Re: [Exim] W32.Swen@MM (fwd)

Góra strony
Delete this message
Reply to this message
Autor: Pat Lashley
Data:  
Dla: Alan J. Flavell, Exim users list
Temat: Re: [Exim] W32.Swen@MM (fwd)
--On Monday, September 22, 2003 00:08:08 +0100 "Alan J. Flavell"
<a.flavell@???> wrote:

> On Mon, 22 Sep 2003, Robert Kehl wrote:
>
>> Block all .exe attachements.
>
> It's easy to say that, but if you don't scan all of the content, you
> aren't going to know that just beyond the end of the limit you set,
> there was an exe attachment. On the other hand if you _do_ scan the
> entire content, tens of MBytes or whatever, with the full strength of
> your scanning recipes, you might run out of resources rather faster
> than is considered acceptable (hi Chris ;-)


That's why exiscan-acl's demime condition is so nice - scanning for
MIME boundaries is -much- faster than scanning for a bunch of arbitrary
regular expressions... (And it -does- check extensions, not just
Content-Type fields.)

> In fact one needs to block far more than mere "exe attachments", since
> the wretched client software that we're trying to protect (for
> whatever reason we do this - it really deserves to stew in its own
> juice) has a track record of ignoring the authoritative content types
> that it's given, looking inside the data, and making its own
> determination.


So are you saying that using exiscan-acl with a demime condition set to
block exe (and pif, scr, etc.) isn't good enough? This client software
can actually recognize a .exe embedded within text or another attachment?
If so, please let us know what client this is so that we can all avoid it.



-Pat