Hi Jason,

Read the text contained in quarantine-attachments.txt carefully:

[snip]
.exe    0    Executeable attachment too large
# That would ban .EXE files from your site (but would
# still allow .zip files)..
[/snip]

This will block all *.exe files (no matter what size they are), but
won't block any other file type like zip or mp3.
For sure qmail-scanner will NOT unzip your files and scan for exe files in
them.
If you want to block exe files larger than 1MB, I think you should use
something like:

.exe 1024 Executeable att. too large

I'm not sure if the size is in bytes or something else.



-cornelius


----- Original Message -----
From: "Jason Lieurance" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 08, 2003 3:33 AM
Subject: [Qmail-scanner-general].zip attactments with .exe are being blocked


> Hello,
>
> I have a freebsd 4.7 email server with qmail, courier-imap, squirrelmail, clamav,
> spam assassin, qmail-scanner, etc. Anyway, everything works great except zip
> attachments with .exe are being blocked. Here is a snip of the
> quarantine-attachments.txt file:
>
> [snip]
> .exe        0        Executable attachment too large
> #
> # That would ban .EXE files from your site (but would
> # still allow .zip files...
> #
> # .mp3        0        MP3 attachments disallowed
> #
> # ...would stop any Email containing MP3 attachments passing.
> #
> # NOTE 4: No you can't use  this to ban any file (i.e. *.*) that's over
> # a certain size  - you should
> # "echo 10000000 > /var/qmail/control/databytes"
> # to set the maximum SMTP message size to 10Mb.
> #
> # NOTE 5: The second option allows you to match on header. This would allow
> # you to block Email viruses when you don't know anything else other than
> # there's a wierd Subject line (or From line, or X-Spanska: header, ...).
> # Note that it's a case-sensitive, REGEX string, and the system will
> # automatically surround it with ^ and $ before matching. i.e. if you
> # want wildcards, explicitly put them in...
> #
> # The string _must_be_ "Virus-" followed by the header you wish to match
> # on - followed by a colon (:).
> #
> # e.g.
> #
> # Pickles.*Breakfast        Virus-Subject:        Fake Example Pickles virus
> #
> # will match "Subject: Pickles for Breakfast" - and
> # not "Subject: Pickles - where did you go?"
> #
> #
> # NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
> # headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
> # Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
> #
> # e.g.
> #
> # [EMAIL PROTECTED]        Virus-MAILFROM:        Bad mail envelope not allowed here!
> #
> # NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
> # actions against the IP address of the SMTP client.
> #
>
> EICAR.COM                69        EICAR Test Virus
> Happy99.exe                10000        Happy99 Trojan
> zipped_files.exe        120495        W32/ExploreZip.worm.pak virus
> ILOVEYOU                Virus-Subject:        Love Letter Virus/Trojan
> message/partial                Virus-Content-Type:        Message/partial MIME attachments blocked by policy
> #The following matches Date: headers that are over 100 chars in length
> #these are impossible in the wild
> .{100,}                        Virus-Date:                MIME Header Buffer Overflow
> .{100,}                        Virus-Mime-Version:        MIME Header Buffer Overflow
> .{100,}                        Virus-Resent-Date:        MIME Header Buffer Overflow
> #
> #Let's stop that nasty BadTrans virus from uploading your keystrokes...
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]atka.net|[EMAIL PROTECTED]        Virus-To:        BadTrans Trojan exploit!
>
> #
> # These are examples of prudent defaults to set for most sites.
> # Commented out by default
> .vbs        0        VBS files not allowed per Company security policy
> .lnk        0        LNK files not allowed per Company security policy
> .scr        0        SCR files not allowed per Company security policy
> .wsh        0        WSH files not allowed per Company security policy
> .hta        0        HTA files not allowed per Company security policy
> .pif        0        PIF files not allowed per Company security policy
> [snip]
>
>
> And here is the blocked message I receive:
>
> [message]
> A Disallowed attachment type was found in an Email message you sent.
> This Email scanner intercepted it and stopped the entire message
> reaching its destination.
>
> The Disallowed attachment type was reported to be:
>
> Executable attachment too large
>
> ...
> ---perlscanner results ---
> Disallowed attachment type 'Executable attachment too large' found in file
> /var/spool/qmailscan/redhat.vipersystems.biz106285886642662617/25k9240.exe
> [message]
>
> I thought the 0 meant the message could be any size and this file was only like
> 460KB and it was in a zip file.
> Any help would be appreciated.
>
> --
> Jason
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>
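
An added illustration, not part of either message and not qmail-scanner's own code: a small Python model of the header rules described in NOTE 5 of the quoted file (case-sensitive regex, automatically wrapped in ^ and $). It assumes tab-separated columns and that the pattern is applied to the header value with surrounding whitespace stripped; the function names are hypothetical, and filename/size rows and the envelope pseudo-headers are not modelled.

```python
import re
from email import message_from_string

# Constructed rules in the three-column layout quoted above (columns assumed
# to be tab-separated); the patterns are the ones shown in the quoted file.
RULES_TXT = (
    "Pickles.*Breakfast\tVirus-Subject:\tFake Example Pickles virus\n"
    "ILOVEYOU\tVirus-Subject:\tLove Letter Virus/Trojan\n"
    ".{100,}\tVirus-Date:\tMIME Header Buffer Overflow\n"
    ".exe\t0\tExecutable attachment too large\n"
)

def parse_header_rules(text):
    """Return (header, compiled_regex, description) for Virus-<header>: rows."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = [c for c in line.split("\t") if c]
        if len(cols) != 3 or not cols[1].startswith("Virus-"):
            continue  # filename/size rows are out of scope for this sketch
        header = cols[1][len("Virus-"):].rstrip(":")
        # NOTE 5: case-sensitive, and surrounded with ^ and $ before matching,
        # so a pattern without explicit wildcards must equal the whole value.
        rules.append((header, re.compile("^" + cols[0] + "$"), cols[2]))
    return rules

def match_headers(raw_message, rules):
    """Return the description of every rule that matches a header value."""
    msg = message_from_string(raw_message)
    hits = []
    for header, regex, desc in rules:
        for value in msg.get_all(header, []):
            if regex.search(value.strip()):
                hits.append(desc)
    return hits

RULES = parse_header_rules(RULES_TXT)

def subject_hits(subject):
    """Convenience wrapper: test one Subject value against RULES."""
    return match_headers("Subject: " + subject + "\n\nbody\n", RULES)
```

Because of the implicit anchoring, the `ILOVEYOU` rule matches only a Subject that is exactly that string; a site that wants to catch replies or prefixed subjects has to write the wildcards into the pattern itself.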



