Mailscanner filename and filetype rules

Julian Field MailScanner at ecs.soton.ac.uk
Sat Dec 20 09:49:20 GMT 2008



On 19/12/08 18:43, traced wrote:
> Hi,
>
> do you use the default settings shipped with mailscanner for filename- 
> and type checking? I played around with them the last few days, and 
> think that they are, hmm, let's call it paranoid.
>
> My users are sending a lot of zipped files across the web, containing 
> word documents, powerpoint presentations, and sometimes complete 
> zipped folders, including some .lnk windows link files. Such mails 
> never go through the gates, here's an example:
>
> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
>    MailScanner: Possible Eudora *.lnk security hole attack 
> (leereStammdaten.lnk.lnk)
>    MailScanner: Possible Eudora *.lnk security hole attack 
> (Verknpfungmit.lnk)
>    MailScanner: Possible Eudora *.lnk security hole attack 
> (VerknpfungmitAufbauformulare.doc.lnk)
There is no point mailing links. People who don't understand the 
futility of mailing links still won't understand it if you let them mail 
links, as then they will get things in their email that just "don't work".
>    MailScanner: No programs allowed (MouseHook.dll)
If you want to start letting them mail programs and random dll's around, 
that's your funeral.
>    MailScanner: Possible Eudora *.lnk security hole attack 
> (VerknpfungmitVertrag.doc.lnk)
>    MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
That last one won't be reported as the full filename. It will have at 
least 1 more "extension". Hiding file extensions is the oldest trick in 
the book when it comes to getting people to click on malware.

However, if you don't want to use the default rules, then don't. That's 
why they are in configuration files, so you can change them.

These days you can probably remove the *.lnk filter, as it won't 
actually cause you much trouble. Just then all those housewives will 
call your tech support asking why the files they mail around don't work 
once they've been through your mail system. But that ain't my problem :-)

I would advise you to be very cautious about removing the other filters, 
to be honest. They help keep your users safe.

In tests made on brand new malware (i.e. stuff in circulation for only 
an hour or two) most AV scanners miss at least 20% of it, often a lot 
more. Don't rely on your AV scanners to catch it all, they won't.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
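As an added illustration of how first-match filename rules of the kind discussed in this thread produce reports like the ones quoted above: a small Python evaluator over a constructed rule set laid out like MailScanner's filename.rules.conf (tab-separated action, regex, log text, user report). This is not code from the post or from MailScanner; the regexes are approximations written for this example, not the distribution's shipped defaults.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled, case-insensitive
    log_text: str        # text that would appear in the report


# Constructed rule set in the filename.rules.conf layout. Order matters:
# the first rule whose regex matches decides, exactly as a first-match
# filter does. The "hiding" rule looks for a second extension after the
# first, with optional padding whitespace in between.
RULES_CONF = """\
deny\t\\.lnk$\tPossible Eudora *.lnk security hole attack\tEudora *.lnk hole
deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tHidden extension
deny\t\\.(dll|exe|com|scr|pif)$\tNo programs allowed\tExecutables not allowed
allow\t.*\tAllowed\t-
"""


def parse_rules(conf: str) -> list[Rule]:
    """Parse action<TAB>regex<TAB>log text<TAB>user report lines."""
    rules = []
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, regex, log_text, _user_report = line.split("\t", 3)
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE), log_text))
    return rules


def check_filename(name: str, rules: list[Rule]) -> Optional[str]:
    """Return the log text of the first matching deny rule, or None if allowed."""
    for rule in rules:
        if rule.pattern.search(name):
            return None if rule.action == "allow" else rule.log_text
    return None


if __name__ == "__main__":
    # Constructed sample attachment names, modelled on the ones in the post.
    samples = ["leereStammdaten.lnk.lnk", "MouseHook.dll",
               "170_HNR27Angeb.dot   .exe", "Aufbauformulare.doc"]
    rules = parse_rules(RULES_CONF)
    for name in samples:
        print(f"{name!r}: {check_filename(name, rules) or 'allowed'}")
```

The padded "170_HNR27Angeb.dot   .exe" sample shows why the report prints a truncated name: the visible part ends in .dot while the real extension follows the whitespace.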

