Indeed, but it seems the filter is looking for .com anywhere in the filename
string, rather than at the end... I say bad design.

In DMARC, filenames end with .xml, .zip or .gzip

On Tue, Aug 25, 2015 at 11:05 AM, Dave Warren via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> On 2015-08-25 09:56, John Levine via dmarc-discuss wrote:
>
>>> As is standard settings in a lot of AV mailscanners to not allow
>>> attachments, as example, with a .com in it.
>>> Therefore it is not a good idea that Google is sending DMARC attachments
>>> with these filenames !google.com!domain.comgjdsadg6777.zip   because of
>>> the .com names in it these are rejected in a lot of AV scanners' standard
>>> server settings for them, see also directadmin forum for that rejects
>>> frozen mail queue and so on.
>>> Please don't put a dotcom in the attachment filenames.
>>>
>> The format of DMARC reports has been unchanged for several years, and
>> there is software that expects the filenames the way they are now.
>>
>> Honestly, any AV scanner that depends on the filename is pretty
>> useless, since malware can and does trivially avoid it by using a
>> different name.  I'd suggest first arranging to send your DMARC
>> reports to an address with no content filters so your automated
>> analysis software can handle it, and look for more modern AV software.
>>
>
>
> I'd disagree about content filtering completely. There are some file
> extensions that are inherently dangerous in the Windows world and .COM is
> one of them. .COM is possibly the worst of the lot because of the one-two
> punch that users don't associate it with executable code (it's only
> supported for legacy reasons), and because users do associate it with the
> web in general. It's half a technical attack and half a social attack, so
> no, malware cannot simply use a different name to get the same result.
>
> Malware detection and blocking is really more of an art than a science,
> but looking for suspicious names is actually one of the things that has
> stood the test of time vs many other techniques simply because there is a
> limited set of extensions that are treated as executable code by Windows,
> and there are very few cases when sending executable code by email is a
> good idea.
>
> At the same time, I'd expect someone at the postmaster level to be able to
> configure exceptions so that they can receive abuse reports at appropriate
> abuse@ and postmaster@ addresses which may include "bad" content of a
> variety of types, and similarly, I'd expect DMARC addresses to be treated
> similarly, so even if globally changing the filenames were possible, I
> wouldn't actually recommend doing it.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss@dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
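
The difference between matching `.com` anywhere in the filename and matching only the final extension, as an added example that is not part of the original thread. The blocklist and the filenames (two in the style of DMARC aggregate reports, three executable-style names) are constructed for illustration, not taken from any particular scanner.

```python
# Added example: constructed filenames, illustrative blocklist (assumption).
BLOCKED_EXTENSIONS = {"com", "exe", "scr", "pif", "bat"}


def substring_match(filename: str) -> bool:
    """Over-broad check: flags a blocked extension anywhere in the name."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in BLOCKED_EXTENSIONS)


def final_extension_match(filename: str) -> bool:
    """Flags only when the last extension is on the blocklist."""
    # Windows drops trailing dots and spaces, so normalise them away first.
    name = filename.lower().rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext in BLOCKED_EXTENSIONS


# Constructed samples: two DMARC-report-style names, three executable-style.
SAMPLES = [
    "google.com!example.com!1440460800!1440547199.zip",
    "google.com!example.com!1440460800!1440547199.xml",
    "invoice.com",
    "www.example.com",
    "Statement.PDF.COM ",
]


def compare(samples):
    """Return {filename: (substring_verdict, final_extension_verdict)}."""
    return {s: (substring_match(s), final_extension_match(s)) for s in samples}


if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLES).items():
        print(f"{name!r:55} substring={loose!s:5} final-ext={strict}")
```

Both checks flag the three names that end in `.com`; only the substring check also flags the report archives, whose final extensions are `.zip` and `.xml`.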