Mailscanner filename and filetype rules

Alex Neuman van der Hans alex at rtpty.com
Fri Dec 19 20:28:30 GMT 2008


Let's not. A carefully constructed file meeting your criteria for  
"safe" could get past all three.



On Dec 19, 2008, at 1:43 PM, traced <traced at xpear.de> wrote:

> Hi,
>
> Do you use the default settings shipped with MailScanner for
> filename- and type checking? I played around with them the last few
> days, and think that they are, hmm, let's call them paranoid.
>
> My users are sending a lot of zipped files across the web,
> containing Word documents, PowerPoint presentations, and sometimes
> complete zipped folders, including some .lnk Windows link files.
> Such mails never go through the gates; here's an example:
>
> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
>   MailScanner: Possible Eudora *.lnk security hole attack (leereStammdaten.lnk.lnk)
>   MailScanner: Possible Eudora *.lnk security hole attack (Verknpfungmit.lnk)
>   MailScanner: Possible Eudora *.lnk security hole attack (VerknpfungmitAufbauformulare.doc.lnk)
>   MailScanner: No programs allowed (MouseHook.dll)
>   MailScanner: Possible Eudora *.lnk security hole attack (VerknpfungmitVertrag.doc.lnk)
>   MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
>
> How do you handle this? Should I give more trust to my virus  
> scanners? I use Clam, and Avira Antivir on my gates.
>
> Thanks a lot,
> Bastian

