RE: [Qmail-scanner-general]False positives on some (Mac?) MIME attachments
AV/content filter for Qmail
From: Beast <bu...@ir...> - 2001-02-23 02:36:36
> From: Jason Haar [mailto:Jas...@tr...]
>
> On Thu, Feb 22, 2001 at 01:44:33PM -0500, Greg Owen wrote:
> > I have qmail-scanner configured to block .com attachments, and have had 4
> > false positives over the last week. I believe all cases had the following
> > in common:
> >
> > 1) The email originated on a Mac, and used MIME-encoding
> > 2) The email had a Text MIME portion and an attached document
> > 3) The word 'com' showed up either in the Text portion or in the base64
> > encoded text, thus triggering the quarantine.
> >
> > I can provide an example of an email that triggered the quarantine upon
> > request.
> >
> > The following line in quarantine-attachments.txt is what is 'hitting':
> >
> > .com 0 Executable attachment (.com)
> >
> > Is this something that anyone has seen? Is there a known fix?
>
> Sorry - you got what you paid for. Blocking by attachment filename means it
> does exactly what it's doing. If some systems generate *.com filenames when
> they're not .com files - then there's nothing that can be done about it...

Yes you're correct, but IMO in this case the attachment isn't *.com, rather "The word 'com' showed up either in the Text portion or in the base64", so the file extension doesn't need to be 'somefile.com' but 'configure com port.txt'. Qscan should compare only the extension or use some magic number/signature to recognize the file format instead of just the file extension. Most (Windows commercial) content filtering uses this technique. Pls cmiiw.

> This problem affects all extension-based blocking - commercial or not :-)
>
> The only "fix" would be to get the Mac users to use a different mailer
> (yeah, right ;-)
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
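The two matching strategies contrasted in this message, as an added example that is not qmail-scanner code and not from either poster: it parses the MIME structure, compares only the final extension of each part's declared filename, and checks the decoded content for the `MZ` executable signature. The policy set, function names and sample messages are constructed for illustration, and `naive_hit` is only a simplified model of unanchored matching.

```python
import email
import os
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".com", ".exe"}   # constructed policy for this example

def naive_hit(raw: bytes) -> bool:
    """Simplified model of unanchored matching: 'com' anywhere in the message."""
    return b"com" in raw.lower()

def blocked_attachments(raw: bytes) -> list:
    """Return (filename, reason) for each MIME part that should be quarantined."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue                     # text bodies and containers carry no filename
        # Compare only the final extension; trailing dots/spaces are stripped first.
        ext = os.path.splitext(name.lower().rstrip(". "))[1]
        body = part.get_payload(decode=True) or b""   # undo base64/quoted-printable
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, "extension"))
        elif body[:2] == b"MZ":          # DOS/Windows executable signature
            hits.append((name, "MZ signature"))
    return hits

def build_sample(filename: str, data: bytes, text: str) -> bytes:
    """Build a constructed text + attachment message like the one described."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [
        build_sample("configure com port.txt", b"set com port to 9600\n",
                     "Notes about the com port are attached."),
        build_sample("report.com", b"\x90\x90\xc3", "see attached"),
        build_sample("notes.txt", b"MZ\x90\x00\x03", "hello"),
    ]
    for raw in samples:
        print(naive_hit(raw), blocked_attachments(raw))
```

Raw `.com` program images have no signature of their own, so the extension comparison stays in place and the `MZ` check only adds coverage for renamed executables.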