Mailscanner filename and filetype rules
traced
traced at xpear.de
Sat Dec 20 10:46:18 GMT 2008
Julian Field wrote:
>
>
> On 19/12/08 18:43, traced wrote:
>> Hi,
>>
>> do you use the default settings shipped with mailscanner for filename-
>> and type checking? I played around with them the last few days, and
>> think that they are, hmm, let's call it paranoid.
>>
>> My users are sending a lot of zipped files across the web, containing
>> word documents, powerpoint presentations, and sometimes complete
>> zipped folders, including some .lnk windows link files. Such mails
>> never go through the gates, here's an example:
>>
>> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (leereStammdaten.lnk.lnk)
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (Verknpfungmit.lnk)
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (VerknpfungmitAufbauformulare.doc.lnk)
> There is no point mailing links. People who don't understand the
> futility of mailing links still won't understand it if you let them mail
> links, as then they will get things in their email that just "don't work".
>> MailScanner: No programs allowed (MouseHook.dll)
> If you want to start letting them mail programs and random dll's around,
> that's your funeral.
>> MailScanner: Possible Eudora *.lnk security hole attack
>> (VerknpfungmitVertrag.doc.lnk)
>> MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
> That last one won't be reported as the full filename. It will have at
> least 1 more "extension". Hiding file extensions is the oldest trick in
> the book when it comes to getting people to click on malware.
>
> However, if you don't want to use the default rules, then don't. That's
> why they are in configuration files, so you can change them.
>
> These days you can probably remove the *.lnk filter, as it won't
> actually cause you much trouble. Just then all those housewives will
> call your tech support asking why the files they mail around don't work
> once they've been through your mail system. But that ain't my problem :-)
>
> I would advise you to be very cautious about removing the other filters,
> to be honest. They help keep your users safe.
>
> In tests made on brand new malware (i.e. stuff in circulation for only
> an hour or two) most AV scanners miss at least 20% of it, often a lot
> more. Don't rely on your AV scanners to catch it all, they won't.
>
> Jules
>
Hi Jules,
thanks for your detailed answer. I think you are right :)
The problem is that I am the tech support, so they call me whatever
happens... But I think it's better to release such mails manually
when they are quarantined.
Thanks,
Bastian
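Jules's point, that the filename checks are plain configuration and that "filename hiding" means a second extension tacked onto a harmless-looking one, can be checked before a rule is relaxed. The following is an added example and not MailScanner's own code: it evaluates filenames against rules written in the tab-separated allow/deny layout of filename.rules.conf (the layout, the first-match-wins order and the patterns are assumptions for this example; compare with the copy on your own system) and shows which report each name would trigger.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule set in the "action<TAB>regex<TAB>log text<TAB>user report" layout
# assumed for MailScanner's filename.rules.conf. Rules are tried top to bottom and the
# first match wins (also an assumption); the order here reproduces the reports quoted
# in the thread, e.g. a .lnk name is reported as such rather than as filename hiding.
RULES_TEXT = """\
# action\tregex\tlog text\tuser report
deny\t\\.lnk$\tEudora *.lnk security hole attack\tPossible Eudora *.lnk security hole attack
deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tFound possible filename hiding
deny\t\\s{10,}\tFound lots of whitespace\tFound lots of whitespace in the filename
deny\t\\.(exe|dll|com|scr|pif|bat)$\tNo programs allowed\tNo programs allowed
allow\t\\.(doc|dot|xls|ppt|pdf|zip)$\t-\t-
deny\t.\tNo rule matched\tAttachment type not permitted
"""

Rule = Tuple[str, re.Pattern, str, str]


def parse_rules(text: str) -> List[Rule]:
    """Turn the rule text into (action, compiled regex, log text, user report) tuples."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        action, pattern, log_text, report = line.split("\t", 3)
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, report))
    return rules


def check_filename(name: str, rules: List[Rule]) -> Optional[str]:
    """Return None when the first matching rule allows the name, else its user report."""
    for action, regex, _log_text, report in rules:
        if regex.search(name):
            return None if action == "allow" else report
    return None  # nothing matched; the catch-all deny above normally prevents this


def triage(names: List[str], rules: List[Rule]) -> dict:
    """Verdict per filename, so a rule change can be previewed before it is deployed."""
    return {n: check_filename(n, rules) for n in names}


if __name__ == "__main__":
    # Constructed sample names modelled on the ones quoted in the thread.
    samples = ["Angebot.doc", "Verknuepfung mit.lnk", "MouseHook.dll",
               "Rechnung.pdf.exe", "budget.xlsx"]
    for name, verdict in triage(samples, parse_rules(RULES_TEXT)).items():
        print(f"{name!r}: {verdict or 'allowed'}")
```

Reordering or deleting a `deny` line and re-running the sample list shows exactly which of the quoted reports would disappear, which is the check to make before editing the live configuration.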