MS Doesn't completely block spam with faulty attachments
Jules Field
MailScanner at ecs.soton.ac.uk
Thu Sep 1 18:41:35 IST 2011
Have you considered using something like "deny+delete" in your
filename.rules.conf instead of just "deny"? There are all sorts of
clever things you can do in those files. It's all documented at the top
of the default files I ship in the distribution.
Jules.
On 01/09/2011 18:06, Joolee wrote:
> The problem with the current spam is that they're blocked for
> containing exe files, not double file extensions (Although they
> would've hit that one if exe's were not blocked.)
>
> Only quick temporary solution is to disable all file-name validation
> because this can occur with more than just exe files and double
> extensions. This is no final solution though.
>
> On 1 September 2011 18:40, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
>
> Easiest thing to do in that case is to comment out the line in
> filename.rules.conf that disallows double extensions. The message
> will be accepted as normal and go through the additional tests (is
> it an executable, is it a virus, is it spam, etc.)
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907) 586-4500
>
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Joolee
> *Sent:* Thursday, September 01, 2011 7:32 AM
> *To:* MailScanner discussion
> *Subject:* Re: MS Doesn't completely block spam with faulty
> attachments
>
> I agree that it isn't a good idea to notify the sender of a spam
> or virus message. I'm not planning to do that; I know the troubles
> of backscatter.
>
> What I've configured is that if a user sends a completely normal
> (non-virus, non-spam) E-mail but with, for instance, a file named
> "CurriculumVitae.doc.pdf" (default output for a lot of PDF
> printers). The server sends out a warning to sender and the
> original message stripped of its attachment to the recipient of
> the message. Notifying the sender is not strictly necessary but if
> this is only done for such non-virus, non-spam messages, it isn't a
> problem either.
>
> The situation that bugs me is when some spam message with a file
> named "CurriculumVitae.doc.pdf" is received. The message hits the
> filename rule and *isn't processed any further to check if it's a
> spam message*. Because it isn't processed any further, the warning
> messages are sent out to both sender and original recipient.
>
> As I stated before, I can disable the sender notification. What I
> can't do is tell my customers (the recipients) that such wrongly
> named files, most containing important documents, are silently
> discarded. Sending spam to my customers that could have been
> recognized isn't an option either.
>
> The simplest solution, I think, would be to *continue processing*
> the message after a file name rule is hit, decide if the E-mail is
> HAM and in that case, send out the notifications. If the E-mail is
> spam, silently discard it.
> It would add a bit of load to the server but stopping spam is what
> it's all about, isn't it? :P
>
> On 1 September 2011 16:34, Julian Field
> <MailScanner at ecs.soton.ac.uk> wrote:
>
> He's probably switched on some "Notify Senders" options. Bad
> idea :-(
>
>
> On 01/09/2011 12:32, Martin Hepworth wrote:
>
> what version of MS?
>
> I never inform the sender of junk as you end up with fake
> messages sent out.
>
> --
> Martin Hepworth
> Oxford, UK
>
>
> On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:
>
> Hallo Everybody,
>
> I've experienced a small flood of virus E-mails. These E-mails
> (subj.: "ACH Payment *random number* Canceled") contain
> attachments named like: "report_082011-65.pdf.exe"
> They obviously get blocked by the "no executables" and "No double
> file extensions" rules. The problem is that after blocking them,
> an automated E-mail is sent to the original recipient and the
> (faked) sender of the message, informing them of the blocked
> attachment.
>
> Had the E-mails been processed further, they would've probably hit
> the virus scanner (not tested) or spamassassin (gives a score of 27
> when tested) and the E-mail would've silently been discarded as a
> virus / spam / phishing.
>
> Is it possible to let the MailScanner continue its processing
> when hitting the file name rules and / or running the filename
> rule at a later time?
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the
> website!
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
> 'All programs have a desire to be useful' - Tron, 1982
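Added example, not part of the original thread or of MailScanner's code: a small Python checker that reads a constructed rule set in the style of filename.rules.conf and reports which action the first matching rule assigns to the attachment names mentioned above, so a targeted "deny+delete" rule can be tried out beside the ordinary "deny" rules. It assumes four TAB-separated fields (action, regular expression, log text, user report text), first-match-wins ordering and case-insensitive matching; the patterns and log texts are constructed, and only the allow, deny and deny+delete actions are handled.

```python
import re

# Constructed rules (not the shipped defaults). Assumed field layout:
# action, regex, log text, user report text, separated by TAB characters.
CONSTRUCTED_RULES = "\n".join("\t".join(fields) for fields in [
    ("# disguised executables get the stricter action, listed first",),
    ("deny+delete", r"\.pdf\.exe$", "Executable posing as PDF", "Disguised executable"),
    ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Double extension",
     "Possible hidden extension"),
    ("deny", r"\.exe$", "Windows executable", "Executables are not allowed"),
])

VALID_ACTIONS = {"allow", "deny", "deny+delete"}

def parse_rules(text):
    """Return [(action, compiled_regex, log_text)] from a rules file body."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        fields = [f for f in line.split("\t") if f]  # tolerate repeated tabs
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 4 TAB-separated fields")
        action, pattern, log_text = fields[0].lower(), fields[1], fields[2]
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unsupported action {action!r}")
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text))
    return rules

def decide(filename, rules):
    """First matching rule wins; names that match nothing are allowed."""
    for action, regex, log_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "no rule matched"

RULES = parse_rules(CONSTRUCTED_RULES)

if __name__ == "__main__":
    # File names taken from the thread, plus two constructed ones.
    for name in ("report_082011-65.pdf.exe", "CurriculumVitae.doc.pdf",
                 "setup.exe", "minutes.pdf"):
        print(name, "->", decide(name, RULES))
```

Because the first match wins, the narrow `\.pdf\.exe$` rule has to sit above the general double-extension rule, otherwise it never fires.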