{File type?} Re: New user trying to understand mailscanner capabilities to design solution
Dustin Baer
dustin.baer at IHS.COM
Tue Jul 6 18:19:08 IST 2004
Shoval Tomer wrote:
> Could you post your filetype.rules.conf file, please, or send it to me
> off list?
>
Here you go. It is the CLSID section that is blocking your
attachment...as Peter just mentioned on list.
Dustin
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
-------------- next part --------------
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny, then regular expression, then log text, then user
# report text.
#
allow \.RG.*\$ - -
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
# These 4 are well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
deny ^mime001.txt$ - -
# DMB # allow \.txt$ - -
# added for other viruses
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sit$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -
# These are known to be dangerous in almost all cases.
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
#deny \.rar$ Possible new Bagle-N virus outbreak Possible new Bagle-N virus outbreak
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
# Deny filenames ending with CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real extension Files ending in CLSID's are trying to hide their real extension
# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
# Allow repeated file extension, e.g. blah.zip.zip
# Commented out by Dustin Baer
#allow (\.[a-z0-9]{3})\1$ - -
# Deny all other double file extensions. This catches any hidden filenames.
# Commented out by Dustin Baer - IHS uses many double file extensions
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
# Added by Dustin Baer
deny \.avi$ AVI files not allowed AVI files not allowed
deny \.cab$ CAB files not allowed CAB files not allowed
deny \.eml$ EML files not allowed EML files not allowed
deny \.mov$ MOV files not allowed MOV files not allowed
deny \.mp3$ MP3 files not allowed MP3 files not allowed
deny \.mpg$ MPG files not allowed MPG files not allowed
deny \.mpeg$ MPEG files not allowed MPEG files not allowed
deny \.swf$ SWF files not allowed SWF files not allowed
deny \.wav$ WAV files not allowed WAV files not allowed
deny \.wmv$ WMV files not allowed WMV files not allowed
deny \.zi$ ZI files not allowed ZI files not allowed
deny \.$ Malformed file extension Malformed file extension
allow \.pdf$ - -
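To see why the CLSID section is the rule that fires on a name like the one Shoval posted, here is an added Python model of how a filename rules file of this shape is evaluated (example code written for this archive page, not part of the post and not MailScanner's own code): rules are read from their tab-separated fields and tried top to bottom, and the first match decides. It assumes case-insensitive matching and an implicit allow when no rule matches; the rule excerpt, the CLSID and the filenames are constructed.

```python
import re

# Constructed excerpt of the tab-separated rules posted above (not the full file).
# Fields: allow|deny <TAB> regex <TAB> log text <TAB> user report text.
RULES_CONF = "\n".join([
    "#",
    "# NOTE: Fields are separated by TAB characters --- Important!",
    "allow\t\\.jpg$\t-\t-",
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email",
    "deny\t\\{[a-hA-H0-9-]{25,}\\}\tFilename trying to hide its real extension"
    "\tFiles ending in CLSID's are trying to hide their real extension",
    "deny\t\\s{10,}\tFilename contains lots of white space"
    "\tA long gap in a name is often used to hide part of it",
    "deny\t\\.$\tMalformed file extension\tMalformed file extension",
    "allow\t\\.pdf$\t-\t-",
])


def parse_rules(text):
    """Return [(action, compiled regex, log text, report text)] in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = line.split("\t")  # the texts contain spaces, so tabs are the only safe separator
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        action, pattern, logtext, report = fields
        if action.lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # Assumption: filenames are matched case-insensitively, so SETUP.EXE is still caught.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), logtext, report))
    return rules


def check_filename(rules, filename):
    """First matching rule wins; with no match the attachment is allowed (assumed default)."""
    for action, regex, logtext, _report in rules:
        if regex.search(filename):
            return action, logtext
    return "allow", None


RULES = parse_rules(RULES_CONF)

if __name__ == "__main__":
    # Constructed sample names. The CLSID-suffixed one never reaches the trailing
    # "allow .pdf" rule because the earlier CLSID deny matches first.
    for name in ("photo.jpg", "SETUP.EXE", "notes.txt", "report.pdf",
                 "report.pdf.{12345678-ABCD-1234-ABCD-1234567890AB}",
                 "report" + " " * 12 + ".pdf", "readme."):
        print(f"{name!r:60} -> {check_filename(RULES, name)}")
```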