Thanks for your response, Scott.
Your remarks about the variability in headers for Uuencode attachments are
correct and appreciated. An improved set of rules, as you suggested, would
be:
B~(name=".*\pvbs|name=".*\pshs|name=".*\pscr):quarantine
(For MIME attachments) and
B~(Begin 6.*\pvbs|Begin 6.*\pshs|Begin 6.*\pscr):quarantine
(For Uuencoded attachments)
filtering attachments of types common in viruses/worms,
vbs - Visual Basic Script
shs - Scrap Objects and
scr - Screensaver
However, the key point of my query remains unanswered:
Is it true that IMail Global rules (filters) check only the first 25K to
30K of a message? If this is true, then any and all rules may be
circumvented by inserting 30K of text in front of a virus-laden payload.
Secondarily, I think it worthwhile to mention that those who are depending
upon the Ipswitch Knowledgebase for Rules to filter virus attachments per
the recommendations of the following article
http://support.ipswitch.com/kb/IM-20000504-JK01.htm
are only filtering MIME and not Uuencoded attachments, hence my interest in
proposing a rule for Uuencode.
> Date: Sat, 17 Feb 2001 10:54:50 -0500
> From: "Scott Perry" <[EMAIL PROTECTED]>
> Subject: Re: [IMail Forum] Global rules filtering won't function
> with long files
> Reply-To: [EMAIL PROTECTED]
> >
> > Further testing seems to indicate that the rules will not work if
> > the filtered string occurs past a point about 25K - 30K into a
> > message (as was the case with this worm-laden Digest).
>
> Unfortunately, I can't comment on this, as I have done very
> little with filtering.
>
> I'm guessing you didn't get my last response, since it probably
> got filtered out on your end -- one of the drawbacks of filters!
> I'll try to work around your filter.
>
> > while the second rule filters Uuencoded attachments, characterized
> > by the string Begi*n 6nn (generally all sixes)
>
> FYI, I have just scanned a "Lost mail box" that we have (E-mail
> that comes in to one of our domains that is misaddressed), and
> out of 18 uuencoded attachments, the breakdown was as follows:
>
> be gin 600 - 12
> be gin 666 - 4
> be gin 640 - 2
>
> So, if all those attachments had been "bad" (ones that you were
> filtering), you only would have caught about 20% of them. If you
> use "be gin 6" (minus the extra space), you would catch all of
> them (although it's possible that some may be sent with a
> different number in the first position).
>
> Of course, 20 uuencoded attachments isn't enough to come to good
> conclusions. But, it at least shows that checking the 666 isn't
> as reliable as it could be.
>
>
> --
> -Scott
>
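A scanner along the lines of the two rules discussed above, as an added example and not code from IMail, Ipswitch or either poster: it looks for MIME name= parameters and uuencode "begin 6nn" lines across the whole message, so an attachment header placed past the 25K-30K mark is still found, and it tallies the mode digits the way Scott's 600/666/640 breakdown does. The extension list and the sample message are constructed for the example.

```python
import re
from collections import Counter

# Extensions the thread proposes quarantining (constructed list for this example).
RISKY_EXTENSIONS = {"vbs", "shs", "scr"}

# uuencode header line: "begin <3 octal digits> <filename>", the thread's "begin 6nn".
UU_BEGIN = re.compile(r"^begin ([0-7]{3}) (\S+)\s*$", re.MULTILINE | re.IGNORECASE)
# MIME filename parameter, e.g.  Content-Type: ...; name="foo.vbs"
MIME_NAME = re.compile(r'name="([^"]+)"', re.IGNORECASE)


def find_attachments(message: str):
    """Return (kind, mode_or_None, filename) for every attachment header found.
    The whole message is scanned, not a fixed-size prefix."""
    found = [("uuencode", m.group(1), m.group(2)) for m in UU_BEGIN.finditer(message)]
    found += [("mime", None, m.group(1)) for m in MIME_NAME.finditer(message)]
    return found


def risky_attachments(message: str):
    """Attachments whose extension is one of RISKY_EXTENSIONS, as (kind, filename)."""
    hits = []
    for kind, _mode, name in find_attachments(message):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            hits.append((kind, name))
    return hits


def uu_mode_breakdown(message: str) -> Counter:
    """Count uuencode mode digits (600, 666, 640, ...) as in Scott's tally."""
    return Counter(m.group(1) for m in UU_BEGIN.finditer(message))


# Constructed sample: one MIME part, ~48 KB of filler, then two uuencoded parts
# that sit well past the 25K-30K point the thread worries about.
SAMPLE = (
    'Content-Type: application/octet-stream; name="notes.txt"\r\n\r\n'
    + ("lorem ipsum " * 4000)
    + "\r\nbegin 600 invoice.vbs\r\nM9&5M;PH`\r\n`\r\nend\r\n"
    + "begin 666 photo.jpg\r\n`\r\nend\r\n"
)

if __name__ == "__main__":
    print("offset of first uuencode header:", SAMPLE.index("begin 600"))
    print("risky:", risky_attachments(SAMPLE))
    print("modes:", dict(uu_mode_breakdown(SAMPLE)))
```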
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/