Releasing blocked filetypes (again)
Hywel Burris
hywel at BURRIS.ORG.UK
Thu Sep 30 15:01:07 IST 2004
Hi All,
I have another filename/filetypes rules question; there's been a lot this
week! This has been on my mind for a while, but I have only just had time to
look at it.
When I release mails using MailWatch, I have a separate rule to allow the
specific filenames from 127.0.0.1:
[root at mail-2 MailScanner]# cat rules/filename.rules
From: comtec-europe.co.uk /etc/MailScanner/filename.rules.comtec.conf
From: 127.0.0.1 /etc/MailScanner/allow.filename.rules.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf
The allow.filename.rules.conf is configured to allow double extensions. All
spaces are tab characters.
[root at mail-2 MailScanner]# cat allow.filename.rules.conf | grep "Found possible filename hiding"
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
These rules have been specified in MailScanner.conf
[root at mail-2 MailScanner]# cat MailScanner.conf | grep "Filename Rules"
Filename Rules = %rules-dir%/filename.rules
As you can see from the following logs, this is being released but the file
is being blocked again.
[root at mail-2 MailScanner]# cat /var/log/maillog | grep i8UDFrCK016855
Sep 30 14:15:54 mail-2 sendmail[16855]: i8UDFrCK016855: from=<postmaster at comtec-europe.co.uk>, size=533615, class=0, nrcpts=1, msgid=<200409301315.i8UDFrCK016855 at mail-2.comtec-europe.co.uk>, proto=ESMTP, daemon=MTA, relay=mail-2.comtec-europe.co.uk [127.0.0.1]
Sep 30 14:15:54 mail-2 sendmail[16855]: i8UDFrCK016855: to=<fred.bloggs at comtec-europe.co.uk>, delay=00:00:01, mailer=relay, pri=30176, stat=queued
Sep 30 14:15:54 mail-2 MailScanner[16812]: Message i8UDFrCK016855 from 127.0.0.1 (postmaster at comtec-europe.co.uk) is whitelisted
Sep 30 14:15:58 mail-2 MailScanner[16812]: Filename Checks: Found possible filename hiding (i8UDFrCK016855 CALCULATION.DCT.DOC)
Sep 30 14:15:58 mail-2 MailScanner[16812]: Saved entire message to /var/spool/MailScanner/quarantine/20040930/i8UDFrCK016855
Sep 30 14:15:58 mail-2 MailScanner[16812]: Saved infected "CALCULATION.DCT.DOC" to /var/spool/MailScanner/quarantine/20040930/i8UDFrCK016855
Sep 30 14:15:59 mail-2 sendmail[16885]: i8UDFrCK016855: to=<fred.bloggs at comtec-europe.co.uk>, delay=00:00:06, xdelay=00:00:01, mailer=relay, pri=120176, relay=mailgate-2.newport...mtec-europe.co.uk. [10.10.0.5], dsn=2.0.0, stat=Sent ( <200409301315.i8UDFrCK016855 at mail-2.comtec-europe.co.uk> Queued mail for delivery)
I used to have the following in allow.filetyperules.conf but this wasn't
working either:-
[root at mail-2 MailScanner]# cat filetype.rules.allowall.conf
allow .* - -
Where have I gone wrong? Any help would be greatly appreciated.
Thanks
Hywel
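
An offline check of the rule quoted in the post against the attachment name from the log, added here as an example; it is not part of the original post and not MailScanner's own code (MailScanner is written in Perl, this is Python). It assumes four tab-separated fields per rule, that the first matching rule in a file decides, and that matching ignores case; parse_rules and first_match are hypothetical helper names.

```python
import re

# Constructed sample files. ALLOW_FILE holds the rule quoted in the post;
# DEFAULT_FILE is a constructed deny rule using the same pattern and texts.
PATTERN = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
TEXTS = "Found possible filename hiding\tAttempt to hide real filename extension"
ALLOW_FILE = "# constructed sample\nallow\t" + PATTERN + "\t" + TEXTS + "\n"
DEFAULT_FILE = "deny\t" + PATTERN + "\t" + TEXTS + "\n"


def parse_rules(text):
    """Parse lines of the form action<TAB>regex<TAB>log text<TAB>user text."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            # A rule typed with spaces instead of tabs ends up here.
            raise ValueError(f"line {lineno}: want 4 tab-separated fields, got {len(fields)}")
        action, pattern, log_text, user_text = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        re.compile(pattern)  # fail early on a malformed regex
        rules.append((action, pattern, log_text, user_text))
    return rules


def first_match(rules, filename, ignore_case=True):
    """Return (action, log text) of the first matching rule, or None."""
    flags = re.IGNORECASE if ignore_case else 0
    for action, pattern, log_text, _user_text in rules:
        if re.search(pattern, filename, flags):
            return action, log_text
    return None


if __name__ == "__main__":
    name = "CALCULATION.DCT.DOC"  # attachment name from the maillog excerpt
    for label, text in (("allow file", ALLOW_FILE), ("default file", DEFAULT_FILE)):
        print(label, "->", first_match(parse_rules(text), name))
    print("case-sensitive ->", first_match(parse_rules(ALLOW_FILE), name, ignore_case=False))
```

Running the same filename through each rules file that the ruleset in filename.rules can select shows which file would have to be in effect to produce the "Found possible filename hiding" log line.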