How about you don't just execute attachments sent to a reporting address?
It's all meant to be processed programmatically based on its contents, not
clicked on by a human in Windows 98. In 2015, virus filtering this feed is
about as nonsensical as spam content filtering the abuse mailbox. Even if
.com is "unsafe," that filter is still now out of date and needs an update
or an exemption at this point.

On Tue, Aug 25, 2015 at 2:50 PM, Franck Martin via dmarc-discuss <
[email protected]> wrote:

> indeed, but seems the filter is looking for .com anywhere in the filename
> string, rather than at the end... I say bad design.
>
> in DMARC filenames end up with .xml, .zip or .gzip
>
> On Tue, Aug 25, 2015 at 11:05 AM, Dave Warren via dmarc-discuss <
> [email protected]> wrote:
>
>> On 2015-08-25 09:56, John Levine via dmarc-discuss wrote:
>>
>>>> As is standard settings in lot of AV mailscanners to not allow
>>>> attachments as example with a .com in it.
>>>> Therefore it is not a good idea that google is sending attachments DMARC
>>>> with these filename !google.com!domain.comgjdsadg6777.zip because of
>>>> the .com names in it these are rejected in lot of AVscanners standard
>>>> server settings for them, see also directadmin forum for that rejects
>>>> frozen mail queue and so on.
>>>> Please don't put a dotcom in the filenames attachment.
>>>>
>>> The format of DMARC reports has been unchanged for several years, and
>>> there is software that expects the filenames the way they are now.
>>>
>>> Honestly, any AV scanner that depends on the filename is pretty
>>> useless, since malware can and does trivially avoid it by using a
>>> different name.  I'd suggest first arranging to send your DMARC
>>> reports to an address with no content filters so your automated
>>> analysis software can handle it, and look for more modern AV software.
>>>
>>
>>
>> I'd disagree about content filtering completely. There are some file
>> extensions that are inherently dangerous in the Windows world and .COM is
>> one of them. .COM is possibly the worst of the lot because of the one-two
>> punch that users don't associate it with executable code (it's only
>> supported for legacy reasons), and because users do associate it with the
>> web in general. It's half a technical attack and half a social attack, so
>> no, malware cannot simply use a different name to get the same result.
>>
>> Malware detection and blocking is really more of an art than a science,
>> but looking for suspicious names is actually one of the things that has
>> stood the test of time vs many other techniques simply because there is a
>> limited set of extensions that are treated as executable code by Windows,
>> and there are very few cases when sending executable code by email is a
>> good idea.
>>
>> At the same time, I'd expect someone at the postmaster level to be able
>> to configure exceptions so that they can receive abuse reports at
>> appropriate abuse@ and postmaster@ addresses which may include "bad"
>> content of a variety of types, and similarly, I'd expect DMARC addresses to
>> be treated similarly, so even if globally changing the filenames were
>> possible, I wouldn't actually recommend doing it.
>>
>> --
>> Dave Warren
>> http://www.hireahit.com/
>> http://ca.linkedin.com/in/davejwarren
>>
>>
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> [email protected]
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>
>



-- 
Al Iverson | Minneapolis, MN | (312) 725-0130
aliverson.com | spamresource.com | @aliverson
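
Added example, not part of the original thread and not any scanner's actual code: the "match .com anywhere" behaviour described above next to a check on the final extension only, run over constructed filenames. The executable-extension set, the function names and the sample names are assumptions for illustration; the report endings are the ones listed in the thread.

```python
import os

# Illustrative subset of extensions Windows runs as code (assumption).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Endings the thread says DMARC report filenames carry.
DMARC_REPORT_EXTS = {".xml", ".zip", ".gzip"}


def substring_filter_blocks(filename):
    """Behaviour criticized in the thread: '.com' anywhere in the name."""
    return ".com" in filename.lower()


def final_extension(filename):
    """Return the last extension, lower-cased.

    Trailing dots and spaces are stripped first because Windows ignores
    them when resolving a filename, so 'setup.COM. ' still ends in .com.
    """
    name = filename.strip().rstrip(". ").lower()
    return os.path.splitext(name)[1]


def extension_filter_blocks(filename):
    """Block only when the final extension is an executable one."""
    return final_extension(filename) in EXECUTABLE_EXTS


def is_dmarc_report_name(filename):
    """True when the name ends the way the thread says reports do."""
    return final_extension(filename) in DMARC_REPORT_EXTS


# Constructed sample names, not taken from real mail.
SAMPLES = [
    "google.com!example.org!1440374400!1440460799.zip",
    "invoice.pdf.com",
    "setup.COM. ",
    "readme.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:55} substring={substring_filter_blocks(name)!s:5} "
              f"final-ext={extension_filter_blocks(name)}")
```

The substring rule rejects the report name because the reporting and policy domains appear inside it, while the final-extension rule passes it and still blocks the names that actually end in .com.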