Re: [Exim] W32.Swen@MM (fwd)

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] W32.Swen@MM (fwd)
Beautiful! My own filter prevented this from getting to the list;
so here goes with minor censorship:

---------- message ----------

On Mon, 22 Sep 2003, Robert Kehl wrote:

> Block all .exe attachments.


It's easy to say that, but if you don't scan all of the content, you
aren't going to know that just beyond the end of the limit you set,
there was an exe attachment. On the other hand if you _do_ scan the
entire content, tens of MBytes or whatever, with the full strength of
your scanning recipes, you might run out of resources rather faster
than is considered acceptable (hi Chris ;-)

In fact one needs to block far more than mere "exe attachments", since
the wretched client software that we're trying to protect (for
whatever reason we do this - it really deserves to stew in its own
juice) has a track record of ignoring the authoritative content types
that it's given, looking inside the data, and making its own
determination.

Are you also unpacking all the text/plain content types and analysing
them for patterns like:

begin foo.e*e

[that's what I had to censor...]

If you aren't, then be sure that some of the clients assuredly *are*
doing so. Unless you have a far more draconian control over your
users than we have.

best regards

...and please, trim your contributions of extraneous quotage. The
list participants don't have to be told over and over again where to
find details of the exim list. The once-per-mail that the list server
provides per posting is ample, thanks.
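
The two checks discussed in the message above, as an added Python example that is not part of the original post: it looks for uuencode `begin` lines naming executables inside text/plain parts, and shows how a scan limit hides one that sits beyond it. The function name, the extension list and the sample message are assumptions constructed for illustration, and the standard `begin <mode> <name>` header form is assumed.

```python
import re
from email import message_from_bytes

# Assumed sample list of extensions to treat as executable (not from the post).
RISKY_EXT = {"exe", "scr", "pif", "com", "bat"}

# uuencode header line: "begin <octal mode> <filename>"
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (\S.*?)\s*$", re.MULTILINE)


def find_uuencoded_executables(raw, scan_limit=None):
    """Return names from uuencode 'begin' lines in text/plain parts whose
    extension is in RISKY_EXT. scan_limit (bytes) truncates each part first,
    modelling a scanner that only inspects the start of the content."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() != "text/plain":
            continue  # multipart containers and other types are skipped
        body = part.get_payload(decode=True) or b""
        if scan_limit is not None:
            body = body[:scan_limit]
        for match in UU_BEGIN.finditer(body):
            name = match.group(1).decode("latin-1")
            if "." in name and name.rsplit(".", 1)[1].lower() in RISKY_EXT:
                hits.append(name)
    return hits


# Constructed sample message: harmless filler text followed by a tiny
# uuencoded block (the three bytes "Cat") labelled with an .exe name.
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\n"
    b"Subject: test\r\nContent-Type: text/plain\r\n\r\n"
    + b"filler line\r\n" * 100
    + b"begin 644 report.exe\r\n#0V%T\r\n`\r\nend\r\n"
)

if __name__ == "__main__":
    print(find_uuencoded_executables(SAMPLE))                   # full scan
    print(find_uuencoded_executables(SAMPLE, scan_limit=1024))  # limited scan
```
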