
>>>> Not that I have found.
>>>>
>>>>         
>>>>> (For now, I may just make the reject reason more explicit).
>>>>>           
>>>> That's my preferred solution.
>>>> --
>>>> Julian Field
>>>> www.MailScanner.info
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>>
>>>>
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>         
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
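
An added example, not part of the thread and not MailScanner's own code: rules are matched against the raw attachment name, only a sanitised and shortened name is reported, and an explicit reject reason is attached so that shortening cannot hide why the file was blocked. The pattern, the 20-character limit and the function names are assumptions made for this example.

```python
import re

# Hypothetical rule, written for this example (not MailScanner's own pattern):
# a short extension directly followed by a second one, e.g. "whatever.xls.zip".
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,3}\s*\.[a-z0-9]{2,4}$", re.I)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
MAX_STEM = 20  # assumed display limit for everything before the last extension


def sanitise_for_report(raw):
    """Make an untrusted attachment name safe to write to a log or notice."""
    # Allow-list: CR/LF, other control bytes, quotes, colons and slashes all
    # become "_", so the name cannot open a new log line, header or MIME part.
    safe = re.sub(r"[^A-Za-z0-9._ -]", "_", raw)
    stem, dot, ext = safe.rpartition(".")
    if not dot:
        return safe[:MAX_STEM]
    if len(stem) > MAX_STEM:
        stem = stem[:MAX_STEM] + "~"   # "~" marks that the stem was shortened
    return stem + "." + ext[:8]


def check_attachment(raw):
    """Match rules on the raw name; report the sanitised name and the reason."""
    if CONTROL.search(raw):
        reason = "control characters in filename"
    elif DOUBLE_EXT.search(raw):
        reason = "double file extension"
    else:
        reason = None
    return {"blocked": reason is not None,
            "name": sanitise_for_report(raw),
            "reason": reason}


# Constructed sample names, not taken from any real message.
SAMPLES = [
    "report.pdf",
    "quarterly_results_for_the_board_2006.xls.zip",
    "invoice.pdf\r\n--boundary42\r\nContent-Type: text/plain\r\n\r\nhello.exe",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_attachment(s))
```

The second sample is reported as `quarterly_results_fo~.zip`, which no longer shows the `.xls`, so the reason string is the only place the operator can see which rule fired.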


