Bug in filename rules handling?
Julian Field
mailscanner at ecs.soton.ac.uk
Tue Mar 11 12:25:49 GMT 2003
At 11:57 11/03/2003, you wrote:
>Thanks for checking!
>
>Is the error in the filename.rules.conf or in the MailScanner code? I have
>my own even more strict filename rules in place.
In the MailScanner code.
>Thanks!!
>
>Remco
>
>On Tue, 11 Mar 2003, Julian Field wrote:
>
> > In the process of adding all the code to support proper checking of
> > long/evil filenames, I screwed up.
> >
> > Please can you download and try out version 4.14-1, and let me know how you
> > get on.
> > URLs are
> >
> > Tar distribution:
> >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/tar/MailScanner-4.13-3.tar
> >
> > RedHat (and others) RPM:
> >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.13-3.rpm.tar
> >
> > SuSE:
> >
> > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/suse/MailScanner-4.13-3.suse.tar
> >
> > At 11:09 11/03/2003, you wrote:
> > >I have it set to yes but this has not changed the behaviour of MailScanner
> > >before. I think all files in the filename.rules.conf are treated equal?
> > >
> > >I would not like to be in a situation where somenewvirus.doc.scr would be
> > >allowed through because the latest virus definition couldn't recognize the
> > >virus and the attachment would then be passed on as 'safe'.
> > >
> > >Also the attachment wasn't replaced with the VirusWarning.txt!
> > >
> > >On Tue, 11 Mar 2003, Craig Pratt wrote:
> > >
> > > > How about the "Deliver Disinfected Files" option? Wouldn't that produce
> > > > the behavior you're seeing?
> > > >
> > > > # Should I attempt to disinfect infected attachments and then deliver
> > > > # the clean ones. "Disinfection" involves removing viruses from files
> > > > # (such as removing macro viruses from documents). "Cleaning" is the
> > > > # replacement of infected attachments with "VirusWarning.txt" text
> > > > # attachments.
> > > > # This can also be the filename of a ruleset.
> > > > Deliver Disinfected Files = yes
> > > >
> > > > On Tuesday, March 11, 2003, at 12:36 AM, Remco Barendse wrote:
> > > > > Yes the headers were added as they should and the header also said
> > > > > 'found to be infected'
> > > > >
> > > > > Everything seems to be OK but the attachment was not removed and the
> > > > > VirusWarning was not inserted in the message as it should nor was it
> > > > > sent as an attachment.
> > > > >
> > > > > On Tue, 11 Mar 2003, Craig Pratt wrote:
> > > > >
> > > > >> Have any of the "X-MailScanner" headers been added to the message?
> > > > >>
> > > > >> If not, this might mean that MailScanner is not actually the one
> > > > >> delivering the message. Is it possible that sendmail is running
> > > > >> behind MS's back?
> > > > >>
> > > > >> Craig
> > > > >>
> > > > >> On Tuesday, March 11, 2003, at 12:01 AM, Remco Barendse wrote:
> > > > >>> This morning we have received a message with filename extension
> > > > >>> hiding.
> > > > >>> The attachment is named ACN.DOC.xls.doc
> > > > >>>
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: New Batch: Scanning 1 messages, 38249 bytes
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Virus and Content Scanning: Starting
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Filename Checks: Found possible filename hiding (ACN.DOC.xls.doc)
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Other Checks: Found 1 problems
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Saved entire message to /var/spool/MailScanner/quarantine/20030310/h2AGcBSh018875
> > > > >>> Mar 10 17:38:12 linux MailScanner[17336]: Cleaned: Delivered 1 cleaned messages
> > > > >>>
> > > > >>> Although a notification was sent to postmaster that a virus had been
> > > > >>> caught, and the message subject was correctly modified and there was
> > > > >>> a notification inside the message to look inside VirusWarning.txt
> > > > >>> things didn't work.
> > > > >>>
> > > > >>> The attachment was let through 'as-is' without renaming or without
> > > > >>> removing it. Furthermore there was no VirusWarning.txt attached to
> > > > >>> the mail message although the body of the message referred to it. I
> > > > >>> have set however that warnings should *not* be sent as an attachment
> > > > >>> so maybe this is another bug?
> > > > >>>
> > > > >>> Things worked fine with the 4.12 release, this was found on release
> > > > >>> 4.13-3
> > > > >>>
> > > > >>> The message went through our Exchange server and because of a forward
> > > > >>> rule the message was sent outside again. Again MailScanner reported
> > > > >>> the problem but did not remove the attachment!
> > > > >>>
> > > > >>>
> > > > >>> --
> > > > >>> This message has been scanned for viruses and
> > > > >>> dangerous content by MailScanner, and is
> > > > >>> believed to be clean.
> > > > >>>
> > > > >> Craig Pratt
> > > > >> Strongbox Network Services Inc.
> > > > >> mailto:craig at strong-box.net
> > > > >>
> > > > >>
> > > > >> --
> > > > >> This message checked for dangerous content by MailScanner on
> > > > >> StrongBox.
> > > > >>
> > > > >
> > > > >
> > > > > --
> > > > > This message has been scanned for viruses and
> > > > > dangerous content by MailScanner, and is
> > > > > believed to be clean.
> > > > >
> > > > Craig Pratt
> > > > Strongbox Network Services Inc.
> > > > mailto:craig at strong-box.net
> > > >
> > > >
> > > > --
> > > > This message checked for dangerous content by MailScanner on StrongBox.
> > > >
> > >
> > >
> > >--
> > >This message has been scanned for viruses and
> > >dangerous content by MailScanner, and is
> > >believed to be clean.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
> >
> >
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
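
The failure reported in this thread (a filename-hiding hit is logged, yet the attachment is delivered as-is and the VirusWarning.txt the body refers to is missing) can be caught by auditing the message after it leaves the scanner. The following is an added example, not part of the original thread and not MailScanner code; the double-extension pattern, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed rule, not MailScanner's own: a name ending in two short extensions
# (e.g. ".xls.doc", ".doc.scr") counts as possible filename hiding.
HIDING = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)
WARNING_NAME = "VirusWarning.txt"


def audit_delivered(raw: bytes) -> list[str]:
    """Return findings for a message as it left the scanner."""
    msg = message_from_bytes(raw, policy=policy.default)
    names, body_text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
        elif part.get_content_maintype() == "text":
            body_text.append(part.get_content())
    findings = [f"hidden-extension attachment still present: {n}"
                for n in names if HIDING.search(n)]
    # The body points the reader at a warning file that is not in the message.
    if any(WARNING_NAME in t for t in body_text) and WARNING_NAME not in names:
        findings.append(f"body refers to {WARNING_NAME} but it is not attached")
    return findings


def build_sample(cleaned: bool) -> bytes:
    """Constructed sample: the delivered message, correctly cleaned or not."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(f"Warning: please read the {WARNING_NAME} attachment.\n")
    if cleaned:
        msg.add_attachment("Attachment removed.\n", filename=WARNING_NAME)
    else:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename="ACN.DOC.xls.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for state in (False, True):
        print("cleaned" if state else "as-is", audit_delivered(build_sample(state)))
```

Run against a copy of what the downstream mail server actually received, a non-empty result means the scanner's log and its delivered output disagree.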