Bug in filename rules handling?

Remco Barendse mailscanner at BARENDSE.TO
Tue Mar 11 11:57:00 GMT 2003


Thanks for checking!

Is the error in the filename.rules.conf or in the MailScanner code? I have
my own even more strict filename rules in place.

Thanks!!

Remco

On Tue, 11 Mar 2003, Julian Field wrote:

> In the process of adding all the code to support proper checking of
> long/evil filenames, I screwed up.
>
> Please can you download and try out version 4.14-1, and let me know how you
> get on.
> URLs are
>
> Tar distribution:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
>
> RedHat (and others) RPM:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
>
> SuSE:
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
>
> At 11:09 11/03/2003, you wrote:
> >I have it set to yes but this has not changed the behaviour of MailScanner
> >before. I think all files in the filename.rules.conf are treated equal?
> >
> >I would not like to be in a situation where somenewvirus.doc.scr would be
> >allowed through because the latest virus definition couldn't recognize the
> >virus and the attachment would then be passed on as 'safe'.
> >
> >Also the attachment wasn't replaced with the VirusWarning.txt!
> >
> >On Tue, 11 Mar 2003, Craig Pratt wrote:
> >
> > > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > > the behavior you're seeing?
> > >
> > > # Should I attempt to disinfect infected attachments and then deliver
> > > # the clean ones. "Disinfection" involves removing viruses from files
> > > # (such as removing macro viruses from documents). "Cleaning" is the
> > > # replacement of infected attachments with "VirusWarning.txt" text
> > > # attachments.
> > > # This can also be the filename of a ruleset.
> > > Deliver Disinfected Files = yes
> > >
> > > On Tuesday, March 11, 2003, at 12:36  AM, Remco Barendse wrote:
> > > > > Yes the headers were added as they should and the header also said
> > > > > 'found to be infected'
> > > > >
> > > > > Everything seems to be OK but the attachment was not removed and the
> > > > > VirusWarning was not inserted in the message as it should nor was it
> > > > > sent as an attachment.
> > > >
> > > > On Tue, 11 Mar 2003, Craig Pratt wrote:
> > > >
> > > >> Have any of the "X-MailScanner" headers been added to the message?
> > > >>
> > > >> If not, this might mean that MailScanner is not actually the one
> > > >> delivering the message. Is it possible that sendmail is running behind
> > > >> MS's back?
> > > >>
> > > >> Craig
> > > >>
> > > >> On Tuesday, March 11, 2003, at 12:01  AM, Remco Barendse wrote:
> > > > >>> This morning we have received a message with filename extension
> > > > >>> hiding.
> > > > >>> The attachment is named ACN.DOC.xls.doc
> > > > >>>
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages
> > > > >>>
> > > > >>> Although a notification was sent to postmaster that a virus had been
> > > > >>> caught, and the message subject was correctly modified and there was a
> > > > >>> notification inside the message to look inside VirusWarning.txt things
> > > > >>> didn't work.
> > > > >>>
> > > > >>> The attachment was let through 'as-is' without renaming or without
> > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to the
> > > > >>> mail message although the body of the message referred to it. I have set
> > > > >>> however that warnings should *not* be sent as an attachment so maybe this
> > > > >>> is another bug?
> > > > >>>
> > > > >>> Things worked fine with the 4.12 release, this was found on release
> > > > >>> 4.13-3
> > > > >>>
> > > > >>> The message went through our Exchange server and because of a forward rule
> > > > >>> the message was sent outside again. Again MailScanner reported the problem
> > > > >>> but did not remove the attachment!
> > > >>>
> > > >>>
> > > >>> --
> > > >>> This message has been scanned for viruses and
> > > >>> dangerous content by MailScanner, and is
> > > >>> believed to be clean.
> > > >>>
> > > >> Craig Pratt
> > > >> Strongbox Network Services Inc.
> > > >> mailto:craig at strong-box.net
> > > >>
> > > >>
> > > >> --
> > > >> This message checked for dangerous content by MailScanner on
> > > >> StrongBox.
> > > >>
> > > >
> > > >
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content by MailScanner, and is
> > > > believed to be clean.
> > > >
> > > Craig Pratt
> > > Strongbox Network Services Inc.
> > > mailto:craig at strong-box.net
> > >
> > >
> > > --
> > > This message checked for dangerous content by MailScanner on StrongBox.
> > >
> >
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by MailScanner, and is
> >believed to be clean.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
>


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
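
Added example (not part of the original thread and not MailScanner's own code): a post-delivery regression check for the failure reported above, where filename hiding was logged but the attachment was still delivered. The regex, the allow-list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Assumed heuristic, not MailScanner's rule: two short extensions in a row at
# the end of the name, optionally separated or followed by padding whitespace.
HIDING = re.compile(r"\.[a-z0-9]{2,4}\s*\.[a-z0-9]{2,4}\s*$", re.I)
# Assumed allow-list of benign double extensions.
ALLOWED = re.compile(r"\.tar\.(gz|bz2|z)$", re.I)


def hides_extension(name):
    """True if the filename looks like extension hiding (e.g. x.doc.scr)."""
    name = name.strip().rstrip(".")  # trailing dots/spaces are ignored by some clients
    return bool(HIDING.search(name)) and not ALLOWED.search(name)


def surviving_attachments(raw):
    """Filenames in an already 'cleaned' message that still match the check.

    A non-empty result means the scanner reported the problem but the
    attachment was delivered anyway, as described in the thread.
    """
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and hides_extension(fname):
            hits.append(fname)
    return hits


def build_sample(attachment_name):
    """Constructed test message carrying one attachment with the given name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Warning: please read the attachment named VirusWarning.txt")
    msg.add_attachment(b"constructed payload", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("ACN.DOC.xls.doc", "VirusWarning.txt"):
        left = surviving_attachments(build_sample(name))
        print(name, "->", "FAIL, still attached: %s" % left if left else "ok")
```

Run against a copy of a delivered message, the check does not depend on virus definitions, so it also covers the somenewvirus.doc.scr case raised in the thread.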


