Filetype rules not working
Pete Russell
pete at ENITECH.COM.AU
Tue Feb 22 06:34:03 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Carinus Carelse wrote:
> I am trying to setup a filter for filetype rules but they don't seem to
> be working.
Any chance of providing error messages or maillog entires for a email
that was scannd with the test attachment, or the debug output from the
batch?
I am attaching my files can anyone see what i doing wrong.
>
>
>
> CArinus
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>
> ------------------------------------------------------------------------
>
> From: user at domain.com %rules-dir%/filename.zipok.rules.conf
> FromOrTo: user1 at domain.com %rules-dir%/filename.zipok.rules.conf
> FromOrTo: default %etc-dir%/filename.rules.conf
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>
> ------------------------------------------------------------------------
>
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete, then regular expression, then log text,
> # then user report text.
> #
>
> # Due to a bug in Outlook Express, you can make the 2nd from last extension
> # be what is used to run the file. So very long filenames must be denied,
> # regardless of the final extension.
> deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
>
> # JKF 04/01/2005 More Microsoft security vulnerabilities
> deny \.bmp$ Windows bitmap file security vulnerability Possible buffer overflow in Windows
> deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
> deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
> deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
> deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
>
> # These 4 are well known viruses.
> deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
> deny happy99\.exe$ "Happy" virus "Happy" virus
> deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
> deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
>
> # These are known to be mostly harmless.
> allow \.jpg$ - -
> allow \.gif$ - -
> # .url is arguably dangerous, but I can't just ban it...
> allow \.url$ - -
> allow \.vcf$ - -
> allow \.txt$ - -
> allow \.zip$ - -
> allow \.t?gz$ - -
> allow \.bz2$ - -
> allow \.Z$ - -
> allow \.rpm$ - -
> # PGP and GPG
> allow \.gpg$ - -
> allow \.pgp$ - -
> allow \.sit$ - -
> allow \.asc$ - -
> # Macintosh archives
> allow \.hqx$ - -
> allow \.sit.bin$ - -
> allow \.sea$ - -
>
> # These are known to be dangerous in almost all cases.
> deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
> deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
> # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
> deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
> deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
> deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
> deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
> deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
> deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
> deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
> deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
> deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
> deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
> deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
> deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
> deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
> deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
> deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
>
> # These are new dangerous attachment types according to Microsoft in
> # http://support.microsoft.com/?kbid=883260
> deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
> deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260
>
>
> # These 2 added by popular demand - Very often used by viruses
> deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
> deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
>
> # These are very dangerous and have been used to hide viruses
> deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
> deny \.bat$ Possible malicious batch file script Batch files are often malicious
> deny \.cmd$ Possible malicious batch file script Batch files are often malicious
> deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
> deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
>
> # Deny filenames ending with CLSID's
> deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
>
> # Deny filenames with lots of contiguous white space in them.
> deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
>
> # Allow repeated file extension, e.g. blah.zip.zip
> allow (\.[a-z0-9]{3})\1$ - -
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>
> ------------------------------------------------------------------------
>
> From: user at domain.com %rules-dir%/filetype.zipok.rules.conf
> From: user1 at domain.com %rules-dir%/filetype.zipok.rules.conf
> FromOrTo: default %etc-dir%/filetype.rules.conf
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>
> ------------------------------------------------------------------------
>
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete, then regular expression, then log text,
> # then user report text.
> #
>
> allow text - -
> allow script - -
> allow archive - -
> deny self-extract No self-extracting archives No self-extracting archives allowed
> deny ELF No executables No programs allowed
> deny executable No executables No programs allowed
> deny MPEG No MPEG movies No MPEG movies allowed
> deny AVI No AVI movies No AVI movies allowed
> deny MNG No MNG/PNG movies No MNG movies allowed
> deny QuickTime No QuickTime movies No QuickTime movies allowed
> deny ASF No Windows media No Windows media files allowed
> deny Registry No Windows Registry entries No Windows Registry files allowed
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list