SeattleServer.com wrote:
> On Sunday 29 October 2006 05:36, Vitaly A Zakharov wrote:
>> Try to use a well-known construction, just above virus checking in Exim
>> configuration:
>>
>> acl_check_mime:
>>
>> warn decode = default
>> drop message = Blacklisted file extension detected.
>> condition = ${if
>> match{${lc:$mime_filename}}{\N(\.cpl|\.pif|\.bat|\.scr|\.lnk|\.com|\.hta)$\
>> N}{1}{0}}
>>
>> accept
>>
>> You would be surprised, the volume of viruses will decrease about a half.
>
> You would be surprised, the number of users who complain because these
> extensions (especially .lnk and .scr) are blocked.
>
> In fact it was such a common problem among our (mostly non-IT) users, that we
> ended up defaulting to NOT blocking executable extensions, though it can be
> turned on per-domain.
>
> I don't really like blocking simply on extension anyways - I ran into it
> myself when trying to E-mail an HTML file without an extension (it was named
> simply somedomain.com).
>
> Cheers,
We have two such rules - both with far more extensive lists, as we cover mostly
Mac and other 'non-MS' platforms. Both add 'points' and user prefs do
modification to 'Subject:' and quarantining.
- But the 'surprise' here is that they almost never triggered until recently.
Client branch offices that need to send photos and such are whitelisted and/or
trained to alter the file extent or encapsulate, and the villainous *were* being
stopped before they got as far as that.
That said, the recent rise in otherwise innocuous body with text-bearing graphic
attached says we need a server-global tightening up on a *combination* of
any-graphic + [stranger AND/OR rudebugger].
- Where 'stranger' is anyone we have never sent 'TO:', and 'rudebugger' is
weighted scores for failure on rDNS, HELO, dynamic-IP, RBL, header format
....... etc.
If we have to get into the insanity of CPU cycles needed for OCR inspection of
graphics, I'd call that a dead loss, strip the dodgy attachments, and point the
user community back to their fax machines (color, for the most part) or FedEx.
:-(
Bill
