On Wed, May 15, 2002 at 11:34:28AM +1000, Brian May wrote:
> > Frankly, it would be good if someone would add to the useful procmail
> > recipes a filter to remove any executable attachments from an email
> > outright or mark them as spam or delete them or something. NOBODY should
> > be emailing an executable. A zip maybe, an image okay. An executable,
> > particularly a win32 executable is almost guaranteed to be a virus.
>
> This is a FAQ for amavis, on why amavis doesn't support this.
>
> While I don't agree with their reasoning, they say it gives a false
> sense of security because it is too easy to hide a virus inside a virus
> with the wrong MIME type or wrong extension (eg *.doc), and have it
> still execute on a broken Windows machine.

I agree with them. The check should be on file signature, not file
extension name. The difference is that one relies on certain bugs in
Microsoft software to not exist - as klez has shown is to not be the
case for many users. The other scans all attachments for executable
content, regardless of the filename. While not always desirable to
reject such messages, it is at least worthwhile to tag them as suspect
and probably either spam or a virus (or both..)

If amavis does not provide this functionality, then I shall seek it
elsewhere. Perhaps that exim filter will do as I need; certainly I can
rewrite the filter in question for use with postfix in perl or python if
it does.

> Personally, I think any file that ends in extensions like *.exe, *.bat,
> *.com, *.scr (and maybe even *.doc; but some people do send/receive
> these files) are very suspicious, and even if you know the sender, the
> chance exists that the files could have been tampered with (unless the
> message is digitally signed with a known signature).

Microsoft Windows has _THIRTY-SEVEN_ different executable extensions
which are known to be run automatically by the OS, regardless of bugs in
the various software.

Relying on the name of the file is as pointless in Win32 as it is in
various flavors of UNIX. Scan by file signature, not name.

--
Joseph Carter <knghtbrd@bluecherry.net>       If this sig were funny...

* Culus thinks we should go to trade shows and see how many people we
  can kill by throwing debian cds at them
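The contrast argued in the message above, between matching on the attachment name and matching on the leading bytes of the decoded content, as an added Python example that is not part of the original post or of amavis. The function names, the `X-Suspect-Attachment` header and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of native executable formats (not an exhaustive list).
EXEC_MAGIC = {b"MZ": "DOS/Windows executable", b"\x7fELF": "ELF executable"}
# The extensions named in the quoted message, for comparison.
SUSPECT_EXT = (".exe", ".bat", ".com", ".scr")

def leaf_parts(raw):
    """Yield (filename, content type, decoded bytes) for each non-container part."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            yield (part.get_filename(), part.get_content_type(),
                   part.get_payload(decode=True) or b"")

def flagged_by_name(raw):
    """Name-based check: only looks at the declared filename."""
    return [name for name, _, _ in leaf_parts(raw)
            if name and name.lower().endswith(SUSPECT_EXT)]

def flagged_by_signature(raw):
    """Content-based check: ignores filename and declared MIME type."""
    hits = []
    for name, ctype, body in leaf_parts(raw):
        for magic, label in EXEC_MAGIC.items():
            if body.startswith(magic):
                hits.append((name or "unnamed", ctype, label))
    return hits

def tag_message(raw):
    """Tag rather than reject: add a header (hypothetical name) listing the hits."""
    hits = flagged_by_signature(raw)
    if not hits:
        return raw
    msg = message_from_bytes(raw, policy=policy.default)
    msg["X-Suspect-Attachment"] = "; ".join(f"{n}: {label}" for n, _, label in hits)
    return msg.as_bytes()

def build_sample():
    """Constructed message: MZ-prefixed bytes sent as report.doc, plus a PNG."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00" + bytes(60), maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                       subtype="png", filename="photo.png")
    return msg.as_bytes()
```

A leading-byte check like this covers native binaries only; scripts, macro documents and files inside archives need their own inspection.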