Firewall Wizards mailing list archives

Re: Re: Anybody Recognize These Uploads?


From: Christopher Hicks <chicks () chicks net>
Date: Sun, 5 Jan 2003 13:01:58 -0500 (EST)

On Sun, 5 Jan 2003, Paul D. Robertson wrote:
On Sun, 5 Jan 2003, Christopher Hicks wrote:
Not really, most of the common executable types can be filtered without
worrying about signatures.  If you're allowing unzipped executables in,
you probably need your head examined at this point in time for anything
that's not a pure Linux shop, and even then, wine's getting a bit too
good...  If you're allowing .[something] and .[somethingelse], well...

True enough.  We have been using MailScanner ( www.mailscanner.info ) for
virus checking and spam checking, but it filters on configurable
extensions as well.  It comes with a reasonable set of defaults that
includes the above.  I can see that most would differentiate virus
checking and extension filtering, but for me they all came in the same
ball of wax.

Interestingly, one site has bounced this thread based on the occurrence of 
.[somethingelse] in the text.  The biggest problem I have with content 
filters is that they really need to be smarter, or there needs to be more 
care in their setup.  If there was a new way to sneak .[somethingelse] 
through a filter, at least one company wouldn't ever get notified of it.

I really prefer the "quarantine and let the user come get it" approach for 
keyword filtering- with an admin option to make the quarantine off-limits 
based on a high percentage of quarantines over time, or other criteria.

That's why I don't filter!  I know this is turning into a MailScanner
advert, but this hits the big reason we went with it initially.  It tags
spam and lets the user decide whether to delete it or not.  It can be
configured to bounce spam, but given the diverse population my servers
provide mail service for that'd be a nightmare. I do let it filter out the
viruses and dangerous attachments into a quarantine by default, but
content-filtering is only done to advise the end user.  If the user wants
to delete the mails that have {Spam?} in the subject or look at the
SpamAssassin score (which we provided in the headers) to decide if it's
high enough to put in their own personal quarantine, that's fine.  We've
had to whitelist various sources of content that SpamAssassin thought
sounded like spam and we've had to let a few users get dangerous
attachments, but otherwise it's taken care of itself.  Happily, letting
people have the option of deleting the spam with their own filters has
left me with very few who are still on dial-up that ask me to delete it
for them.  Those folks have to sign a liability waiver before I will
though.  :)

-- 
</chris>

  I would not, could not SAVE ON PHONE,
  I would not, could not BUY YOUR LOAN,
  I would not, could not MAKE MONEY FAST,       (by
  I would not, could not SEND NO CA$H,            Matthew
  I would not, could not SEE YOUR SITE,             Kennel)
  I would not, could not EAT VEG-I-MITE,
  I do *not* *like* GREEN CARDS AND SPAM! Mad-I-Am!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
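
Added example (not part of the original message, and not MailScanner's code): a sketch contrasting the raw-text match that bounced this thread with a check on declared attachment filenames that quarantines instead of bouncing. The blocked extension list, addresses and sample messages are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for illustration; the thread does not name its extensions.
BLOCKED = {".exe", ".scr", ".pif", ".bat"}

def naive_text_filter(raw: bytes) -> str:
    """Bounce if a blocked extension string appears anywhere in the raw message."""
    lowered = raw.lower()
    return "bounce" if any(ext.encode() in lowered for ext in BLOCKED) else "deliver"

def is_blocked(filename: str) -> bool:
    """Judge by the final extension, so 'x.pdf.exe' and 'X.EXE.' are both caught."""
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1] in BLOCKED

def attachment_filter(raw: bytes):
    """Quarantine only when a MIME part's declared filename is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [n for n in names if is_blocked(n)]
    return ("quarantine", hits) if hits else ("deliver", [])

def build(body: str, attachment: str = None) -> bytes:
    """Construct a sample message (constructed test data, not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.org", "list@example.org", "sample"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

DISCUSSION = build("Are you still letting unzipped .exe files through?")
DISGUISED = build("See attached invoice.", "Invoice.PDF.EXE")
HARMLESS = build("Meeting notes attached.", "notes.txt")

if __name__ == "__main__":
    for label, raw in [("discussion", DISCUSSION), ("disguised", DISGUISED), ("harmless", HARMLESS)]:
        print(label, naive_text_filter(raw), attachment_filter(raw))
```

The filename check trusts what the MIME part declares, so it complements virus scanning rather than replacing it.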

