MS Doesn't completely block spam with faulty attachments

Joolee mailscanner at joolee.nl
Fri Sep 2 11:20:22 IST 2011


A feature that I would like to be able to disable ;)

"Why would you want to spend precious resources on a meaningless check, when
you already decided to stop the offending attachment?!"
To inform my paying user why the contract he's been waiting for was blocked.

I think I already made quite clear why it's not an option for me to
completely block them. I can't see why other users can't be bothered by it,
maybe they just accept that they can't solve it? (Not my way of handling
problems)

On 1 September 2011 23:07, Glenn Steen <glenn.steen at gmail.com> wrote:

> That's not a problem, it's a feature... And a much needed one at that!
> Why would you want to spend precious resources on a meaningless check, when
> you already decided to stop the offending attachment?!
> Don't deliver it at all, if it bothers you;-)
>
> Cheers
> --
> -- Glenn
> On 1 Sep 2011 19:12, "Joolee" <mailscanner at joolee.nl> wrote:
>
> > The problem with the current spam is that they're blocked for containing exe
> > files, not double file extensions (although they would've hit that one if
> > exe's were not blocked).
> >
> > The only quick temporary solution is to disable all file-name validation, because
> > this can occur with more than just exe files and double extensions. This is
> > no final solution though.
> >
> > On 1 September 2011 18:40, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
> >
> >> Easiest thing to do in that case is to comment out the line in
> >> filename.rules.conf that disallows double extensions. The message will be
> >> accepted as normal and go through the additional tests (is it an executable,
> >> is it a virus, is it spam, etc.)
> >>
> >>
> >> ...Kevin
> >> --
> >> Kevin Miller Registered Linux User No: 307357
> >> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> >> 155 South Seward Street ph: (907) 586-0242
> >> Juneau, Alaska 99801 fax: (907) 586-4500
> >>
> >>
> >> ------------------------------
> >> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Joolee
> >> Sent: Thursday, September 01, 2011 7:32 AM
> >> To: MailScanner discussion
> >> Subject: Re: MS Doesn't completely block spam with faulty attachments
> >>
> >> I agree that it isn't a good idea to notify the sender of a spam or virus
> >> message. I'm not planning to do that; I know the troubles of backscatter.
> >>
> >> What I've configured is that if a user sends a completely normal
> >> (non-virus, non-spam) E-mail but with, for instance, a file named
> >> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers), the
> >> server sends out a warning to the sender and the original message, stripped of
> >> its attachment, to the recipient of the message. Notifying the sender is not
> >> strictly necessary but if this is only done for such non-virus, non-spam
> >> messages, it isn't a problem either.
> >>
> >> The situation that bugs me is when some spam message with a file named
> >> "CurriculumVitae.doc.pdf" is received. The message hits the filename rule
> >> and *isn't processed any further to check if it's a spam message*. Because
> >> it isn't processed any further, the warning messages are sent out to both
> >> sender and original recipient.
> >>
> >> As I stated before, I can disable the sender notification. What I can't do
> >> is tell my customers (the recipients) that such wrongly named files, most
> >> containing important documents, are silently discarded. Sending spam to my
> >> customers that could have been recognized isn't an option either.
> >>
> >> The simplest solution, I think, would be to *continue processing* the
> >> message after a file name rule is hit, decide if the E-mail is HAM and in
> >> that case, send out the notifications. If the E-mail is spam, silently
> >> discard it.
> >> It would add a bit of load to the server but stopping spam is what it's all
> >> about, isn't it? :P
> >>
> >> On 1 September 2011 16:34, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> >>
> >>> He's probably switched on some "Notify Senders" options. Bad idea :-(
> >>>
> >>>
> >>> On 01/09/2011 12:32, Martin Hepworth wrote:
> >>>
> >>>> what version of MS?
> >>>>
> >>>> I never inform the sender of junk as you end up with fake messages sent
> >>>> out.
> >>>>
> >>>> --
> >>>> Martin Hepworth
> >>>> Oxford, UK
> >>>>
> >>>>
> >>>> On 1 September 2011 08:17, Joolee <mailscanner at joolee.nl> wrote:
> >>>>
> >>>> Hello Everybody,
> >>>>
> >>>> I've experienced a small flood of virus E-mails. These E-mails
> >>>> (subj.: "ACH Payment *random number* Canceled") contain
> >>>> attachments named like: "report_082011-65.pdf.exe".
> >>>> They obviously get blocked by the "no executables" and "No double
> >>>> file extensions" rules. The problem is that after blocking them,
> >>>> an automated E-mail is sent to the original recipient and the
> >>>> (faked) sender of the message, informing them of the blocked
> >>>> attachment.
> >>>>
> >>>> Had the E-mails been processed further, they would've probably hit
> >>>> the virusscanner (not tested) or spamassassin (gives a score of 27
> >>>> when tested) and the E-mail would've silently been discarded as a
> >>>> virus / spam / phishing.
> >>>>
> >>>> Is it possible to let the MailScanner continue its processing
> >>>> when hitting the file name rules and / or running the filename
> >>>> rule at a later time?
> >>>> --
> >>>> MailScanner mailing list
> >>>> mailscanner at lists.mailscanner.info
> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>
> >>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>
> >>>> Support MailScanner development - buy the book off the website!
> >>>>
> >>>> Jules
> >>>>
> >>>> --
> >>>> Julian Field MEng CITP CEng
> >>>> www.MailScanner.info
> >>>>
> >>>> Buy the MailScanner book at www.MailScanner.info/store
> >>>> Need help customising MailScanner? Contact me!
> >>>>
> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >>>> Follow me at twitter.com/JulesFM
> >>>>
> >>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> >>>> 'All programs have a desire to be useful' - Tron, 1982
> >>>>
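The ordering asked for in this thread (keep running the spam and virus checks after a filename rule has matched, then send warnings only for ham), sketched as an added Python example. It is not MailScanner code or configuration: the rule patterns, the threshold of 6 and the function names are assumptions, while the two filenames and the score of 27 are taken from the thread.

```python
import re

# Constructed first-match rule list: (action, regex, reason). The reasons reuse
# the rule names quoted in the thread; the patterns are assumptions.
RULES = [
    ("deny", r"\.exe$", "no executables"),
    ("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "no double file extensions"),
]
SPAM_THRESHOLD = 6.0  # hypothetical cut-off, not a value from the thread


def filename_verdict(name):
    """Return the reason of the first matching deny rule, or None if allowed."""
    for action, pattern, reason in RULES:
        if re.search(pattern, name, re.IGNORECASE):
            return reason if action == "deny" else None
    return None


def disposition(attachments, spam_score, is_virus=False, notify_sender=False):
    """Decide the outcome only after every check has produced a verdict.

    Returns (action, parties_to_notify, blocked_attachments).
    """
    blocked = {}
    for name in attachments:
        reason = filename_verdict(name)
        if reason:
            blocked[name] = reason
    if is_virus or spam_score >= SPAM_THRESHOLD:
        # Junk is dropped silently: no backscatter to a forged sender and no
        # warning to the recipient about a file that was never wanted.
        return "discard", set(), blocked
    if blocked:
        # Ham with a badly named file: strip it and say why.
        notify = {"recipient"} | ({"sender"} if notify_sender else set())
        return "strip_and_deliver", notify, blocked
    return "deliver", set(), blocked


if __name__ == "__main__":
    # Filenames and the score of 27 come from the thread; 0.3 is constructed.
    for files, score in [(["report_082011-65.pdf.exe"], 27.0),
                         (["CurriculumVitae.doc.pdf"], 0.3),
                         (["CurriculumVitae.doc.pdf"], 27.0)]:
        print(files, score, disposition(files, score))
```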