[Mimedefang] How to discard mail silently when it contains bad attachments

Kelson Vibber kelson at speed.net
Tue Aug 26 14:03:01 EDT 2003


At 10:07 AM 8/26/2003, wrolf.courtney at donovandata.com wrote:
>You may want to put the following in /etc/mail/mimedefang-filter in filter:
>
>     if (filter_bad_filename($entity)) {
>         md_graphdefang_log('bad_filename', $fname, $type);
>         return action_discard();
>     }
>
>Immediately before "#Virus scan".
>
>This way you will throw out the Sobig etc. viruses before having to run
>your virus scanner.

And a lot of other stuff besides.

IMO, it's irresponsible to silently discard anything unless you *know* it 
is not legitimate mail.  The one exception would be if you are only 
filtering mail for yourself, in which case I still think it's ill-advised.

Example: someone sends a business inquiry and attaches a vCard.  With the 
default filter, if the vCard filename includes the email address and the 
domain is a .com - say "My Name (here at there.com).vcf" - it will trigger 
filter_bad_filename.  Your server discards the message, but they never get 
a bounce notice, and of course they never hear back from you.  If you're 
lucky, they'll try to reach you by phone.  If you're not lucky, they'll 
figure "Well, these people have never responded to a single one of my 
emails, I guess I'll take my business elsewhere."  If they get a bounce 
notice, at least they'll know you didn't get the message.

Remember, the rule for filter_bad_filename is overkill.  It hits anything 
that *can* be malicious, not just things that *are* - and you should never 
discard legitimate mail without notifying *someone.*

In this case, I think it's worth the extra processing to run the virus 
scanner or at least check for specific file types, rather than discarding 
everything.


Kelson Vibber
SpeedGate Communications <www.speed.net>  
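
The false positive described in the message above, as an added stand-alone example (not part of the original post and not MIMEDefang's own code). The shortened extension list, both patterns and the disposition names are assumptions made for illustration; the broad pattern only models the behaviour the post describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed, shortened extension list; a real filter's list is longer.
my $bad_exts = '(?:bat|cmd|com|exe|pif|scr|vbs)';

# Broad rule (assumed model of the behaviour described in the post): a listed
# extension counts at the end of the name OR when followed by any character
# outside [-A-Za-z0-9_.,], such as ")" or a space.
my $broad = qr/\.$bad_exts\.*(?:[^-A-Za-z0-9_.,]|\z)/i;

# Narrow rule: only the final extension counts (trailing dots allowed).
my $narrow = qr/\.$bad_exts\.*\z/i;

# One possible policy (hypothetical names):
#   bounce - the final extension is on the list; refuse so the sender is told
#   scan   - only the broad rule matched; let the virus scanner decide
#   pass   - neither rule matched
sub disposition {
    my ($name) = @_;
    return 'bounce' if $name =~ $narrow;
    return 'scan'   if $name =~ $broad;
    return 'pass';
}

# Constructed sample attachment names.
my @samples = (
    'My Name (here at there.com).vcf',   # the vCard case from the post
    'your_details.pif',
    'document.txt.exe.',
    'report.pdf',
);

for my $name (@samples) {
    printf "%-34s broad=%-3s narrow=%-3s -> %s\n",
        $name,
        ($name =~ $broad  ? 'hit' : '-'),
        ($name =~ $narrow ? 'hit' : '-'),
        disposition($name);
}
```

The vCard name hits only the broad rule, so a silent discard keyed on that rule would drop it with no notice to anyone, while the names whose final extension is on the list are caught by both rules.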



