user override of scanning?

Logan Shaw lshaw at emitinc.com
Tue May 23 19:24:01 IST 2006


Hi everyone,

I'm having a bit of a problem with figuring out the best
way to deal with quarantined messages.

I run a mail server for a company that, it just so happens,
really does need to send and receive executables in the mail
pretty regularly.  We are often sending Windows-based software
back and forth with customers.  This means many of the file
types that MailScanner looks for are things that we sometimes
need to send or receive.  For example, .exe files, VB scripts,
and .cab files.

Presently, the way I've been dealing with this is to
comment out the rule that catches a particular file type in
filename.rules.conf whenever a user tells me it blocked a
legitimate attachment of theirs, then have them re-send it.
This works OK, but (a) it means they can't send until they
can contact me (what if I'm on vacation?), and (b) I feel
like eventually I'm going to converge on having commented out
virtually every "deny" rule in filename.rules.conf.

Some possible solutions that I've thought of:

(1)  Set up a rule not to scan any message that originates
      locally.  I've already done this, and it works, but it
      eliminates the protection we'd have if a PC here did
      get a virus.  With this exception in place, an infected
      PC here has nothing blocking it from propagating through
      our server.  And I think that means it can spread from
      one PC to another within our organization.  Plus this
      doesn't address the problem of allowing outsiders to
      send legitimate attachments in.

(2)  Create some kind of user override for scanning so that
      if a user gets a failure message back, they can use a
      secret handshake when they send it again which will tell
      MailScanner to let it through.  Maybe a magic word in
      the body or subject of the mail, or a special header.

(3)  Set up MailScanner so that password-protected zip files
      are left alone.  Then the users can override filtering
      by putting things in a password-protected zip file.
      This is a bit tedious for the users, though maybe not
      too bad.  Plus IIRC some viruses spread data around
      by using just such a loophole.

(4)  A web interface to allow users to pull things out of
      quarantine.  This requires an HTTP server on the mail
      server, which is a negative.  Plus, unless I allow HTTP
      traffic from the outside world, it doesn't solve the end of
      the problem where a customer wants to send something TO us.

So, are there any bright ideas I'm missing?  Or maybe standard
practices in this area?

   - Logan
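An added example, not from the original thread or from MailScanner itself: it evaluates a constructed filename.rules.conf-style rule list with first-match semantics, assuming the tab-separated four-field format (action, regex, log text, user text) and case-insensitive matching, and contrasts a narrow allow placed ahead of the broad deny with commenting the deny out.

```python
import re

# Constructed sample in filename.rules.conf style (tab-separated fields:
# action, Perl-style regex, log text, user report text; "-" means none).
# Illustrates the format only; it is not the list's or MailScanner's file.
SAMPLE_RULES = """\
# narrow allow placed BEFORE the broad deny: first match wins
allow\t^build-[0-9]+\\.cab$\t-\t-
deny\t\\.(exe|com|pif|scr)$\tExecutable\tNo executables allowed
deny\t\\.vbs$\tVisual Basic script\tNo VB scripts allowed
deny\t\\.cab$\tCabinet archive\tNo cabinet files allowed
allow\t.*\t-\t-
"""

def parse_rules(text):
    """Parse rule lines into (action, compiled regex, log text, user text)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\t+", line, maxsplit=3)
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        action, pattern = parts[0].lower(), parts[1]
        logtext = parts[2] if len(parts) > 2 else "-"
        report = parts[3] if len(parts) > 3 else "-"
        # assumption: matching is case-insensitive, as for MailScanner's /i
        rules.append((action, re.compile(pattern, re.IGNORECASE), logtext, report))
    return rules

def check_filename(rules, filename):
    """Return (action, user report text) of the first matching rule."""
    for action, rx, _logtext, report in rules:
        if rx.search(filename):
            return action, report
    # nothing matched: treated as allowed, like the trailing catch-all above
    return "allow", "-"

def without_deny(text, logtext):
    """Drop the deny rule whose log text equals `logtext` (the
    'comment it out' approach from the post) and return the new rules."""
    kept = [ln for ln in text.splitlines()
            if not (ln.startswith("deny\t") and ln.split("\t")[2] == logtext)]
    return parse_rules("\n".join(kept))

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ("build-42.cab", "installer.CAB", "Setup.EXE", "notes.txt"):
        print(name, check_filename(rules, name))
    print("installer.CAB", check_filename(without_deny(SAMPLE_RULES, "Cabinet archive"), "installer.CAB"))
```

With the narrow allow, only names matching `^build-[0-9]+\.cab$` pass while every other .cab is still denied; once the deny line is removed, any .cab is allowed.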