more on zero byte exe files -- solution?

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 30 17:33:51 CET 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I want to know if it is what you guys want first, before I commit it to 
the source codebase properly.

Comments please?

Jeff A. Earickson wrote:
> Maybe roll out another beta???
>
> On Tue, 30 Jan 2007, Julian Field wrote:
>
>> Date: Tue, 30 Jan 2007 16:21:33 +0000
>> From: Julian Field <MailScanner at ecs.soton.ac.uk>
>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: more on zero byte exe files -- solution?
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> Julian Field wrote:
>>>
>>>
>>> Glenn Steen wrote:
>>>> On 30/01/07, Glenn Steen <glenn.steen at gmail.com> wrote:
>>>>> On 30/01/07, Jeff A. Earickson <jaearick at colby.edu> wrote:
>>>>>> Gang,
>>>>>>
>>>>>> Since the file is zero bytes, named exe, and does not trigger
>>>>>> a sophos/clam virus event, I am having a lot of the following
>>>>>> messages outgoing:
>>>>>>
>>>>>>     From: MailScanner <postmaster at colby.edu>
>>>>>>     To: upwcc at wwsolutions.demon.co.uk
>>>>>>     Subject: Warning: E-mail viruses detected
>>>>>>
>>>>>>     Our e-mail content detector has just been triggered by a
>>>>> message you sent:
>>>>>>       To: llivshi at colby.edu
>>>>>>       Subject: Wine and Roses
>>>>>>       Date: Tue Jan 30 09:18:57 2007
>>>>>>
>>>>>>     One or more of the attachments (Greeting Card.exe) are on
>>>>>>     the list of unacceptable attachments for this site and will
>>>>> not have
>>>>>>     been delivered.
>>>>>>
>>>>>>     Consider renaming the files to avoid this constraint.
>>>>>>
>>>>>>     The virus detector said this about the message:
>>>>>>     Report: Report: MailScanner: Executable DOS/Windows programs
>>>>> are dangerous
>>>>>>     in email (Greeting Card.exe)
>>>>>>
>>>>>> which will make me (and MailScanner) *real* popular in the real
>>>>> world.
>>>>>> I don't want to remove the exe check in filename.rules.conf, 
>>>>>> which is
>>>>>> the only quick way I can think of to shut up MailScanner.  Help....
>>>>>>
>>>>>> Jeff Earickson
>>>>>> Colby College
>>>>> Set
>>>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>>>> # who sent you messages containing other blocked content, such as
>>>>> # partial messages or messages with external bodies?
>>>>> # This can also be the filename of a ruleset.
>>>>> Notify Senders Of Other Blocked Content = no
>>>>> temporarily.
>>>>
>>>> Wrong quote, sloppy cut'n'paste... Sorry. Meant
>>>> # *If* "Notify Senders" is set to yes, do you want to notify people
>>>> # who sent you messages containing attachments that are blocked due to
>>>> # their filename or file contents?
>>>> # This can also be the filename of a ruleset.
>>>> Notify Senders Of Blocked Filenames Or Filetypes = yes
>>>> ... and nothing else.
>>>> But Drew's/Jason's clever trick seems more workable in the long run, so
>>>> ... do that instead :-).
>>>>
>>>
>>> What would be your best long-term solution to this problem?
>>> Perhaps a "Notify Senders Of Bad Sized Attachments = yes/no"
>>> ?
>>> Or have you a better idea? It needs to be very simple to write at this
>>> point in time.
>> Okay, here's a patch that adds a new configuration setting
>>
>> Notify Senders Of Blocked Size Attachments = yes or no (or
>> ruleset/Custom Function)
>>
>> First, the patch to ConfigDefs.pl:
>>
>> - -=-=-SNIP-=-=-
>> - --- ConfigDefs.pl       2006-10-30 20:38:34.000000000 +0000
>> +++ ConfigDefs.pl.new   2007-01-30 16:16:29.000000000 +0000
>> @@ -205,6 +205,7 @@
>> warnsenders                    = notifysenders
>> warnvirussenders               = notifysendersofviruses
>> warnnamesenders                        =
>> notifysendersofblockedfilenamesorfiletypes
>> +warnsizesenders                 = notifysendersofblockedsizeattachments
>> warnothersenders               = notifysendersofotherblockedcontent
>> webbugurl                      = webbugreplacement
>> webbugwhitelist                        = ignoredwebbugfilenames
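Review bot: nothing in this patch adds the new key to MailScanner.conf, so `warnsizesenders = notifysendersofblockedsizeattachments` gives the setting an internal name but administrators get no commented default to find; add a `Notify Senders Of Blocked Size Attachments = yes` entry there with a comment in the style of the Notify Senders Of Blocked Filenames Or Filetypes block quoted earlier in the thread. Anyone applying this hunk straight from the mail should also note that the mailer has wrapped `warnnamesenders =` onto the following line (`notifysendersofblockedfilenamesorfiletypes`) and PGP dash-escaping has turned the file header into `- ---`, so patch(1) will not apply it until those lines are rejoined and the leading `- ` removed.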
>> @@ -409,6 +410,7 @@
>> WarnSenders            1       no      0       yes     1
>> WarnVirusSenders       0       no      0       yes     1
>> WarnNameSenders                1       no      0       yes     1
>> +WarnSizeSenders                1       no      0       yes     1
>> WarnOtherSenders       1       no      0       yes     1
>>
>> [First,File]
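Review bot: `WarnSizeSenders 1 no 0 yes 1` makes the new setting default to yes, which is the right choice for compatibility (size-blocked attachments were previously warned about under WarnOtherSenders, which also defaults to 1), but it means applying the patch changes nothing on its own; sites bouncing warnings for the zero-byte .exe files must still set Notify Senders Of Blocked Size Attachments = no explicitly, and the covering note should say so.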
>> - -=-=-SNIP-=-=-
>>
>> Now the patch for MessageBatch.pm:
>>
>> - -=-=-SNIP-=-=-
>> - --- MessageBatch.pm     2006-11-29 13:43:26.000000000 +0000
>> +++ MessageBatch.pm.new 2007-01-30 16:06:39.000000000 +0000
>> @@ -862,8 +862,12 @@
>>                   $warnviruses;
>>     $reasons++ if $message->{nameinfected}  &&
>>                   MailScanner::Config::Value('warnnamesenders', 
>> $message);
>> - -    $reasons++ if ($message->{otherinfected} ||
>> $message->{sizeinfected}) &&
>> +    $reasons++ if $message->{sizeinfected} &&
>> +                  MailScanner::Config::Value('warnsizesenders', 
>> $message);
>> +    $reasons++ if $message->{otherinfected} &&
>>                   MailScanner::Config::Value('warnothersenders', 
>> $message);
>> +    #$reasons++ if ($message->{otherinfected} ||
>> $message->{sizeinfected}) &&
>> +    #              MailScanner::Config::Value('warnothersenders',
>> $message);
>>     next if $reasons==0;
>>
>>     $message->WarnSender();
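Review bot: the two `#$reasons++ if ($message->{otherinfected} || $message->{sizeinfected}) && ...` lines are the removed test left behind as a comment and should be dropped rather than committed; the `- ` lines above already record what was replaced. The split itself is sound: `sizeinfected && warnsizesenders` plus `otherinfected && warnothersenders` reaches `$message->WarnSender()` in exactly the cases the old combined test did when both settings are yes, and only the size case goes quiet when the new one is set to no. As in the ConfigDefs.pl hunk, the quoted text is wrapped (`MailScanner::Config::Value('warnsizesenders',` continues as `$message);`) and dash-escaped, so it needs unwrapping before it will apply.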
>> - -=-=-SNIP-=-=-
>>
>> If this is enough for you, please apply the patches above and restart
>> MailScanner (*not* reload).
>>
>> Let me know how you get on.
>>
>> Jules
>>
>> - --
>> Julian Field MEng CITP
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Desktop 9.5.3 (Build 5003)
>> Comment: (pgp-secured)
>> Charset: ISO-8859-1
>>
>> wj8DBQFFv3C8EfZZRxQVtlQRAhRMAKCka0Df3buuTBJivi73lkKa4nNIJQCgzsis
>> KLhUFa/JayrG4m2rnACqZ9s=
>> =BPr0
>> -----END PGP SIGNATURE-----
>>
>> -- 
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> For all your IT requirements visit www.transtec.co.uk
>>
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFFv3OREfZZRxQVtlQRApkCAKC4VeyB8Jf+VuJfvAYnOBBD8XMXCgCfW/qZ
nnCJKA5T+8ZZFosTw3ocJoU=
=+coK
-----END PGP SIGNATURE-----
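The setting introduced by the patch accepts a ruleset as well as a plain yes/no, like the other Notify Senders Of ... keys. As an added illustration that is not part of the patch or of the MailScanner distribution, this is the kind of ruleset a site could point `Notify Senders Of Blocked Size Attachments` at so that only its own users are told about size-blocked attachments, while the sender address on a message arriving from outside is never contacted. The file path and the use of colby.edu (Jeff's domain from the thread) as the local domain are assumptions for the example.

```text
# /etc/MailScanner/rules/warn.size.senders.rules   (example path, an assumption)
#
# Referenced from MailScanner.conf as:
#   Notify Senders Of Blocked Size Attachments = /etc/MailScanner/rules/warn.size.senders.rules
#
# Rules are tried top to bottom; the first matching line wins and the
# "default" line applies when nothing else matches.
From:       *@colby.edu     yes
FromOrTo:   default         no
```

With this file in place the warning still goes out when a local user sends an attachment that trips the size rules, but an outside sender gets nothing. It only has an effect once the patch above is applied and MailScanner has been restarted (not reloaded), as the patch note says.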
