MS Doesn't completely block spam with faulty attachments

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Thu Sep 1 17:40:10 IST 2011


Easiest thing to do in that case is to comment out the line in filename.rules.conf that disallows double extensions.  The message will be accepted as normal and go through the additional tests (is it an executable, is it a virus, is it spam, etc.)


...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500



________________________________
From: mailscanner-bounces at lists.mailscanner.info On Behalf Of Joolee
Sent: Thursday, September 01, 2011 7:32 AM
To: MailScanner discussion
Subject: Re: MS Doesn't completely block spam with faulty attachments

I agree that it isn't a good idea to notify the sender of a spam or virus message. I'm not planning to do that; I know the troubles of backscatter.

What I've configured is that if a user sends a completely normal (non-virus, non-spam) E-mail but with, for instance, a file named "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers), the server sends out a warning to the sender and the original message, stripped of its attachment, to the recipient of the message. Notifying the sender is not strictly necessary, but if this is only done for such non-virus, non-spam messages, it isn't a problem either.

The situation that bugs me is when some spam message with a file named "CurriculumVitae.doc.pdf" is received. The message hits the filename rule and isn't processed any further to check if it's a spam message. Because it isn't processed any further, the warning messages are sent out to both sender and original recipient.

As I stated before, I can disable the sender notification. What I can't do is tell my customers (the recipients) that such wrongly named files, most containing important documents, are silently discarded. Sending spam to my customers that could have been recognized isn't an option either.

The simplest solution, I think, would be to continue processing the message after a file name rule is hit, decide if the E-mail is HAM and in that case, send out the notifications. If the E-mail is spam, silently discard it.
It would add a bit of load to the server but stopping spam is what it's all about, isn't it? :P

On 1 September 2011 16:34, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
He's probably switched on some "Notify Senders" options. Bad idea :-(


On 01/09/2011 12:32, Martin Hepworth wrote:
what version of MS?

I never inform the sender of junk as you end up with fake messages sent out.

--
Martin Hepworth
Oxford, UK


On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:

   Hello Everybody,

   I've experienced a small flood of virus E-mails. These E-mails
   (subj.: "ACH Payment *random number* Canceled") contain
   attachments named like: "report_082011-65.pdf.exe"
   They obviously get blocked by the "no executables" and "No double
   file extensions" rules. The problem is that after blocking them,
   an automated E-mail is sent to the original recipient and the
   (faked) sender of the message, informing them of the blocked
   attachment.

   Had the E-mails been processed further, they would've probably hit
   the virusscanner (not tested) or spamassassin (gives a score of 27
   when tested) and the E-mail would've silently been discarded as a
   virus / spam / phishing.

   Is it possible to let the MailScanner continue its processing
   when hitting the file name rules and / or running the filename
   rule at a later time?
   --
   MailScanner mailing list
   mailscanner at lists.mailscanner.info

   http://lists.mailscanner.info/mailman/listinfo/mailscanner

   Before posting, read http://wiki.mailscanner.info/posting

   Support MailScanner development - buy the book off the website!





Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982

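The processing-order problem discussed in this thread, as an added example that is not part of the original posts and is not MailScanner code: it compares the behaviour Joolee describes (a filename hit ends processing and triggers notifications), the order Joolee proposes (classify first, notify only for ham), and Kevin's workaround (double-extension rule commented out). The regular expression, the spam threshold, the function names and the action labels are assumptions made for illustration; the filenames and the score of 27 are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass

# Assumption: simplified stand-in for a "no double file extensions" rule,
# not the pattern shipped in MailScanner's filename.rules.conf.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.I)
SPAM_THRESHOLD = 5.0  # assumed cut-off; the thread only reports a score of 27

@dataclass
class Message:
    filename: str
    spam_score: float
    is_virus: bool = False

def content_verdict(msg):
    """Virus/spam decision only; filename rules are not consulted here."""
    if msg.is_virus or msg.spam_score >= SPAM_THRESHOLD:
        return ["discard_silently"]
    return ["deliver"]

def filename_actions(notify_sender):
    actions = ["strip_attachment", "notify_recipient"]
    if notify_sender:
        actions.append("notify_sender")  # backscatter when the sender is forged
    return actions

def filename_first(msg, notify_sender=True):
    """Behaviour described in the thread: a filename hit ends processing."""
    if DOUBLE_EXT.search(msg.filename):
        return filename_actions(notify_sender)
    return content_verdict(msg)

def verdict_first(msg, notify_sender=True):
    """Order proposed in the thread: classify first, notify only for ham."""
    verdict = content_verdict(msg)
    if verdict == ["discard_silently"]:
        return verdict
    if DOUBLE_EXT.search(msg.filename):
        return filename_actions(notify_sender)
    return verdict

def rule_disabled(msg):
    """Workaround from the reply: double-extension rule commented out.
    Executable-name rules are not modelled in this sketch."""
    return content_verdict(msg)

# Constructed samples using the filenames and score quoted in the thread.
SPAM = Message("report_082011-65.pdf.exe", spam_score=27.0)
HAM = Message("CurriculumVitae.doc.pdf", spam_score=0.3)
```

With the filename check first, the spam sample produces a notification to its forged sender; with the verdict first, only the legitimate message with the oddly named attachment generates notifications.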