"How can you tell if it's a good double extension file (ie what the server THINKS NOW is non-spam/non-malware)"<br>You can't, that's my whole point. I think the behavior to just replace the file with a warning message and send the mail through is the perfect solution. My only problem is that this method should NOT be used when the mail hits other spam traps. (Virus Scanner, Spamassassin) In that case, the message should just be handled like any other spam message.<br>
<br>What happens now is that the file with double extension (or other stuff hitting the file name rules like ridiculously long file names) gets replaced with a warning message and directly send to the recipient. Mailscanner doesn't care if it's a spam message or not. This places phishing or spam messages in my users mailboxes. The harmful attachments are stripped but the message should have been blocked because it woul've hit other spam traps IF Mailscanner would take the trouble of processing the message further.<br>
<br>I could just block all E-mails completely that hit such rules but with the amount of false positives, that's not an option. Disabling these rules altogether is possible but not a long term solution. I'm trying to revert the 20090730 changes in the MailScanner binary. That will probably solve it but isn't very convenient with future updates.<br>
<br><div class="gmail_quote">On 2 September 2011 13:18, Martin Hepworth <span dir="ltr"><<a href="mailto:maxsec@gmail.com" target="_blank">maxsec@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
How can you tell if it's a good double extension file (ie what the server THINKS NOW is non-spam/non-malware) vs what is actually bad vs a new virus signature that comes after the event that would flag the file as problematic. The double extn trap is designed to solve a particular trick the bad guys started playing years ago and the AV's weren't picking them up fast enough.<br>
<br> drop the double extn check and let them through if this is causing too many issues (false positives) - you can even do this on a per recipient/domain level (<a href="http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading" target="_blank">http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading</a>) for common recipients of this stuff, or educate the users that it's bad and wrong and they should cleanup the filenames before sending. or both!<br>
<br>Either<br><font color="#888888"><br clear="all">-- <br>Martin Hepworth<br>Oxford, UK</font><div><div></div><div><br>
<br><br><div class="gmail_quote">On 2 September 2011 11:20, Joolee <span dir="ltr"><<a href="mailto:mailscanner@joolee.nl" target="_blank">mailscanner@joolee.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
A feature that i would like to be able to disable ;)<div><br><br>"Why would you want to spend precious resources on a meaningless check,
when you already decided to stop the offending attachment?!"<br></div>To inform my paying user why the contract he's been waiting for was blocked.<br><br>I think I already made quite clear why it's not an option for me to completely block them. I can't see why other users can't be bothered by it, maybe they just accept that they can't solve it? (Not my way of handling problems)<div>
<div></div><div><br>
<br><div class="gmail_quote">On 1 September 2011 23:07, Glenn Steen <span dir="ltr"><<a href="mailto:glenn.steen@gmail.com" target="_blank">glenn.steen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>That's not a problem, it's a feature... And a much needed one at that!<br>
Why would you want to spend precious resources on a meaningless check, when you already decided to stop the offending attachment?!<br>
Don't deliver it at all, if it bothers you;-) </p>
<p>Cheers<br>
-- <br>
-- Glenn</p>
<div class="gmail_quote">Den 1 sep 2011 19:12 skrev "Joolee" <<a href="mailto:mailscanner@joolee.nl" target="_blank">mailscanner@joolee.nl</a>>:<div><div></div><div><br type="attribution">> The problem with the current spam is that they're blocked for containing exe<br>
> files, not double file extensions (Although they woul've hit that one if<br>> exe's were not clocked.)<br>> <br>> Only quick temporary solution is to disable all file-name validation because<br>> this can occur with more than just exe files and double extensions. This is<br>
> no final solution though.<br>> <br>> On 1 September 2011 18:40, Kevin Miller <<a href="mailto:Kevin_Miller@ci.juneau.ak.us" target="_blank">Kevin_Miller@ci.juneau.ak.us</a>>wrote:<br>> <br>>> **<br>
>> Easiest thing to do in that case is to comment out the line in<br>
>> filename.rules.conf that disallows double extensions. The message will be<br>>> accepted as normal and go through the additional tests (is it an executable,<br>>> is it a virus, is it spam, etc.)<br>
>><br>>><br>>> ...Kevin<br>>> --<br>>> Kevin Miller Registered Linux User No: 307357<br>>> CBJ MIS Dept. Network Systems Admin., Mail Admin.<br>>> 155 South Seward Street ph: <a href="tel:%28907%29%20586-0242" value="+19075860242" target="_blank">(907) 586-0242</a><br>
>> Juneau, Alaska 99801 fax: <a href="tel:%28907%20586-4500" value="+19075864500" target="_blank">(907 586-4500</a><br>>><br>>><br>>> ------------------------------<br>>> *From:* <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a> [mailto:<br>
>> <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] *On Behalf Of *Joolee<br>>> *Sent:* Thursday, September 01, 2011 7:32 AM<br>>> *To:* MailScanner discussion<br>
>> *Subject:* Re: MS Doesn't completely block spam with faulty attachments<br>>><br>>> I agree that it isn't a good idea to notify the sender of a spam or virus<br>>> message I'm not planning to do that, I know the troubles of backscatter.<br>
>><br>>> What I've configured is that if a user sends a completely normal<br>>> (non-virus, non-spam) E-mail but with, for instance, a file named<br>>> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers). The<br>
>> server sends out a warning to sender and the original message stripped of<br>>> it's attachment to the recipient of the message. Notifying the sender is not<br>>> strictly necessary but if this is only done for such non-virus, non-spam<br>
>> message, it isn't a problem either.<br>>><br>>> The situation that bugs me is when some spam message with a file named<br>>> "CurriculumVitae.doc.pdf" is received. The message hits the filename rule<br>
>> and* isn't processed any further to check if its a spam message*. Because<br>>> it isn't processed any further, the warning messages are send out to both<br>>> sender and original recipient.<br>
>><br>>> As I stated before, I can disable the sender notification. What I can't do<br>>> is tell my customers (the recipients) that such wrongly named files, most<br>>> containing important documents, are silently discarded. Sending spam to my<br>
>> customers that could have been recognized isn't an option either.<br>>><br>>> The simplest solution, I think, would be to *continue processing* the<br>>> message after a file name rule is hit, decide if the E-mail is HAM and in<br>
>> that case, send out the notifications. If the E-mail is spam, silently<br>>> discard it.<br>>> It would add a bit of load to the server but stopping spam is what it's all<br>>> about, isn't it? :P<br>
>><br>>> On 1 September 2011 16:34, Julian Field <<a href="mailto:MailScanner@ecs.soton.ac.uk" target="_blank">MailScanner@ecs.soton.ac.uk</a>>wrote:<br>>><br>>>> He's probably switched on some "Notify Senders" options. Bad idea :-(<br>
>>><br>>>><br>>>> On 01/09/2011 12:32, Martin Hepworth wrote:<br>>>><br>>>>> what version of MS?<br>>>>><br>>>>> I never inform the sender of junk as you end up with fake messages sent<br>
>>>> out.<br>>>>><br>>>>> --<br>>>>> Martin Hepworth<br>>>>> Oxford, UK<br>>>>><br>>>>><br>>>>> On 1 September 2011 08:17, Joolee <<a href="mailto:mailscanner@joolee.nl" target="_blank">mailscanner@joolee.nl</a> <mailto:<br>
>>>> <a href="mailto:mailscanner@joolee.nl" target="_blank">mailscanner@joolee.nl</a>>**> wrote:<br>>>>><br>>>>> Hallo Everybody,<br>>>>><br>>>>> I've experienced a small flood of virus E-mails. These E-mails<br>
>>>> (subj.: "ACH Payment *random number* Canceled") contain<br>>>>> attachments named like: "report_082011-65.pdf.exe"<br>>>>> They obviously get blocked by the "no executables" and "No double<br>
>>>> file extensions" rules. The problem is that after blocking them,<br>>>>> an automated E-mail is send to the original recipient and the<br>>>>> (faked) sender of the message, informing them of the blocked<br>
>>>> attachment.<br>>>>><br>>>>> Had the E-mails been processed further, they would've probably hit<br>>>>> the virusscanner (not tested) or spamassassin (gives a score of 27<br>
>>>> when tested) and the E-mail would've silently been discarded as a<br>>>>> virus / spam / phishing.<br>>>>><br>>>>> Is it possible to let the MailScanner continue it's processing<br>
>>>> when hitting the file name rules and / or running the filename<br>>>>> rule at a later time?<br>>>>> --<br>>>>> MailScanner mailing list<br></div></div>>>>> mailscanner@lists.mailscanner.**info<<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a>><br>
>>>> <mailto:<a href="mailto:mailscanner@lists." target="_blank">mailscanner@lists.</a>**<a href="http://mailscanner.info" target="_blank">mailscanner.info</a><<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a>>><br>
>>>><br>>>>><br>>>>> <a href="http://lists.mailscanner.info/**mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/**mailman/listinfo/mailscanner</a><<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a>><br>
>>>><br>>>>> Before posting, read <a href="http://wiki.mailscanner.info/**posting" target="_blank">http://wiki.mailscanner.info/**posting</a><<a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a>><div>
<br>
>>>><br>>>>> Support MailScanner development - buy the book off the website!<br>>>>><br>>>>><br>>>>><br>>>>><br>>>>><br>>>>> Jules<br>
>>>><br>>>>> --<br>>>>> Julian Field MEng CITP CEng<br>>>>> <a href="http://www.MailScanner.info" target="_blank">www.MailScanner.info</a><br>>>>><br>>>>> Buy the MailScanner book at <a href="http://www.MailScanner.info/store" target="_blank">www.MailScanner.info/store</a><br>
>>>> Need help customising MailScanner? Contact me!<br>>>>><br>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>>>>> Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a><br>
>>>><br>>>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011<br>>>>> 'All programs have a desire to be useful' - Tron, 1982<br>>>>><br>
>>><br>>>> --<br>>>> This message has been scanned for viruses and<br>>>> dangerous content by MailScanner, and is<br>>>> believed to be clean.<br>>>><br>>>> --<br>
>>> MailScanner mailing list<br></div>>>> mailscanner@lists.mailscanner.**info <<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a>><br>>>> <a href="http://lists.mailscanner.info/**mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/**mailman/listinfo/mailscanner</a><<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a>><br>
>>><br>>>> Before posting, read <a href="http://wiki.mailscanner.info/**posting" target="_blank">http://wiki.mailscanner.info/**posting</a><<a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a>><div>
<br>
>>><br>>>> Support MailScanner development - buy the book off the website!<br>>>><br>>><br>>><br>>> --<br>>> MailScanner mailing list<br>>> <a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
>> <a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>>><br>>> Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
>><br>>> Support MailScanner development - buy the book off the website!<br>>><br>>><br></div></div>
<br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br>
</div></div><br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br>
</div></div><br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br>