MS Doesn't completely block spam with faulty attachments

Glenn Steen glenn.steen at gmail.com
Thu Sep 1 22:07:43 IST 2011


That's not a problem, it's a feature... And a much needed one at that!
Why would you want to spend precious resources on a meaningless check, when
you already decided to stop the offending attachment?!
Don't deliver it at all, if it bothers you;-)

Cheers
-- 
-- Glenn
On 1 Sep 2011 19:12, "Joolee" <mailscanner at joolee.nl> wrote:
> The problem with the current spam is that they're blocked for containing exe
> files, not double file extensions (although they would've hit that one if
> exe's were not blocked).
>
> The only quick temporary solution is to disable all file-name validation because
> this can occur with more than just exe files and double extensions. This is
> no final solution though.
>
> On 1 September 2011 18:40, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
>
>> Easiest thing to do in that case is to comment out the line in
>> filename.rules.conf that disallows double extensions. The message will be
>> accepted as normal and go through the additional tests (is it an executable,
>> is it a virus, is it spam, etc.)
>>
>>
>> ...Kevin
>> --
>> Kevin Miller Registered Linux User No: 307357
>> CBJ MIS Dept. Network Systems Admin., Mail Admin.
>> 155 South Seward Street ph: (907) 586-0242
>> Juneau, Alaska 99801 fax: (907 586-4500
>>
>>
>> ------------------------------
>> *From:* mailscanner-bounces at lists.mailscanner.info [mailto:
>> mailscanner-bounces at lists.mailscanner.info] *On Behalf Of *Joolee
>> *Sent:* Thursday, September 01, 2011 7:32 AM
>> *To:* MailScanner discussion
>> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>>
>> I agree that it isn't a good idea to notify the sender of a spam or virus
>> message. I'm not planning to do that, I know the troubles of backscatter.
>>
>> What I've configured is that if a user sends a completely normal
>> (non-virus, non-spam) E-mail but with, for instance, a file named
>> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers), the
>> server sends out a warning to sender and the original message stripped of
>> its attachment to the recipient of the message. Notifying the sender is not
>> strictly necessary but if this is only done for such non-virus, non-spam
>> messages, it isn't a problem either.
>>
>> The situation that bugs me is when some spam message with a file named
>> "CurriculumVitae.doc.pdf" is received. The message hits the filename rule
>> and *isn't processed any further to check if it's a spam message*. Because
>> it isn't processed any further, the warning messages are sent out to both
>> sender and original recipient.
>>
>> As I stated before, I can disable the sender notification. What I can't do
>> is tell my customers (the recipients) that such wrongly named files, most
>> containing important documents, are silently discarded. Sending spam to my
>> customers that could have been recognized isn't an option either.
>>
>> The simplest solution, I think, would be to *continue processing* the
>> message after a file name rule is hit, decide if the E-mail is HAM and in
>> that case, send out the notifications. If the E-mail is spam, silently
>> discard it.
>> It would add a bit of load to the server but stopping spam is what it's all
>> about, isn't it? :P
>>
>> On 1 September 2011 16:34, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>
>>> He's probably switched on some "Notify Senders" options. Bad idea :-(
>>>
>>>
>>> On 01/09/2011 12:32, Martin Hepworth wrote:
>>>
>>>> what version of MS?
>>>>
>>>> I never inform the sender of junk as you end up with fake messages sent
>>>> out.
>>>>
>>>> --
>>>> Martin Hepworth
>>>> Oxford, UK
>>>>
>>>>
>>>> On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:
>>>>
>>>> Hello Everybody,
>>>>
>>>> I've experienced a small flood of virus E-mails. These E-mails
>>>> (subj.: "ACH Payment *random number* Canceled") contain
>>>> attachments named like: "report_082011-65.pdf.exe"
>>>> They obviously get blocked by the "no executables" and "No double
>>>> file extensions" rules. The problem is that after blocking them,
>>>> an automated E-mail is sent to the original recipient and the
>>>> (faked) sender of the message, informing them of the blocked
>>>> attachment.
>>>>
>>>> Had the E-mails been processed further, they would've probably hit
>>>> the virus scanner (not tested) or spamassassin (gives a score of 27
>>>> when tested) and the E-mail would've silently been discarded as a
>>>> virus / spam / phishing.
>>>>
>>>> Is it possible to let the MailScanner continue its processing
>>>> when hitting the file name rules and / or running the filename
>>>> rule at a later time?
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>> Jules
>>>>
>>>> --
>>>> Julian Field MEng CITP CEng
>>>> www.MailScanner.info
>>>>
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>> Need help customising MailScanner? Contact me!
>>>>
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> Follow me at twitter.com/JulesFM
>>>>
>>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
>>>> 'All programs have a desire to be useful' - Tron, 1982
>>>>
>>>
>>
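
The two processing orders debated in this thread, modelled as an added Python sketch; it is not MailScanner code and does not come from any poster. The regexes, the spam threshold of 5.0 and the example.* addresses are assumptions; the attachment names and the score of 27 are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass

# Constructed patterns for illustration; not copied from filename.rules.conf.
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif)$", re.I)
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$", re.I)
SPAM_THRESHOLD = 5.0  # assumed threshold


@dataclass
class Message:
    sender: str        # envelope sender; forged on the spam samples
    recipient: str
    attachment: str
    spam_score: float  # score a content scanner would assign if it ran


def filename_hit(name):
    return bool(EXECUTABLE.search(name) or DOUBLE_EXT.search(name))


def filename_first(msg):
    """Order described in the thread: a filename hit ends processing."""
    if filename_hit(msg.attachment):
        return {"action": "strip", "notify": [msg.sender, msg.recipient]}
    if msg.spam_score >= SPAM_THRESHOLD:
        return {"action": "discard", "notify": []}
    return {"action": "deliver", "notify": []}


def content_first(msg):
    """Order Joolee asks for: classify first, send notices only for ham."""
    if msg.spam_score >= SPAM_THRESHOLD:
        return {"action": "discard", "notify": []}
    if filename_hit(msg.attachment):
        return {"action": "strip", "notify": [msg.sender, msg.recipient]}
    return {"action": "deliver", "notify": []}


# Constructed samples built around the file names mentioned in the thread.
SAMPLES = [
    Message("forged@example.org", "user@example.com", "report_082011-65.pdf.exe", 27.0),
    Message("applicant@example.net", "hr@example.com", "CurriculumVitae.doc.pdf", 0.4),
    Message("spammer@example.org", "hr@example.com", "CurriculumVitae.doc.pdf", 12.0),
]


def notified(policy, messages):
    """Addresses that receive a 'blocked attachment' notice under a policy."""
    return [addr for m in messages for addr in policy(m)["notify"]]
```

With the filename check first, all three samples generate notices, including two to forged senders; with the content check first, only the legitimate CV message does.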