Problems with rules redux


Steve Pierce
04-23-2004, 02:04 PM
Alex,

The rules are still not catching emails with certain attachments. I created
a rule like you said to block all emails with the extension of .pif, yet they
are still getting through.

Here is a snippet of the logic

IF message has an attachment
And parts header matches expression
....
name="?[^
]+.(?i)(pif)[^w]+
....
Then strip attachments
And
Add text to top

For some reason Ewall doesn't detect this as a message that meets this rule.
It should.

Any suggestions?

- Steve

Received: from 126.com [61.163.246.145] (dave@126.com) by mailandnews.com;
Wed, 21 Apr 2004 11:54:59 -0400
From: dave@126.com
To: xxxxx@mailandnews.com
Subject: Mail Delivery System
Date: Wed, 21 Apr 2004 23:54:40 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_F29EE9C9.F93CEE54"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0008_F29EE9C9.F93CEE54
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0008_F29EE9C9.F93CEE54
Content-Type: application/octet-stream;
name="readme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="readme.pif"

Alexander Telegin [SSS]
04-23-2004, 02:50 PM
Steve,

Please send me such a message as an attachment.

- Alex

Steve Pierce
04-23-2004, 05:30 PM
I sent you a sample. - Steve

Alexander Telegin [SSS]
04-23-2004, 07:28 PM
I didn't receive it. Please try sitemaster@gmx.at.

- Alex

Steve Pierce
04-23-2004, 07:34 PM
Done

I originally sent it to sssolutions.net address.

- Steve

Steve Pierce
04-26-2004, 12:38 AM
Did you get the sample?

Alexander Telegin [SSS]
04-26-2004, 07:44 AM
Yes, and your regular expression caught it.

- Alex

Steve Pierce
04-26-2004, 03:20 PM
The rule says remove attachment if the expression is true, but the
attachment is still attached.

So if the expression caught it, the resulting task was not performed. The
attachment is still delivered to the end user. That is what we are trying to
prevent.

Here is the exact rule

[Block Attachments 2]
1
CATTA
CPRT00Hname="?[^
]+.(?i)(bat)[^w]+?Hname="?[^
]+.(?i)(com)[^w]+?
Hname="?[^
]+.(?i)(exe)[^w]+?Hname="?[^
]+.(?i)(hta)[^w]+?Hname=
"?[^
]+.(?i)(pif)[^w]+?Hname="?[^
]+.(?i)(scr)[^w]+?Hname="?[^
r
]+.(?i)(vbs)[^w]+?
ASRP
ATXTAWarning
that is blocked by the ShanjeMail/MailandNews.com mail server?as it
constituted a security hazard. ??The mail server blocks all files that end
in .bat, .com, .exe, .com, .scr, .pif, .hta, and .vbs.??If you require this
document, please contact the sender and arrange ?an alternate means of
receiving it such as sending the attachment as?a zip file.??Below is the
original text
message.??


Yet with this rule, files with the PIF extension are routinely delivered. By
our estimation, over 1,000 PIF files each day get past this filter.

How do we create a rule that will not allow ANY .pif files to be passed
through Ewall?

Cheers!

- Steve

Alexander Telegin [SSS]
04-27-2004, 05:35 PM
The fix is available with EW2.

- Alex

Steve Pierce
04-28-2004, 03:56 PM
Alex,

I am using EW2 126b. I had this same problem with EW1 but I waited until I
could test with EW2 before I posted this problem again.

- Steve

Alexander Telegin [SSS]
04-28-2004, 04:23 PM
What do the logs show? The attachment not found, or found but not stripped?

- Alex

Steve Pierce
05-01-2004, 02:56 AM
The logs are in the hundreds of megabytes each day, so it is too hard to
check them.

- Steve

Alexander Telegin [SSS]
05-01-2004, 07:56 AM
You can send it to some original address, then open the log and find it.

- Alex

Steve Pierce
05-14-2004, 04:21 AM
It takes notepad 20 to 30 minutes to open the log file and then the machine
is so low on memory, you can't actually do a search to find an entry. If I
turn the logging on, it will run for 400MB to 1.2GB every single day. That
is a single log file.

I have updated to the latest beta and we are still having problems where
rules are not catching attachments that should be blocked. We still see
chronic cases of attachments with .scr getting through. That extension
should never be allowed through. But we can't seem to create an effective
rule that will actually block an attachment.

Alex, we first described this problem with 1.x. You said to wait for 2.x and
test again. We have tested it with several problems with 2.x beta and the
problems still exist.

We could really use some help getting eWall to block certain attachments
100% of the time.

Cheers!

- Steve

Alexander Telegin [SSS]
05-14-2004, 04:46 AM
Can you purge the logs and send a test message?

- Alex

Steve Pierce
05-14-2004, 03:17 PM
I have tried that. When I send a test message, the attachment is
successfully blocked. But when I check my email accounts, I see hundreds of
messages that should have been blocked, but weren't.

I wish there was a marker that ewall would insert into the mail header, like
spamassassin does so I can see what rule was fired and if ewall even read
through the email.

It would really help if there were a way to disable ALL logging; even in
minimum mode there are tens if not hundreds of megabytes per day in the log.
Then in Ewall, there should be a debug logging option where in the rule you
could say LOG DEBUG INFO to log. Or have a rule that will log debug info to
a separate debug.log file. Then in the rule, dump out the results that ewall
thinks it is seeing and what actions it took.

That would help track down a lot of these problems and help folks test and
debug rules and scripts.

- Steve
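
As an added illustration (not eWall's code and not anything posted in this thread), the following Python stand-in runs the "parts header matches expression" rule from the first post over a constructed copy of the sample message, strips the matching part, adds the warning text to the top, and writes the kind of header marker asked for above. The backslashes restored in the regex, the header name X-Attachment-Filter and the warning text are assumptions.

```python
import email
import re
from email import policy

# Thread's rule with the forum-dropped backslashes restored (assumed [^\n], [^\w]).
BLOCKED_EXTS = ("bat", "com", "exe", "hta", "pif", "scr", "vbs")
NAME_RULE = re.compile(r'name="?[^\n]+\.(?i:' + "|".join(BLOCKED_EXTS) + r")[^\w]+")

# Constructed stand-in for the thread's sample message; the attachment body is a placeholder.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0008"

------=_NextPart_000_0008
Content-Type: text/plain; charset="Windows-1252"

body text
------=_NextPart_000_0008
Content-Type: application/octet-stream; name="readme.pif"
Content-Disposition: attachment; filename="readme.pif"

SGVsbG8=
------=_NextPart_000_0008--
"""
WARNING = "Warning: an attachment was removed as a blocked file type."  # constructed


def part_header_text(part) -> str:
    # "Name: value\n" per header.  The trailing newline matters: the rule's final
    # [^\w]+ needs a character after the extension, or an unquoted name= at the end fails.
    return "".join(f"{k}: {v}\n" for k, v in part.items())


def apply_rule(raw: str, warning: str):
    # Strip matching parts, add the warning to the top, and mark what fired.
    msg = email.message_from_string(raw, policy=policy.default)
    kept, stripped = [], []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        if NAME_RULE.search(part_header_text(part)):
            stripped.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    if stripped:
        msg.set_payload(kept)
        for part in kept:  # "add text to top": prepend to the first text part
            if part.get_content_type() == "text/plain":
                part.set_content(warning + "\n\n" + part.get_content())
                break
        msg["X-Attachment-Filter"] = "stripped: " + ", ".join(stripped)  # hypothetical marker
    return msg, stripped
```

The marker header makes it possible to tell, from the delivered message alone, whether the filter saw the message and what it did, which is the evidence the log files above are too large to yield.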

Alexander Telegin [SSS]
05-14-2004, 04:41 PM
I think your attachment filter is overlapping with something else, so only
logs will show the real problem. Why not add the extra field to the
message with the stripped attachment?

- Alex

Steve Pierce
05-18-2004, 12:57 AM
I have tried that; there is nothing in the header, which leads me to believe
that ewall never even processed the message. Why ewall seems to skip some
messages is baffling me. I wonder if it is a load problem. We often
have over 50,000 connections per hour. I wonder whether, under that load, ewall
somehow 'misses' messages.

- Steve

Alexander Telegin [SSS]
05-18-2004, 06:21 AM
I still think that filters are overlapping.

- Alex

Steve Pierce
05-19-2004, 01:57 PM
How can I send you my entire list of filters?

- Steve

Alexander Telegin [SSS]
05-19-2004, 04:56 PM
Pack the "Filters" dir and send it to sitemaster@gmx.at.

- Alex