more on zero byte exe files
Jeff A. Earickson
jaearick at colby.edu
Tue Jan 30 16:31:27 CET 2007
On Tue, 30 Jan 2007, Julian Field wrote:
> Date: Tue, 30 Jan 2007 15:21:20 +0000
> From: Julian Field <MailScanner at ecs.soton.ac.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: more on zero byte exe files
>
>
>
> Glenn Steen wrote:
>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>> > Gang,
>>> >
>>> > Since the file is zero bytes, named exe, and does not trigger
>>> > a sophos/clam virus event, I am having a lot of the following
>>> > messages outgoing:
>>> >
>>> > From: MailScanner <postmaster at colby.edu>
>>> > To: upwcc at wwsolutions.demon.co.uk
>>> > Subject: Warning: E-mail viruses detected
>>> >
>>> > Our e-mail content detector has just been triggered by a message you sent:
>>> > To: llivshi at colby.edu
>>> > Subject: Wine and Roses
>>> > Date: Tue Jan 30 09:18:57 2007
>>> >
>>> > One or more of the attachments (Greeting Card.exe) are on
>>> > the list of unacceptable attachments for this site and will not have
>>> > been delivered.
>>> >
>>> > Consider renaming the files to avoid this constraint.
>>> >
>>> > The virus detector said this about the message:
>>> > Report: Report: MailScanner: Executable DOS/Windows programs are dangerous
>>> > in email (Greeting Card.exe)
>>> >
>>> > which will make me (and MailScanner) *real* popular in the real world.
>>> > I don't want to remove the exe check in filename.rules.conf, which is
>>> > the only quick way I can think of to shut up MailScanner. Help....
>>> >
>>> > Jeff Earickson
>>> > Colby College
>>> Set
>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>> # who sent you messages containing other blocked content, such as
>>> # partial messages or messages with external bodies?
>>> # This can also be the filename of a ruleset.
>>> Notify Senders Of Other Blocked Content = no
>>> temporarily.
>>
>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>> # *If* "Notify Senders" is set to yes, do you want to notify people
>> # who sent you messages containing attachments that are blocked due to
>> # their filename or file contents?
>> # This can also be the filename of a ruleset.
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>> ... and nothing else.
>> But Drew's/Jason's clever trick seems more workable in the long run, so
>> ... do that instead:-).
>>
>
> What would be your best long-term solution to this problem?
> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"
> ?
> Or have you a better idea? It needs to be very simple to write at this point
> in time.
The too-small trick seemed the most elegant (but I couldn't get it to work).
I'm still fiddling with my ruleset for filenames/filetypes. I find it
ironic that a zero-byte "virus" is kicking my ass right now. Sheesh.
Jeff Earickson
Colby College