On Tue, Nov 09, 2004 at 09:33:08AM -0500, David F. Skoll wrote:
> > I need something because mgmt is likely to tell me just not to block
> > and I would like to have some valid reasons as to why they are being
> > blocked.
>
> Tell mgmt that if they permit message/partial, they might as well throw
> away server-side scanning and turn off their anti-virus software.

Also, there's a call from US-CERT (http://www.kb.cert.org/vuls/id/836088) to block message/partial specifically because it can circumvent virus scanning.

And while that's true in theory, there is currently no known virus (afaik) that exploits a MIME message/partial to evade virus scanners. (Lots of viruses have fake texts that say "partial message is available" or something similar, but that's not the same, obviously).

Also, I believe you are reasonably safe as long as you force the first part of the message/partial to be "big enough". Say, 1MB or larger. This does provide a few theoretical openings for a virus to slip through (e.g., sending a large enough zip file, so with the end of the zipfile missing, it cannot be easily extracted).

However, if you know that internally you are also running virus scanners on the desktop (and you should do that anyway!), then the virus scanner might not be 99.99% reliable anymore, but at least it stops the bulk of the useless email garbage consisting of unwanted executables.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
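The two policies discussed in this message (block message/partial outright, or accept it only when the first fragment is at least 1MB), sketched in Python as an added example; it is not from the original post and is not MIMEDefang filter code. The function names, the sample addresses, checking only the top-level Content-Type, and passing later fragments are assumptions; the sample messages are constructed.

```python
from email.parser import BytesParser

MIN_FIRST_FRAGMENT = 1024 * 1024  # "Say, 1MB or larger" from the post


def partial_verdict(raw, allow_large_first=True, min_first=MIN_FIRST_FRAGMENT):
    """Return (action, reason) for one raw message as received by the gateway."""
    # headersonly=True leaves the body as one unparsed string, so its length
    # is the size of the fragment that the server-side scanner gets to see.
    msg = BytesParser().parsebytes(raw, headersonly=True)
    if msg.get_content_type() != "message/partial":
        return ("accept", "not message/partial; scan as usual")
    if not allow_large_first:
        return ("reject", "message/partial blocked outright")
    try:
        number = int(msg.get_param("number"))
    except (TypeError, ValueError):
        return ("reject", "message/partial without a valid number parameter")
    if number != 1:
        # Assumption: the post only constrains the first fragment, so later
        # ones pass here and are left to the desktop scanner after reassembly.
        return ("accept", "later fragment %d; not checked for size" % number)
    size = len(msg.get_payload())
    if size < min_first:
        return ("reject", "first fragment is %d bytes, below %d" % (size, min_first))
    return ("accept", "first fragment is large enough to be scanned")


def build_fragment(number, total, body_len, with_number=True):
    """Constructed sample fragment (not a captured message)."""
    params = 'id="frag-1@example.org"; total=%d' % total
    if with_number:
        params += "; number=%d" % number
    headers = (
        "From: sender@example.org\r\n"
        "To: rcpt@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: message/partial; " + params + "\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + b"A" * body_len


if __name__ == "__main__":
    for n, size in [(1, 2048), (1, MIN_FIRST_FRAGMENT), (2, 2048)]:
        print(n, size, partial_verdict(build_fragment(n, 3, size)))
```

Calling `partial_verdict(raw, allow_large_first=False)` gives the stricter block-everything behaviour recommended in the quoted reply and by US-CERT.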

