Mailscanner filename and filetype rules

traced traced at xpear.de
Fri Dec 19 18:43:37 GMT 2008


Hi,

do you use the default settings shipped with MailScanner for filename- 
and type checking? I played around with them the last few days, and 
think that they are, hmm, let's call them paranoid.

My users are sending a lot of zipped files across the web, containing 
Word documents, PowerPoint presentations, and sometimes complete zipped 
folders, including some .lnk Windows link files. Such mails never go 
through the gates, here's an example:

Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
    MailScanner: Possible Eudora *.lnk security hole attack (leereStammdaten.lnk.lnk)
    MailScanner: Possible Eudora *.lnk security hole attack (Verknpfungmit.lnk)
    MailScanner: Possible Eudora *.lnk security hole attack (VerknpfungmitAufbauformulare.doc.lnk)
    MailScanner: No programs allowed (MouseHook.dll)
    MailScanner: Possible Eudora *.lnk security hole attack (VerknpfungmitVertrag.doc.lnk)
    MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)

How do you handle this? Should I give more trust to my virus scanners? I 
use Clam, and Avira Antivir on my gates.

Thanks a lot,
Bastian

