Bug in filename rules handling?

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 11 11:29:00 GMT 2003


In the process of adding all the code to support proper checking of
long/evil filenames, I screwed up.

Please can you download and try out version 4.14-1, and let me know how you
get on.
URLs are

Tar distribution:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar

RedHat (and others) RPM:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar

SuSE:
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar

At 11:09 11/03/2003, you wrote:
>I have it set to yes but this has not changed the behaviour of MailScanner
>before. I think all files in the filename.rules.conf are treated equal?
>
>I would not like to be in a situation where somenewvirus.doc.scr would be
>allowed through because the latest virus definition couldn't recognize the
>virus and the attachment would then be passed on as 'safe'.
>
>Also the attachment wasn't replaced with the VirusWarning.txt!
>
>On Tue, 11 Mar 2003, Craig Pratt wrote:
>
> > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > the behavior you're seeing?
> >
> > # Should I attempt to disinfect infected attachments and then deliver
> > # the clean ones. "Disinfection" involves removing viruses from files
> > # (such as removing macro viruses from documents). "Cleaning" is the
> > # replacement of infected attachments with "VirusWarning.txt" text
> > # attachments.
> > # This can also be the filename of a ruleset.
> > Deliver Disinfected Files = yes
> >
> > On Tuesday, March 11, 2003, at 12:36  AM, Remco Barendse wrote:
> > > Yes the headers were added as they should and the header also said
> > > 'found
> > > to be infected'
> > >
> > > Everything seems to be OK but the attachment was not removed and the
> > > VirusWarning was not inserted in the message as it should nor was it
> > > sent
> > > as an attachment.
> > >
> > > On Tue, 11 Mar 2003, Craig Pratt wrote:
> > >
> > >> Have any of the "X-MailScanner" headers been added to the message?
> > >>
> > >> If not, this might mean that MailScanner is not actually the one
> > >> delivering the message. Is it possible that sendmail is running behind
> > >> MS's back?
> > >>
> > >> Craig
> > >>
> > >> On Tuesday, March 11, 2003, at 12:01  AM, Remco Barendse wrote:
> > >>> This morning we have received a message with filename extension
> > >>> hiding.
> > >>> The attachment is named ACN.DOC.xls.doc
> > >>>
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1
> > >>> messages, 38249 bytes
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning:
> > >>> Starting
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found
> > >>> possible filename hiding (ACN.DOC.xls.doc)
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1
> > >>> problems
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to
> > >>> /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
> > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1
> > >>> cleaned
> > >>> messages
> > >>>
> > >>> Although a notification was sent to postmaster that a virus had been
> > >>> caught, and the message subject was correctly modified and there was
> > >>> a
> > >>> notification inside the message to look inside VirusWarning.txt
> > >>> things
> > >>> didn't work.
> > >>>
> > >>> The attachment was let through 'as-is' without renaming or without
> > >>> removing it. Furthermore there was no VirusWarning.txt attached to
> > >>> the
> > >>> mail message although the body of the message referred to it. I have
> > >>> set
> > >>> however that warnings should *not* be sent as an attachment so maybe
> > >>> this
> > >>> is another bug?
> > >>>
> > >>> Things worked fine with the 4.12 release, this was found on release
> > >>> 4.13-3
> > >>>
> > >>> The message went through our Exchange server and because of a forward
> > >>> rule
> > >>> the message was sent outside again. Again MailScanner reported the
> > >>> problem
> > >>> but did not remove the attachment!
> > >>>
> > >>>
> > >>> --
> > >>> This message has been scanned for viruses and
> > >>> dangerous content by MailScanner, and is
> > >>> believed to be clean.
> > >>>
> > >> Craig Pratt
> > >> Strongbox Network Services Inc.
> > >> mailto:craig at strong-box.net
> > >>
> > >>
> > >> --
> > >> This message checked for dangerous content by MailScanner on
> > >> StrongBox.
> > >>
> > >
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean.
> > >
> > Craig Pratt
> > Strongbox Network Services Inc.
> > mailto:craig at strong-box.net
> >
> >
> > --
> > This message checked for dangerous content by MailScanner on StrongBox.
> >
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
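
A check for the two symptoms reported in this thread (flagged attachment delivered as-is, and a body that refers to VirusWarning.txt with none attached), as an added example that is not MailScanner code and not from any poster. The double-extension pattern, the function names and the sample messages are assumptions constructed for illustration; the pattern is not MailScanner's own filename rule.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed heuristic (not MailScanner's rule): two or more trailing
# extensions of 2-4 characters, e.g. "ACN.DOC.xls.doc". It also matches
# benign names such as "archive.tar.gz", so treat hits as review items.
HIDING = re.compile(r"(\.[A-Za-z0-9]{2,4}){2,}$")
WARNING_NAME = "VirusWarning.txt"

def audit_delivered(raw):
    """Return the problems found in a message the scanner logged as cleaned."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    problems = [f"flagged attachment still present: {n}"
                for n in names if HIDING.search(n)]
    # Inline text parts only: attachments carry a filename, containers are multipart.
    body_refers = any(
        WARNING_NAME in (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk()
        if p.get_content_type() == "text/plain" and not p.get_filename()
    )
    if body_refers and WARNING_NAME not in names:
        problems.append("body refers to VirusWarning.txt but none is attached")
    return problems

def build_sample(attachment_name, with_warning):
    """Construct a sample delivered message (constructed data, not a real mail)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("Warning: please read the attached VirusWarning.txt.\n")
    if attachment_name:
        m.add_attachment(b"dummy", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    if with_warning:
        m.add_attachment("The original attachment was removed.\n",
                         filename=WARNING_NAME)
    return m.as_string()

if __name__ == "__main__":
    for problem in audit_delivered(build_sample("ACN.DOC.xls.doc", False)):
        print(problem)
```
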


