more on zero byte exe files

Jeff A. Earickson jaearick at colby.edu
Tue Jan 30 16:31:27 CET 2007


On Tue, 30 Jan 2007, Julian Field wrote:

> Date: Tue, 30 Jan 2007 15:21:20 +0000
> From: Julian Field <MailScanner at ecs.soton.ac.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: more on zero byte exe files
> 
>
>
> Glenn Steen wrote:
>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>> > Gang,
>>> >
>>> > Since the file is zero bytes, named exe, and does not trigger
>>> > a sophos/clam virus event, I am having a lot of the following
>>> > messages outgoing:
>>> >
>>> >     From: MailScanner <postmaster at colby.edu>
>>> >     To: upwcc at wwsolutions.demon.co.uk
>>> >     Subject: Warning: E-mail viruses detected
>>> >
>>> >     Our e-mail content detector has just been triggered by a message you sent:
>>> >       To: llivshi at colby.edu
>>> >       Subject: Wine and Roses
>>> >       Date: Tue Jan 30 09:18:57 2007
>>> >
>>> >     One or more of the attachments (Greeting Card.exe) are on
>>> >     the list of unacceptable attachments for this site and will not have
>>> >     been delivered.
>>> >
>>> >     Consider renaming the files to avoid this constraint.
>>> >
>>> >     The virus detector said this about the message:
>>> >     Report: Report: MailScanner: Executable DOS/Windows programs are dangerous
>>> >     in email (Greeting Card.exe)
>>> >
>>> > which will make me (and MailScanner) *real* popular in the real world.
>>> > I don't want to remove the exe check in filename.rules.conf, which is
>>> > the only quick way I can think of to shut up MailScanner.  Help....
>>> >
>>> > Jeff Earickson
>>> > Colby College
>>> Set
>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>> # who sent you messages containing other blocked content, such as
>>> # partial messages or messages with external bodies?
>>> # This can also be the filename of a ruleset.
>>> Notify Senders Of Other Blocked Content = no
>>> temporarily.
>> 
>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>> # *If* "Notify Senders" is set to yes, do you want to notify people
>> # who sent you messages containing attachments that are blocked due to
>> # their filename or file contents?
>> # This can also be the filename of a ruleset.
>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>> ... and nothing else.
>> But Drew's/Jason's clever trick seems more workable in the long run, so
>> ... do that instead:-).
>> 
>
> What would be your best long-term solution to this problem?
> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"
> ?
> Or have you a better idea? It needs to be very simple to write at this point 
> in time.

The too-small trick seemed the most elegant (but I couldn't get it to work).
I'm still fiddling with my ruleset for filenames/filetypes.  I find it
ironic that a zero-byte "virus" is kicking my ass right now.  Sheesh.

Jeff Earickson
Colby College

