zero byte exe files filling quarantine, help!!

Jeff A. Earickson jaearick at colby.edu
Tue Jan 30 16:14:32 CET 2007


On Tue, 30 Jan 2007, Drew Marshall wrote:

> Date: Tue, 30 Jan 2007 14:47:12 -0000 (UTC)
> From: Drew Marshall <drew at technologytiger.net>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: zero byte exe files filling quarantine, help!!
> 
> On Tue, January 30, 2007 14:28, Jeff A. Earickson wrote:
>> Gang,
>>
>> I'm running beta version 4.58.7, and I've noticed this morning that a
>> ton of stuff is getting dumped into my MailScanner quarantine
>> directory.  Everything that ends up there is a zero-byte exe
>> file like "postcard.exe" or "Greeting Card.exe" (virus?), that
>> generates a quarantine message back to the sender.  These quarantine
>> messages will make MailScanner look **bad**.  Version 4.57.7 does this
>> too.  Running sophos 4.14 and the latest clam.
>>
>> The only quick fix I could think of was to change "Quarantine
>> Infections" from yes to no.  Anybody else seeing this issue??
>
> I found this issue a while ago and Jason Desai was able to provide a fix:
>
> ---- Quote ----
> Sorry for the late reply - still catching up on the list.  I just dealt
> with this recently.  Here's what I did.  I modified languages.conf,
> changing AttachmentTooSmall to be "Attachment is too small (too-small)".
> For completeness, I changed AttachmentTooLarge in the same way.  Then I
> modified MailScanner.conf, and added "too-small" to the list of Silent
> Viruses.  This seems to prevent notifications.  You don't have to use
> "too-small", you could use some other string which has no spaces in
> AttachmentTooSmall and Silent Viruses.
>
> ----Quote Ends -----
>
> The small files then get treated like viruses rather than invalid file
> types so you can then play games with silent viruses and quarantine rule
> sets etc.

Tried this, didn't work, don't know why...  Gleen Steen's mention of
"Notify Senders Of Blocked Filenames Or Filetypes" looks like a good
hack.  I wrote a ruleset to notify internal users, but not external
ones.  Testing this now...

Jeff Earickson
Colby College
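
To gauge how many zero-byte `.exe` attachments like the ones described in this thread are piling up before changing quarantine or notification settings, the following script counts them by file name. It is an added example, not part of the original messages; the function names are hypothetical, and the quarantine directory is passed in as an argument rather than assumed.

```shell
#!/bin/sh
# Added example: summarise zero-byte .exe files under a quarantine tree.
# Function names are hypothetical; the directory to scan is supplied by the caller.

# Print the total number of empty .exe files below directory $1.
zero_byte_exe_count() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    # -size 0 matches only empty files; -iname also catches .EXE / .Exe
    find "$1" -type f -size 0 -iname '*.exe' -print | wc -l | tr -d ' '
}

# Print "count<TAB>filename" lines, most frequent name first.
# Names containing spaces ("Greeting Card.exe") are kept intact;
# names containing newlines are not handled.
zero_byte_exe_summary() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    find "$1" -type f -size 0 -iname '*.exe' -print |
        sed 's|.*/||' |            # strip the leading directories
        sort | uniq -c | sort -rn |
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); printf "%s\t%s\n", c, $0 }'
}

# When run with a directory argument, print both views.
if [ "$#" -gt 0 ]; then
    echo "zero-byte .exe files: $(zero_byte_exe_count "$1")"
    zero_byte_exe_summary "$1"
fi
```

Run it as `sh script.sh /path/to/quarantine`; a sudden spike in one or two names points to a single mail run rather than a scanner fault.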

