Re: [Exim] Re: fragmented ?

Top Page
Delete this message
Reply to this message
Author: Nico Erfurth
Date:  
To: Leonardo Boselli, exim-users
Subject: Re: [Exim] Re: fragmented ?
Leonardo Boselli wrote:
> OK ... but i think it should not be used since based only on partial
> message one cannot be sure that teh content is malicious. One should
> accept, store and block only when enought code is arrived to trigger
> the virus, but I think it would be a bit difficult. But then one if
> it is so paranoid, should also take in consideration that message
> (outlook traps) that have inside them an url pointing to an object
> that is an executable not being a virus, but just a program
> containing a *PG* key and istructions to search for an encrypted
> message (for example the background image of the message itself),
> that would not have triggered the antivirus by itself, and executes
> the decoded file ....


Message fragmenting is not really used by anyone (at least i don't know
a case where it is used).

But it CAN be used to bypass filters, and that's bad, sure we could save
single parts and wait until we've got all to regenerate the complete
message and check it with a virusscanner. But whats so bad about
rejecting the message with a failure and saying "We don't accept
fragmented messages". As long as you don't blackhole the message
everything is ok.

Other people reject messages just because they contain executeable
content and reply "Please zip the file" or something like that.

ciao