<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7601.17655"></HEAD>
<BODY>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of
</B>Joolee<BR><B>Sent:</B> Friday, September 02, 2011 6:20 AM<BR><B>To:</B>
MailScanner discussion<BR><B>Subject:</B> Re: MS Doesn't completely block spam
with faulty attachments<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>A feature that I would like to be able to disable ;)<BR><BR>"Why would you
want to spend precious resources on a meaningless check, when you already
decided to stop the offending attachment?!"<BR>To inform my paying user why the
contract he's been waiting for was blocked.<BR><BR>I think I already made quite
clear why it's not an option for me to completely block them. I can't see why
other users can't be bothered by it, maybe they just accept that they can't
solve it? (Not my way of handling problems)<BR><SPAN
class=702304212-02092011><FONT color=#0000ff size=2 face=Arial>[Rick
Cooper] </FONT></SPAN></DIV>
<DIV><SPAN class=702304212-02092011><FONT color=#0000ff size=2 face=Arial>Seems
like you need to modify your multiple extension rules to include dangerous
extensions and ignore the rest. For instance, a rule like</FONT></SPAN></DIV>
<DIV><SPAN class=702304212-02092011><FONT color=#0000ff size=2
face=Arial>/\.(exe|com|bat|vbs)\..+$/</FONT></SPAN></DIV>
<DIV><SPAN class=702304212-02092011><FONT color=#0000ff size=2 face=Arial>would
allow "something.good.doc.pdf" but would catch
"something.bad.doc.exe.pdf". Of course you would want (exe|vbs|com|bat) to
include extensions that you feel should be blocked in the multiple
extension rule. I had to change mine long ago because there are a *lot* of
people who create file names like "something.good.09.01.2011.doc". The default
rules are there for out-of-the-box functionality, but you can modify them as
required for your given situation, and clearly you need to pass multiple
extensions that are not likely to be malware. With MailScanner you can generally
solve any issues without accepting the default rules, or asking for something
else to be added either. There has been discussion in the past regarding being
able to define the order in which the processing events take place, but this
would require a HUGE change in the core of MailScanner, and Julian does have a
job that puts food on the table. Unless MailScanner evolves into a programming
team or group, that is not likely to ever happen.</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT
color=#0000ff size=2 face=Arial></FONT><BR><BR></DIV>
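<DIV>The effect of narrowing the double-extension rule as suggested in the reply above, as an added example that is not part of the original message and is not MailScanner code. The broad double-extension pattern, the executable pattern, the first-match-wins ordering and the last sample file name are assumptions made for this illustration; the other file names are the ones quoted in the thread.</DIV>

```python
import re

# Narrowed rule quoted in the reply above (dangerous ext + a further ext).
NARROW_DOUBLE_EXT = r"\.(exe|com|bat|vbs)\..+$"
# ASSUMPTION: constructed stand-in for a broad default-style rule.
BROAD_DOUBLE_EXT = r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$"
# ASSUMPTION: minimal stand-in for the separate "no executables" rule.
EXECUTABLE = r"\.(exe|com|bat|vbs)$"


def build_ruleset(double_ext_pattern):
    """Ordered (action, regex, reason) rules; evaluation is first match wins."""
    rules = [
        ("deny", double_ext_pattern, "double extension"),
        ("deny", EXECUTABLE, "executable"),
    ]
    return [(act, re.compile(pat, re.IGNORECASE), why) for act, pat, why in rules]


def verdict(filename, ruleset):
    """Return (action, reason) for the first rule that matches the name."""
    for action, regex, why in ruleset:
        if regex.search(filename):
            return action, why
    return "allow", "no rule hit"


# Attachment names quoted in the thread, plus one constructed name (last)
# showing that ".com." inside a host-like name also trips the narrowed rule.
SAMPLES = [
    "CurriculumVitae.doc.pdf",
    "report_082011-65.pdf.exe",
    "something.good.doc.pdf",
    "something.bad.doc.exe.pdf",
    "something.good.09.01.2011.doc",
    "www.example.com.invoice.pdf",
]


def compare(samples=SAMPLES):
    """Map each name to its (broad ruleset, narrowed ruleset) verdicts."""
    broad = build_ruleset(BROAD_DOUBLE_EXT)
    narrow = build_ruleset(NARROW_DOUBLE_EXT)
    return {n: (verdict(n, broad), verdict(n, narrow)) for n in samples}


if __name__ == "__main__":
    for name, (b, n) in compare().items():
        print(f"{name:32} broad={b[0]:6} narrowed={n[0]:6} ({n[1]})")
```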
<DIV class=gmail_quote>On 1 September 2011 23:07, Glenn Steen <SPAN
dir=ltr><<A href="mailto:glenn.steen@gmail.com"
target=_blank>glenn.steen@gmail.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<P>That's not a problem, it's a feature... And a much needed one at
that!<BR>Why would you want to spend precious resources on a meaningless
check, when you already decided to stop the offending attachment?!<BR>Don't
deliver it at all, if it bothers you;-) </P>
<P>Cheers<BR>-- <BR>-- Glenn</P>
<DIV class=gmail_quote>On 1 Sep 2011 19:12, "Joolee" <<A
href="mailto:mailscanner@joolee.nl"
target=_blank>mailscanner@joolee.nl</A>> wrote:
<DIV>
<DIV></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT
color=#0000ff size=2 face=Arial></FONT><BR type="attribution">> The problem
with the current spam is that they're blocked for containing exe<BR>>
files, not double file extensions (Although they would've hit that one
if<BR>> exe's were not blocked.)<BR>> <BR>> Only quick temporary
solution is to disable all file-name validation because<BR>> this can occur
with more than just exe files and double extensions. This is<BR>> no final
solution though.<BR>> <BR>> On 1 September 2011 18:40, Kevin Miller
<<A href="mailto:Kevin_Miller@ci.juneau.ak.us"
target=_blank>Kevin_Miller@ci.juneau.ak.us</A>>wrote:<BR>> <BR>>>
**<BR>>> Easiest thing to do in that case is to comment out the line
in<BR>>> filename.rules.conf that disallows double extensions. The
message will be<BR>>> accepted as normal and go through the additional
tests (is it an executable,<BR>>> is it a virus, is it spam,
etc.)<BR>>><BR>>><BR>>> ...Kevin<BR>>> --<BR>>>
Kevin Miller Registered Linux User No: 307357<BR>>> CBJ MIS Dept.
Network Systems Admin., Mail Admin.<BR>>> 155 South Seward Street ph:
(907) 586-0242<BR>>> Juneau, Alaska 99801 fax: (907
586-4500<BR>>><BR>>><BR>>>
------------------------------<BR>>> *From:* <A
href="mailto:mailscanner-bounces@lists.mailscanner.info"
target=_blank>mailscanner-bounces@lists.mailscanner.info</A>
[mailto:<BR>>> <A
href="mailto:mailscanner-bounces@lists.mailscanner.info"
target=_blank>mailscanner-bounces@lists.mailscanner.info</A>] *On Behalf Of
*Joolee<BR>>> *Sent:* Thursday, September 01, 2011 7:32 AM<BR>>>
*To:* MailScanner discussion<BR>>> *Subject:* Re: MS Doesn't completely
block spam with faulty attachments<BR>>><BR>>> I agree that it
isn't a good idea to notify the sender of a spam or virus<BR>>> message.
I'm not planning to do that; I know the troubles of
backscatter.<BR>>><BR>>> What I've configured is that if a user
sends a completely normal<BR>>> (non-virus, non-spam) E-mail but with,
for instance, a file named<BR>>> "CurriculumVitae.doc.pdf" (default
output for a lot of PDF printers). The<BR>>> server sends out a warning
to sender and the original message stripped of<BR>>> its attachment to
the recipient of the message. Notifying the sender is not<BR>>> strictly
necessary but if this is only done for such non-virus, non-spam<BR>>>
message, it isn't a problem either.<BR>>><BR>>> The situation that
bugs me is when some spam message with a file named<BR>>>
"CurriculumVitae.doc.pdf" is received. The message hits the filename
rule<BR>>> and *isn't processed any further to check if it's a spam
message*. Because<BR>>> it isn't processed any further, the warning
messages are sent out to both<BR>>> sender and original
recipient.<BR>>><BR>>> As I stated before, I can disable the
sender notification. What I can't do<BR>>> is tell my customers (the
recipients) that such wrongly named files, most<BR>>> containing
important documents, are silently discarded. Sending spam to my<BR>>>
customers that could have been recognized isn't an option
either.<BR>>><BR>>> The simplest solution, I think, would be to
*continue processing* the<BR>>> message after a file name rule is hit,
decide if the E-mail is HAM and in<BR>>> that case, send out the
notifications. If the E-mail is spam, silently<BR>>> discard
it.<BR>>> It would add a bit of load to the server but stopping spam is
what it's all<BR>>> about, isn't it? :P<BR>>><BR>>> On 1
September 2011 16:34, Julian Field <<A
href="mailto:MailScanner@ecs.soton.ac.uk"
target=_blank>MailScanner@ecs.soton.ac.uk</A>>wrote:<BR>>><BR>>>>
He's probably switched on some "Notify Senders" options. Bad idea
:-(<BR>>>><BR>>>><BR>>>> On 01/09/2011 12:32,
Martin Hepworth wrote:<BR>>>><BR>>>>> what version of
MS?<BR>>>>><BR>>>>> I never inform the sender of junk
as you end up with fake messages sent<BR>>>>>
out.<BR>>>>><BR>>>>> --<BR>>>>> Martin
Hepworth<BR>>>>> Oxford,
UK<BR>>>>><BR>>>>><BR>>>>> On 1 September
2011 08:17, Joolee <<A href="mailto:mailscanner@joolee.nl"
target=_blank>mailscanner@joolee.nl</A> <mailto:<BR>>>>> <A
href="mailto:mailscanner@joolee.nl"
target=_blank>mailscanner@joolee.nl</A>>**>
wrote:<BR>>>>><BR>>>>> Hallo
Everybody,<BR>>>>><BR>>>>> I've experienced a small
flood of virus E-mails. These E-mails<BR>>>>> (subj.: "ACH Payment
*random number* Canceled") contain<BR>>>>> attachments named like:
"report_082011-65.pdf.exe"<BR>>>>> They obviously get blocked by
the "no executables" and "No double<BR>>>>> file extensions"
rules. The problem is that after blocking them,<BR>>>>> an
automated E-mail is sent to the original recipient and the<BR>>>>>
(faked) sender of the message, informing them of the
blocked<BR>>>>>
attachment.<BR>>>>><BR>>>>> Had the E-mails been
processed further, they would've probably hit<BR>>>>> the
virusscanner (not tested) or spamassassin (gives a score of
27<BR>>>>> when tested) and the E-mail would've silently been
discarded as a<BR>>>>> virus / spam /
phishing.<BR>>>>><BR>>>>> Is it possible to let the
MailScanner continue its processing<BR>>>>> when hitting the file
name rules and / or running the filename<BR>>>>> rule at a later
time?<BR>>>>> --<BR>>>>> MailScanner mailing
list<BR></DIV></DIV>>>>>
mailscanner@lists.mailscanner.**info<<A
href="mailto:mailscanner@lists.mailscanner.info"
target=_blank>mailscanner@lists.mailscanner.info</A>><BR>>>>>
<mailto:<A href="mailto:mailscanner@lists."
target=_blank>mailscanner@lists.</A>**<A href="http://mailscanner.info"
target=_blank>mailscanner.info</A><<A
href="mailto:mailscanner@lists.mailscanner.info"
target=_blank>mailscanner@lists.mailscanner.info</A>>><BR>>>>><BR>>>>><BR>>>>>
<A href="http://lists.mailscanner.info/**mailman/listinfo/mailscanner"
target=_blank>http://lists.mailscanner.info/**mailman/listinfo/mailscanner</A><<A
href="http://lists.mailscanner.info/mailman/listinfo/mailscanner"
target=_blank>http://lists.mailscanner.info/mailman/listinfo/mailscanner</A>><BR>>>>><BR>>>>>
Before posting, read <A href="http://wiki.mailscanner.info/**posting"
target=_blank>http://wiki.mailscanner.info/**posting</A><<A
href="http://wiki.mailscanner.info/posting"
target=_blank>http://wiki.mailscanner.info/posting</A>>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT><FONT color=#0000ff size=2
face=Arial></FONT><BR>>>>><BR>>>>> Support MailScanner
development - buy the book off the
website!<BR>>>>><BR>>>>><BR>>>>><BR>>>>><BR>>>>><BR>>>>>
Jules<BR>>>>><BR>>>>> --<BR>>>>> Julian
Field MEng CITP CEng<BR>>>>> <A href="http://www.MailScanner.info"
target=_blank>www.MailScanner.info</A><BR>>>>><BR>>>>>
Buy the MailScanner book at <A href="http://www.MailScanner.info/store"
target=_blank>www.MailScanner.info/store</A><BR>>>>> Need help
customising MailScanner? Contact me!<BR>>>>><BR>>>>>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415
B654<BR>>>>> Follow me at <A href="http://twitter.com/JulesFM"
target=_blank>twitter.com/JulesFM</A><BR>>>>><BR>>>>>
'It's okay to live without all the answers' - Charlie Eppes,
2011<BR>>>>> 'All programs have a desire to be useful' - Tron,
1982<BR>>>>><BR>>>><BR>>>> --<BR>>>>
This message has been scanned for viruses and<BR>>>> dangerous
content by MailScanner, and is<BR>>>> believed to be
clean.<BR></DIV></DIV><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>