4.51.6-1, linux file command mis-diagnosing bodies of messages

[Paul Haldane]

We had a odd issue today - one of my colleagues sent a plain text message which was flagged as having a disallowed file type ...

The original e-mail attachment "the entire message"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

After a fair amount of log trawling (which didn't help much) and experimentation we eventually worked out that it was provoked by the 5th to 8th characters of the body of the message being 'free'.  This gets picked up by the Linux file command as Apple QuickTime movie file because of the following entry in /usr/share/file/magic (this is RH AS4) ...

4       string          free            Apple QuickTime movie file (free)

It would have helped if somewhere (either in the logs or in the message sent to the sender) we could show what type of file we thought it was rather than just saying that it's something that's not on our allowed list (if this should be happening already we'll check our configs).

I'm not sure what we plan to do to fix this here.  Obvious kludges that occur to me are taking the entry out of the magic file (and recompiling the version magic uses), doing the same thing but having a separate version of the magic file for use by MailScanner or being less restrictive in the set of file types we let through.

Paul
-- 
Paul Haldane
Unix Systems Team
Information Systems and Services
University of Newcastle upon Tyne