Blocking of WMF

Jethro R Binks jethro.binks at strath.ac.uk
Mon Mar 23 23:06:16 GMT 2009 

On Tue, 17 Mar 2009, Jethro R Binks wrote:

> but we very often see "image1.wmf", "image2.wmf", etc discovered too.
> 
> Very often, the sending user is completely oblivious to the presence of 
> images in the document (zip file), nor what to do to remove them or save 
> them as something else, and at least in the case of the "thumbnail.wmf" 
> content, this is something that the application itself has generated 
> without the user knowing about it.
...

Neither this, nor the other thread where I mentioned:

> I have often thought that it would useful for MailScanner to have some 
> context when applying the filename rules, to give some flexibility.  So 
> for example it might permit all or certain .wmf if it knows it has found 
> them while digging around in an Office 2007 zip doc.  Perhaps another 
> field in filename.rules.conf that is a list of context matches 
> ('zip,msofficezip'), with a default of "all contexts".

solicited much response.

I would like to add something else to the mix: when an objectional file in 
an archive is found, that as well as listing the objectional file and the 
reason, that the name of the archive is also available.

I currently have a case in hand where someone has sent several Word and 
Powerpoint documents in one message, and received a rejection from us 
complaining about:

> Report: Possible format attack in Windows (image3.wmf)
> Report: Possible format attack in Windows (image4.wmf)
> Report: Possible format attack in Windows (image5.wmf)
> Report: Possible format attack in Windows (image9.wmf)
> Report: Possible format attack in Windows (image2.wmf)
> Report: Possible format attack in Windows (image1.wmf)

but there appears to be no way to know which of the several attachments 
caused the problem, other than to have him send them all individually.

And if someone can point me at a resource that explains the prevelance of 
"image1.wmf", "image2.wmf", etc, in MS Office documents, I'd be grateful.  
(This particular sender insists that his Word documents contained 
absolutely no images, although there's a Powerpoint document in the mix 
too).

Jethro.


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

More information about the MailScanner mailing list