Virus Checking and Spam Tagging

We currently run MailScanner/Spam Assassin to scan all incoming email for viruses and spam.:

The MailScanner setup blocks the delivery of e-mail messages with viral payloads, attachments containing certain proscribed file types and attachments with certain proscribed filename extensions. Also, each e-mail message is processed by SpamAssassin and, depending on the total score assigned, is handled accordingly. The prefix {Spam?} is added to the contents of the Subject: header line of mail that has a probabilityof being spam, and mail that has a high certainty of being spam is deleted without being delivered.

The prefix {Disarmed} is added to the contents of the Subject header line of mail that in which MailScanner has disarmed' certain HTML tags. The tags that are impacted are tags and tags that are thought to be WebBugs. WebBugs are very small images used to track whether a messages has been read and IFrames allow various Microsoft Outlook security vulnerabilities to remain unprotected (but are commonly used in Mailing Lists).

Below is the list of the filename and filetype rules that are filtered out due to possible virus infection:

Filename rules:
Files with very long filenames (over 150 characters)
Filenames that contains lots of whitespace (over 10 characters in a row)
Filenames trying to hide its real extension by adding a CLSID (e.g. {testhta.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B})

pretty park.exe "Pretty Park" virus
happy99.exe "Happy" virus
webpage.rar I-Worm.Yanker virus attachment

*.ani	Possible buffer overflow in Windows (Windows animated cursor file)
*.bat,	Possible malicious batch file script
*.bmp	Possible buffer overflow in Windows (Windows bitmap file)
*.ceo	WinEvar virus attachment
*.chm	Possible compiled Help file-based virus
*.cmd	Possible malicious batch file script
*.cnf	Possible SpeedDial attack
*.com	Windows/DOS Executable
*.cpl	Possible malicious control panel item
*.cur	Possible buffer overflow in Windows (Windows cursor file)
*.exe	Windows/DOS Executable
*.hlp	Possible buffer overflow in Windows (Windows help file)
*.hta	Possible Microsoft HTML archive attack
*.ico	Possible buffer overflow in Windows (Windows icon file)
*.ins	Possible Microsoft Internet Comm. Settings attack
*.its	Dangerous Internet Document Set (according to Microsoft Q883260)
*.job	Possible Microsoft Task Scheduler attack
*.jse	Possible Microsoft JScript attack
*.lnk	Possible Eudora *.lnk security hole attack
.mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mav, .maw	Possible Microsoft Access Shortcut attack
*.mau	Dangerous attachment type (according to Microsoft Q883260)
.mda, .mdz	Dangerous attachment type (according to Microsoft Q883260)
*.mhtml	Possible Eudora meta-refresh attack
*.pif	Possible MS-Dos program shortcut attack
*.prf	Dangerous Outlook Profile Settings (according to Microsoft Q883260)
*.pst	Dangerous Office Data File (according to Microsoft Q883260)
*.reg	Possible Windows registry attack
*.scf	Possible Windows Explorer Command attack
*.sct	Possible Microsoft Windows Script Component attack
*.shb	Possible document shortcut attack
*.shs	Possible Shell Scrap Object attack
*.scr	Possible virus hidden in a screensaver
*.tmp	Dangerous Temporary File (according to Microsoft Q883260)
.vbe, .vbs	Possible Microsoft Visual Basic script attack
*.vsmacros	Dangerous Visual Studio Macros (according to Microsoft Q883260)
.vss, .vst, *.vsw	Dangerous attachment type (according to Microsoft Q883260)

*.ws	Dangerous Windows Script (according to Microsoft Q883260)
.wsc, .wsf, *.wsh	Possible Microsoft Windows Script Host attack
*.xnk	Possible Microsoft Exchange Shortcut attack

File type rules:
self-extract -- No self-extracting archives
ELF -- No executables
executable -- No executables
MPEG -- No MPEG movies
AVI -- No AVI movies
MNG -- No MNG/PNG movies
QuickTime -- No QuickTime movies
Registry -- No Windows Registry entries

** Please keep your anti-virus software updated. The MailScanner should not be used as the sole means of blocking computer viruses on your computer.

Knowledge Base

Categories

Categories

Related Articles

Support