Re: Disabling everything except virus scanning?

From: Bjarni R. Einarsson (
Date: Tue 22 Oct 2002 - 10:48:26 GMT

  • Next message: Bjarni R. Einarsson: "Postfix-SA-Anomy-Maildrop doc suggestions."

    (Note: I moved this part of Robin's message to the top, in the hope
    that most of you would read it and stop complaining about the "blah
    .exe" problem. :-)

    On 2002-10-22, 11:13:00 (+1000), Robin Whittle wrote:
    > Also, I want to investigate and note something I wrote to
    > the bugs list about: what to the (potentially dumb) user seems to be
    > Anomy failing to recognise file names with spaces as being executable.
    > name=CODE .bat

    This has been reported at least five times to the list in the past
    few days - probably because Bugbear sends it's attachments like this.

    This is not valid MIME, but I'm looking into improving my parser to
    catch these files anyway... there should be a new release within the
    next few days which addresses this problem and a few others as well.

    > I have just started using Anomy and am finding it is attaching long logs
    > of changes to HTML messages when those messages are not, as far as I
    > know, a problem for me.

    The HTML defanger is very aggressive. It's modifications shouldn't
    (barring client-side HTML browser bugs) ever make the text of a message
    illegible, but it will break things like:

      - Embedded images (sometimes, not always)
      - Frames
      - Forms
      - Javascript
      - ActiveX and related technology
      - Refreshes

    The reason for this is simply that the above all rely on HTML "features"
    which can and have been abused to weaken security in the past.

    If this is too aggressive for you, just set feat_html to zero. :)

    > So I would be happy to use Anomy just for detecting virus emails - by
    > searching for any attached file which looks executable and then by
    > "dropping" it, which involves shortening it greatly and adding a
    > distinctive message which my Maildrop filtering can then find, to turf
    > the thing into the virus pit, whilst also sending a copy of it, tagged
    > for deletion and with "[VIRIII] added to the Subject line, to the Inbox.

    This appears to be an excellent document! I would like to link to it
    from the Anomy page, and possibly mirror it if you don't mind.

    > I will be updating this page in the next few days after some experience
    > with the new setup, and to include improvements suggested by

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

    Check out my open-source email sanitizer: Spammers, please send plenty of email to:

    hosted by