Re: [Exim] Bugbear/B filtration

Author: Mike Richardson
Date:  
To: Dan Egli
CC: Exim users list
Subject: Re: [Exim] Bugbear/B filtration
> I suppose that this would be true. I suppose there is no harm in erring
> on the side of caution. But it does make things extremely difficult at
> times for more advanced users who are trying to make a legitimate
> mailing of an executable file. OR a screen saver. I mailed some screen
> savers to a friend the other day (.scr extension on all of them).


I'm with Alan on this. We use AV, demime and extension filtering. The
AV stuff is very good and gets most of the viruses but even a 1%
failure rate could be disastrous when we handle a million mails a
week and the AV software catches up to 7000 virus emails a day.

We're slowly adding extensions which we block on to make sure that security
and convenience have an acceptable balance. So far no one has complained
about exe, com, vbs and pif. This is likely to be extended (pun intended)
to scr soon.

> |>Mcafee identified it as "an unknown virus or trojan".
> |
> |
> | Fine, but are you going to rely on that alone to protect your naive
> | users?
> |
>
> Actually, on anyone I know who connects to my mail server, I also
> STRONGLY insist that they have virus protection on the PC itself. For
> example, I have Norton AntiVirus on this box I'm typing on. It works
> great as a 2nd line of defence. I suppose it's not so bad if it's only


We also strongly encourage users to have desktop AV - and we supply it for
free to staff and students. However they aren't good at keeping them
up-to-date.

> Well in this case I could not send zip very easily. I don't HAVE WinZip
> or anything of the like installed. I have WinRAR. It compresses MUCH
> tighter. I did a test compression once a while back, and given the same
> 10MB directory of mixed content (EXEs, TXT files, BMPs, etc...), I got a
> whopping 23% better compression with a solid RAR than with a zip file.
> Now considering that I am oft times connecting to a dialup, every KB
> that I can shave off a file means reduced transfer times. The file was
> 2MB+ as it was.


My response is likely to be slightly more ruthless than most. Don't
email them then. FTP, scp, HTTP, SMB, NFS, Kazaa, whatever.. are orders
of magnitude more efficient for shifting large files than SMTP. None
of them are likely to suffer the same problems of filtering and you
don't need to zip them up.

Mail admins are fighting a constant battle to protect ungrateful,
naive, arrogant, demanding and often stupid (I'm thinking about my
own userbase here - it's not a personal comment) against their own and
their software's shortcomings. However without bloody Windows the
scale of this problem would mean that many fewer precautions would be
necessary so I'm afraid that, at least for me, the odd complaint from
someone being inconvenienced by not being able to mail something in
one of the many easily abusable file formats will be filed in the
'Casualty of War' bin.

(insert punctuation where necessary)

I get the feeling that at some time in the future I'm going to have
to float the 'block all attachments on incoming mail' plan. I'm sure
other places do it.

Mike

--
-----Plain text only please - attachments stripped on arrival.------
Copyright 2003       Mike Richardson, Room G98, Manchester Computing
University of Manchester, M13 9PL     doctor@???    Int: 56009
Left through main doors.         Right then left at end of corridor.
First door on left.   URL http://kira.mcc.ac.uk/  Ext: 0161 275 6009
--------------------------------------------------------------------
"If I want your opinion, I'll **** it out of you!" - Chuck Norris
"If anything happens to my daughter I have a ** and ******" Clueless
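
Added example, not part of the original message and not Exim or demime code: a standalone Python sketch of the extension check the message describes, using the extensions it names (exe, com, vbs, pif) and showing the effect of adding scr. The function names, addresses and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the message says are blocked today; it says scr may follow.
BLOCKED = frozenset({"exe", "com", "vbs", "pif"})

def blocked_attachments(raw, blocked=BLOCKED):
    """Return (filename, extension) for each MIME part with a blocked extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Content-Disposition filename, falling back to the Content-Type name
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension matters: "photo.jpg.pif" is a pif.
        # Trailing dots and spaces are dropped first, as Windows ignores them.
        cleaned = name.strip().rstrip(". ").lower()
        ext = cleaned.rpartition(".")[2] if "." in cleaned else ""
        if ext in blocked:
            hits.append((name, ext))
    return hits

def build_sample():
    """Constructed test message (not from the thread) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for fname in ("notes.txt", "photo.jpg.pif", "Setup.EXE", "saver.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    print(blocked_attachments(raw))                    # current block list
    print(blocked_attachments(raw, BLOCKED | {"scr"}))  # with scr added
```

The check is on the declared filename only, so it complements content scanning rather than replacing it, which matches the layered AV, demime and extension setup described in the message.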