more on zero byte exe files -- solution?

Jeff A. Earickson jaearick at colby.edu
Tue Jan 30 17:27:53 CET 2007


Maybe roll out another beta???

On Tue, 30 Jan 2007, Julian Field wrote:

> Date: Tue, 30 Jan 2007 16:21:33 +0000
> From: Julian Field <MailScanner at ecs.soton.ac.uk>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: more on zero byte exe files -- solution?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Julian Field wrote:
>>
>>
>> Glenn Steen wrote:
>>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>>>> Gang,
>>>>>
>>>>> Since the file is zero bytes, named exe, and does not trigger
>>>>> a sophos/clam virus event, I am having a lot of the following
>>>>> messages outgoing:
>>>>>
>>>>>     From: MailScanner <postmaster at colby.edu>
>>>>>     To: upwcc at wwsolutions.demon.co.uk
>>>>>     Subject: Warning: E-mail viruses detected
>>>>>
>>>>>     Our e-mail content detector has just been triggered by a message you sent:
>>>>>       To: llivshi at colby.edu
>>>>>       Subject: Wine and Roses
>>>>>       Date: Tue Jan 30 09:18:57 2007
>>>>>
>>>>>     One or more of the attachments (Greeting Card.exe) are on
>>>>>     the list of unacceptable attachments for this site and will not have
>>>>>     been delivered.
>>>>>
>>>>>     Consider renaming the files to avoid this constraint.
>>>>>
>>>>>     The virus detector said this about the message:
>>>>>     Report: Report: MailScanner: Executable DOS/Windows programs are dangerous
>>>>>     in email (Greeting Card.exe)
>>>>>
>>>>> which will make me (and MailScanner) *real* popular in the real world.
>>>>> I don't want to remove the exe check in filename.rules.conf, which is
>>>>> the only quick way I can think of to shut up MailScanner.  Help....
>>>>>
>>>>> Jeff Earickson
>>>>> Colby College
>>>> Set
>>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>>> # who sent you messages containing other blocked content, such as
>>>> # partial messages or messages with external bodies?
>>>> # This can also be the filename of a ruleset.
>>>> Notify Senders Of Other Blocked Content = no
>>>> temporarily.
>>>
>>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>> # who sent you messages containing attachments that are blocked due to
>>> # their filename or file contents?
>>> # This can also be the filename of a ruleset.
>>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>> ... and nothing else.
>>> But Drew's/Jason's clever trick seems more workable in the long run, so
>>> ... do that instead:-).
>>>
>>
>> What would be your best long-term solution to this problem?
>> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"
>> ?
>> Or have you a better idea? It needs to be very simple to write at this
>> point in time.
> Okay, here's a patch that adds a new configuration setting
>
> Notify Senders Of Blocked Size Attachments = yes or no (or
> ruleset/Custom Function)
>
> First, the patch to ConfigDefs.pl:
>
> - -=-=-SNIP-=-=-
> - --- ConfigDefs.pl       2006-10-30 20:38:34.000000000 +0000
> +++ ConfigDefs.pl.new   2007-01-30 16:16:29.000000000 +0000
> @@ -205,6 +205,7 @@
> warnsenders                    = notifysenders
> warnvirussenders               = notifysendersofviruses
> warnnamesenders                        =
> notifysendersofblockedfilenamesorfiletypes
> +warnsizesenders                 = notifysendersofblockedsizeattachments
> warnothersenders               = notifysendersofotherblockedcontent
> webbugurl                      = webbugreplacement
> webbugwhitelist                        = ignoredwebbugfilenames
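Review bot: The new external keyword on the added `warnsizesenders` line, `notifysendersofblockedsizeattachments`, is not documented anywhere in this patch, which touches only ConfigDefs.pl and MessageBatch.pm. Add a commented "Notify Senders Of Blocked Size Attachments" entry to the shipped MailScanner.conf beside the other "Notify Senders Of ..." settings, stating that it only applies when "Notify Senders" is yes and that it can be a ruleset, in the same wording as the neighbouring entries quoted earlier in this thread.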
> @@ -409,6 +410,7 @@
> WarnSenders            1       no      0       yes     1
> WarnVirusSenders       0       no      0       yes     1
> WarnNameSenders                1       no      0       yes     1
> +WarnSizeSenders                1       no      0       yes     1
> WarnOtherSenders       1       no      0       yes     1
>
> [First,File]
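Review bot: The default in the added `WarnSizeSenders` row changes behaviour for sites that have already switched size notices off. If the first column is the default, as the neighbouring rows suggest, the new option defaults to yes; until now size-blocked attachments were governed by `warnothersenders`, so a site running with "Notify Senders Of Other Blocked Content = no" will start sending size notifications to senders again once this is applied and MailScanner is restarted. Call this out in the change log so those sites set the new option to no as well.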
> - -=-=-SNIP-=-=-
>
> Now the patch for MessageBatch.pm:
>
> - -=-=-SNIP-=-=-
> - --- MessageBatch.pm     2006-11-29 13:43:26.000000000 +0000
> +++ MessageBatch.pm.new 2007-01-30 16:06:39.000000000 +0000
> @@ -862,8 +862,12 @@
>                   $warnviruses;
>     $reasons++ if $message->{nameinfected}  &&
>                   MailScanner::Config::Value('warnnamesenders', $message);
> - -    $reasons++ if ($message->{otherinfected} ||
> $message->{sizeinfected}) &&
> +    $reasons++ if $message->{sizeinfected} &&
> +                  MailScanner::Config::Value('warnsizesenders', $message);
> +    $reasons++ if $message->{otherinfected} &&
>                   MailScanner::Config::Value('warnothersenders', $message);
> +    #$reasons++ if ($message->{otherinfected} ||
> $message->{sizeinfected}) &&
> +    #              MailScanner::Config::Value('warnothersenders',
> $message);
>     next if $reasons==0;
>
>     $message->WarnSender();
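Review bot: The last two added lines keep the old combined `otherinfected || sizeinfected` test as a comment; drop them rather than shipping dead code, since the removed line in this diff already records what was replaced. The split also means a message that is both size-infected and other-infected now increments `$reasons` twice, which is harmless in the visible lines only because the count is tested against zero (`next if $reasons==0;`); a one-line comment above the block saying `$reasons` is used as a flag rather than a tally would keep a later change from relying on the count.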
> - -=-=-SNIP-=-=-
>
> If this is enough for you, please apply the patches above and restart
> MailScanner (*not* reload).
>
> Let me know how you get on.
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFFv3C8EfZZRxQVtlQRAhRMAKCka0Df3buuTBJivi73lkKa4nNIJQCgzsis
> KLhUFa/JayrG4m2rnACqZ9s=
> =BPr0
> -----END PGP SIGNATURE-----