On 2015-08-25 09:56, John Levine via dmarc-discuss wrote:
>> As is standard settings in lot of AV mailscanners to not allow
>> attachments as example with a .com in it.
>> Therefore it is not a good idea that google is sending attachments DMARC
>> with these filename !google.com!domain.comgjdsadg6777.zip because of
>> the .com names in it these are rejected in lot of AVscanners standard
>> server settings for them, see also directadmin forum for that rejects
>> frozen mail queue and so on.
>> Please don't put a dotcom in the filenames attachment.
>
> The format of DMARC reports has been unchanged for several years, and
> there is software that expects the filenames the way they are now.
> Honestly, any AV scanner that depends on the filename is pretty
> useless, since malware can and does trivially avoid it by using a
> different name. I'd suggest first arranging to send your DMARC
> reports to an address with no content filters so your automated
> analysis software can handle it, and look for more modern AV software.

I'd disagree about content filtering completely. There are some file
extensions that are inherently dangerous in the Windows world and .COM
is one of them. .COM is possibly the worst of the lot because of the
one-two punch that users don't associate it with executable code (it's
only supported for legacy reasons), and because users do associate it
with the web in general. It's half a technical attack and half a social
attack, so no, malware cannot simply use a different name to get the
same result.

Malware detection and blocking is really more of an art than a science,
but looking for suspicious names is actually one of the things that has
stood the test of time vs many other techniques simply because there is
a limited set of extensions that are treated as executable code by
Windows, and there are very few cases when sending executable code by
email is a good idea.

At the same time, I'd expect someone at the postmaster level to be able
to configure exceptions so that they can receive abuse reports at
appropriate abuse@ and postmaster@ addresses which may include "bad"
content of a variety of types, and similarly, I'd expect DMARC addresses
to be treated similarly, so even if globally changing the filenames were
possible, I wouldn't actually recommend doing it.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
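
The two filtering points raised in this thread, as an added example that is not part of any message above: a substring rule rejects a DMARC aggregate report whose filename embeds domain names, while a rule that looks only at the final extension does not, and a report mailbox can be exempted. The extension list, the addresses and the sample filename (constructed in the RFC 7489 `receiver!policy-domain!begin!end.zip` form) are assumptions.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist for illustration; real scanners ship longer lists.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Hypothetical report mailbox exempted from filename rules.
EXEMPT_RECIPIENTS = {"dmarc-reports@example.org"}
# Constructed sample filename, not taken from a real report.
REPORT = "google.com!example.org!1440374400!1440460799.zip"


def naive_match(filename):
    """Substring rule: flags any name that contains a blocked extension."""
    lower = filename.lower()
    return any(ext in lower for ext in EXECUTABLE_EXTS)


def final_ext_match(filename):
    """Flags only when the last extension, the one Windows acts on, is blocked."""
    # Windows drops trailing dots and spaces, so strip them before checking.
    cleaned = filename.lower().rstrip(". ")
    return PurePosixPath(cleaned).suffix in EXECUTABLE_EXTS


def blocked_attachments(msg, rule):
    """Return attachment filenames the rule rejects, honouring exemptions."""
    rcpt = str(msg["To"] or "").strip().lower()
    if rcpt in EXEMPT_RECIPIENTS:
        return []
    names = [part.get_filename() for part in msg.iter_attachments()]
    return [name for name in names if name and rule(name)]


def build(to, filename):
    """Build a constructed sample message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "reports@example.net"
    msg["To"] = to
    msg.set_content("constructed sample body")
    msg.add_attachment(b"PK", maintype="application", subtype="zip",
                       filename=filename)
    return msg


if __name__ == "__main__":
    sample = build("user@example.org", REPORT)
    print("substring rule blocks:", blocked_attachments(sample, naive_match))
    print("final-ext rule blocks:", blocked_attachments(sample, final_ext_match))
```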