Mailscanner filename and filetype rules

traced traced at xpear.de
Sat Dec 20 10:46:18 GMT 2008


Julian Field wrote:
> 
> 
> On 19/12/08 18:43, traced wrote:
>> Hi,
>>
>> do you use the default settings shipped with mailscanner for filename- 
>> and type checking? I played around with them the last few days, and 
>> think that they are, hmm, let's call it paranoid.
>>
>> My users are sending a lot of zipped files across the web, containing 
>> word documents, powerpoint presentations, and sometimes complete 
>> zipped folders, including some .lnk windows link files. Such mails 
>> never go through the gates, here's an example:
>>
>> Am Fri Dec 19 18:06:01 2008 meldete der Virenscanner folgendes:
>>    MailScanner: Possible Eudora *.lnk security hole attack 
>> (leereStammdaten.lnk.lnk)
>>    MailScanner: Possible Eudora *.lnk security hole attack 
>> (Verknpfungmit.lnk)
>>    MailScanner: Possible Eudora *.lnk security hole attack 
>> (VerknpfungmitAufbauformulare.doc.lnk)
> There is no point mailing links. People who don't understand the 
> futility of mailing links still won't understand it if you let them mail 
> links, as then they will get things in their email that just "don't work".
>>    MailScanner: No programs allowed (MouseHook.dll)
> If you want to start letting them mail programs and random dll's around, 
> that's your funeral.
>>    MailScanner: Possible Eudora *.lnk security hole attack 
>> (VerknpfungmitVertrag.doc.lnk)
>>    MailScanner: Found possible filename hiding (170_HNR27Angeb.dot)
> That last one won't be reported as the full filename. It will have at 
> least 1 more "extension". Hiding file extensions is the oldest trick in 
> the book when it comes to getting people to click on malware.
> 
> However, if you don't want to use the default rules, then don't. That's 
> why they are in configuration files, so you can change them.
> 
> These days you can probably remove the *.lnk filter, as it won't 
> actually cause you much trouble. Just then all those housewives will 
> call your tech support asking why the files they mail around don't work 
> once they've been through your mail system. But that ain't my problem :-)
> 
> I would advise you to be very cautious about removing the other filters, 
> to be honest. They help keep your users safe.
> 
> In tests made on brand new malware (i.e. stuff in circulation for only 
> an hour or two) most AV scanners miss at least 20% of it, often a lot 
> more. Don't rely on your AV scanners to catch it all, they won't.
> 
> Jules
> 

Hi Jules,
thanks for your detailed answer. I think you are right :)
The problem is that I am the tech support, so they call me whatever 
happens... But I think it's better to release such mails manually
when they are quarantined.

Thanks,
Bastian
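An added illustration, not code from this thread or from the MailScanner project, of how a small rule set in the tab-separated allow/deny layout of MailScanner's filename.rules.conf would classify the attachment names quoted above. The rule order, rule texts and the whitespace-padded double-extension sample (the kind of "filename hiding" Jules describes) are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed rule set in the layout of MailScanner's filename.rules.conf
# (action, regex, log text, user report text, tab separated). This is an
# assumption about the format, not the project's shipped file. First match wins.
RULES_CONF = (
    "# double extension with whitespace padding, e.g. 'x.dot      .exe'\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s+\\.[a-z0-9]{3}$\tFilename hiding\tFound possible filename hiding\n"
    "deny\t\\.lnk$\tEudora *.lnk security hole attack\tPossible Eudora *.lnk security hole attack\n"
    "deny\t\\.(exe|dll|com|scr)$\tWindows program\tNo programs allowed\n"
    "allow\t.*\tAllowed\tAllowed\n"
)

class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: "re.Pattern"
    log_text: str
    report_text: str     # what the quarantine notice shows the user

def parse_rules(conf: str) -> List[Rule]:
    """Parse tab-separated rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, regex, log_text, report_text = line.split("\t", 3)
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE), log_text, report_text))
    return rules

def check_filename(name: str, rules: List[Rule]) -> Optional[str]:
    """Return None if the name is allowed, else the report text of the first deny rule."""
    for rule in rules:
        if rule.pattern.search(name):
            return None if rule.action == "allow" else rule.report_text
    return None  # no rule matched; the catch-all 'allow' above makes this unreachable

# Attachment names from the quarantine notice, plus one constructed padded name
# standing in for the truncated "170_HNR27Angeb.dot" report.
SAMPLES = [
    "leereStammdaten.lnk.lnk",
    "MouseHook.dll",
    "VerknpfungmitVertrag.doc.lnk",
    "170_HNR27Angeb.dot           .exe",
    "Angebot.doc",
]

def scan_samples() -> dict:
    rules = parse_rules(RULES_CONF)
    return {name: check_filename(name, rules) for name in SAMPLES}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name!r}: {verdict or 'allowed'}")
```

Relaxing the `.lnk` rule, as Jules suggests is probably safe today, means deleting or changing that one line while the hiding and program rules keep catching the cases he warns about.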

