more on zero byte exe files -- solution?
Jeff A. Earickson
jaearick at colby.edu
Tue Jan 30 17:27:53 CET 2007
Maybe roll out another beta???
On Tue, 30 Jan 2007, Julian Field wrote:
> Date: Tue, 30 Jan 2007 16:21:33 +0000
> From: Julian Field <MailScanner at ecs.soton.ac.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: more on zero byte exe files -- solution?
>
> Julian Field wrote:
>>
>>
>> Glenn Steen wrote:
>>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>>>> Gang,
>>>>>
>>>>> Since the file is zero bytes, named exe, and does not trigger
>>>>> a sophos/clam virus event, I am having a lot of the following
>>>>> messages outgoing:
>>>>>
>>>>> From: MailScanner <postmaster at colby.edu>
>>>>> To: upwcc at wwsolutions.demon.co.uk
>>>>> Subject: Warning: E-mail viruses detected
>>>>>
>>>>> Our e-mail content detector has just been triggered by a message you sent:
>>>>> To: llivshi at colby.edu
>>>>> Subject: Wine and Roses
>>>>> Date: Tue Jan 30 09:18:57 2007
>>>>>
>>>>> One or more of the attachments (Greeting Card.exe) are on
>>>>> the list of unacceptable attachments for this site and will not have
>>>>> been delivered.
>>>>>
>>>>> Consider renaming the files to avoid this constraint.
>>>>>
>>>>> The virus detector said this about the message:
>>>>> Report: Report: MailScanner: Executable DOS/Windows programs are dangerous
>>>>> in email (Greeting Card.exe)
>>>>>
>>>>> which will make me (and MailScanner) *real* popular in the real world.
>>>>> I don't want to remove the exe check in filename.rules.conf, which is
>>>>> the only quick way I can think of to shut up MailScanner. Help....
>>>>>
>>>>> Jeff Earickson
>>>>> Colby College
>>>> Set
>>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>>> # who sent you messages containing other blocked content, such as
>>>> # partial messages or messages with external bodies?
>>>> # This can also be the filename of a ruleset.
>>>> Notify Senders Of Other Blocked Content = no
>>>> temporarily.
>>>
>>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>> # who sent you messages containing attachments that are blocked due to
>>> # their filename or file contents?
>>> # This can also be the filename of a ruleset.
>>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>> ... and nothing else.
>>> But Drew's/Jason's clever trick seems more workable in the long run, so
>>> ... do that instead:-).
>>>
>>
>> What would be your best long-term solution to this problem?
>> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"?
>> Or have you a better idea? It needs to be very simple to write at this
>> point in time.
> Okay, here's a patch that adds a new configuration setting
>
> Notify Senders Of Blocked Size Attachments = yes or no (or
> ruleset/Custom Function)
>
> First, the patch to ConfigDefs.pl:
>
> - -=-=-SNIP-=-=-
> - --- ConfigDefs.pl 2006-10-30 20:38:34.000000000 +0000
> +++ ConfigDefs.pl.new 2007-01-30 16:16:29.000000000 +0000
> @@ -205,6 +205,7 @@
> warnsenders = notifysenders
> warnvirussenders = notifysendersofviruses
> warnnamesenders =
> notifysendersofblockedfilenamesorfiletypes
> +warnsizesenders = notifysendersofblockedsizeattachments
> warnothersenders = notifysendersofotherblockedcontent
> webbugurl = webbugreplacement
> webbugwhitelist = ignoredwebbugfilenames
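Review bot: The new `warnsizesenders = notifysendersofblockedsizeattachments` mapping comes with no documentation; the posted patch touches only ConfigDefs.pl and MessageBatch.pm. Suggest adding a commented "Notify Senders Of Blocked Size Attachments = ..." entry to the shipped configuration file, in the same style as the existing "Notify Senders Of Blocked Filenames Or Filetypes" block, stating that it only applies when "Notify Senders" is yes and that it can be a ruleset.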
> @@ -409,6 +410,7 @@
> WarnSenders 1 no 0 yes 1
> WarnVirusSenders 0 no 0 yes 1
> WarnNameSenders 1 no 0 yes 1
> +WarnSizeSenders 1 no 0 yes 1
> WarnOtherSenders 1 no 0 yes 1
>
> [First,File]
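Review bot: `WarnSizeSenders 1 no 0 yes 1` uses the same first value as WarnNameSenders and WarnOtherSenders (1) rather than WarnVirusSenders (0), so if that column is the default, a patched system keeps sending notices for size-blocked attachments until the admin explicitly sets the new option to no. If that is deliberate for backward compatibility, say so next to the patch; if the goal is to stop these notices out of the box, use 0 here.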
> - -=-=-SNIP-=-=-
>
> Now the patch for MessageBatch.pm:
>
> - -=-=-SNIP-=-=-
> - --- MessageBatch.pm 2006-11-29 13:43:26.000000000 +0000
> +++ MessageBatch.pm.new 2007-01-30 16:06:39.000000000 +0000
> @@ -862,8 +862,12 @@
> $warnviruses;
> $reasons++ if $message->{nameinfected} &&
> MailScanner::Config::Value('warnnamesenders', $message);
> - - $reasons++ if ($message->{otherinfected} ||
> $message->{sizeinfected}) &&
> + $reasons++ if $message->{sizeinfected} &&
> + MailScanner::Config::Value('warnsizesenders', $message);
> + $reasons++ if $message->{otherinfected} &&
> MailScanner::Config::Value('warnothersenders', $message);
> + #$reasons++ if ($message->{otherinfected} ||
> $message->{sizeinfected}) &&
> + # MailScanner::Config::Value('warnothersenders',
> $message);
> next if $reasons==0;
>
> $message->WarnSender();
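Review bot: Splitting the old `$message->{otherinfected} || $message->{sizeinfected}` test changes behaviour for sites that already run with "Notify Senders Of Other Blocked Content = no": size-blocked messages were previously silenced by `warnothersenders`, but now depend only on `warnsizesenders`, which the ConfigDefs.pl hunk sets to 1, so those sites would start notifying senders again after the restart. Either fall back to the `warnothersenders` value when the new option is unset, or call this out in the upgrade instructions. The two commented-out `#$reasons++ ...` lines repeat the removed statement and can be dropped from the final version.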
> - -=-=-SNIP-=-=-
>
> If this is enough for you, please apply the patches above and restart
> MailScanner (*not* reload).
>
> Let me know how you get on.
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>