[Mimedefang] How to discard mail silently when it contains bad attachments
Kelson Vibber
kelson at speed.net
Tue Aug 26 14:03:01 EDT 2003
At 10:07 AM 8/26/2003, wrolf.courtney at donovandata.com wrote:
>You may want to put the following in /etc/mail/mimedefang-filter in filter:
>
>    if (filter_bad_filename($entity)) {
>        md_graphdefang_log('bad_filename', $fname, $type);
>        return action_discard();
>    }
>
>Immediately before "#Virus scan".
>
>This way you will throw out the Sobig etc. viruses before having to run
>your virus scanner.

And a lot of other stuff besides.

IMO, it's irresponsible to silently discard anything unless you *know* it
is not legitimate mail. The one exception would be if you are only
filtering mail for yourself, in which case I still think it's ill-advised.

Example: someone sends a business inquiry and attaches a vcard. With the
default filter, if the vCard filename includes the email address and the
domain is a .com - say "My Name (here at there.com).vcf" - it will trigger
filter_bad_filename. Your server discards the message, but they never get
a bounce notice, and of course they never hear back from you. If you're
lucky, they'll try to reach you by phone. If you're not lucky, they'll
figure "Well, these people have never responded to a single one of my
emails, I guess I'll take my business elsewhere." If they get a bounce
notice, at least they'll know you didn't get the message.

Remember, the rule for filter_bad_filename is overkill. It hits anything
that *can* be malicious, not just things that *are* - and you should never
discard legitimate mail without notifying *someone.*

In this case, I think it's worth the extra processing to run the virus
scanner or at least check for specific file types, rather than discarding
everything.

Kelson Vibber
SpeedGate Communications <www.speed.net>
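
The false positive described in the message above, next to a narrower final-extension check, as an added Perl example that is not part of the original post and is not MIMEDefang's own code. The extension list, both patterns and the `disposition` helper are constructed assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not MIMEDefang's code. The patterns are constructed,
# simplified stand-ins for a broad "dangerous extension anywhere" rule
# and for a narrower "final extension only" rule.
use strict;
use warnings;

# Assumption: a short sample of executable extensions, not the filter's real list.
my $bad_exts = '(?:bat|com|exe|pif|scr|vbs)';

# Broad rule: a listed extension anywhere in the name, followed by end of
# string or by a character that is not a typical filename character.
my $broad = qr/\.${bad_exts}\.*(?:[^-A-Za-z0-9_.,]|$)/i;

# Narrow rule: only the final extension counts; trailing dots and spaces
# are ignored so "setup.exe. " cannot slip past.
my $narrow = qr/\.${bad_exts}[.\s]*$/i;

# Hypothetical policy helper: names the action a filter would take.
# Nothing is silently discarded on the strength of a filename alone.
sub disposition {
    my ($fname) = @_;
    return 'bounce' if $fname =~ $narrow;  # sender learns the mail was refused
    return 'scan'   if $fname =~ $broad;   # ambiguous name: leave it to the virus scanner
    return 'accept';
}

# Constructed sample filenames.
my @samples = (
    'My Name (here at there.com).vcf',   # the vCard case from the message
    'movie.avi.pif',
    'setup.exe. ',
    'report.pdf',
);

for my $f (@samples) {
    printf "%-34s broad=%-3s narrow=%-3s -> %s\n",
        "'$f'",
        ($f =~ $broad  ? 'hit' : '-'),
        ($f =~ $narrow ? 'hit' : '-'),
        disposition($f);
}
```

Only the vCard name hits the broad pattern without hitting the narrow one, so it is the one sample where a discard-on-match rule would lose legitimate mail with no notice to the sender.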