more on zero byte exe files

Anthony Peacock a.peacock at chime.ucl.ac.uk
Tue Jan 30 16:28:46 CET 2007


Hi Julian,

Julian Field wrote:
> 
> 
> Glenn Steen wrote:
>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>> > Gang,
>>> >
>>> > Since the file is zero bytes, named exe, and does not trigger
>>> > a sophos/clam virus event, I am having a lot of the following
>>> > messages outgoing:
>>> >
>>> >     From: MailScanner <postmaster at colby.edu>
>>> >     To: upwcc at wwsolutions.demon.co.uk
>>> >     Subject: Warning: E-mail viruses detected
>>> >
>>> >     Our e-mail content detector has just been triggered by a message you sent:
>>> >       To: llivshi at colby.edu
>>> >       Subject: Wine and Roses
>>> >       Date: Tue Jan 30 09:18:57 2007
>>> >
>>> >     One or more of the attachments (Greeting Card.exe) are on
>>> >     the list of unacceptable attachments for this site and will not have
>>> >     been delivered.
>>> >
>>> >     Consider renaming the files to avoid this constraint.
>>> >
>>> >     The virus detector said this about the message:
>>> >     Report: Report: MailScanner: Executable DOS/Windows programs are dangerous
>>> >     in email (Greeting Card.exe)
>>> >
>>> > which will make me (and MailScanner) *real* popular in the real world.
>>> > I don't want to remove the exe check in filename.rules.conf, which is
>>> > the only quick way I can think of to shut up MailScanner.  Help....
>>> >
>>> > Jeff Earickson
>>> > Colby College
>>> Set
>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>> # who sent you messages containing other blocked content, such as
>>> # partial messages or messages with external bodies?
>>> # This can also be the filename of a ruleset.
>>> Notify Senders Of Other Blocked Content = no
>>> temporarily.
>>
>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>> # *If* "Notify Senders" is set to yes, do you want to notify people
>> # who sent you messages containing attachments that are blocked due to
>> # their filename or file contents?
>> # This can also be the filename of a ruleset.
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>> ... and nothing else.
>> But Drew's/Jason's clever trick seems more workable in the long run, so
>> ... do that instead:-).
>>
> 
> What would be your best long-term solution to this problem?
> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"
> ?
> Or have you a better idea? It needs to be very simple to write at this 
> point in time.

Well, in my case these messages do not seem to be triggering the small
attachment rule; they are all being caught by filename rules.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

