Filetype false positive?

Matthew L. Dailey mdailey at marlboro.edu
Fri Feb 17 13:13:14 GMT 2006


We've run into what I think may be a false positive in the filetype  
match, although it is _very_ obscure. If we send a message which  
begins with the letters 'LZ', the message is detected as an  
executable. We have had this problem for a while, but I just built a  
completely new installation of our mail gateway with MS 4.50.15  
hoping it would be gone, but it's not. In order to replicate this,  
the message must begin with these two letters, and they must be in  
caps. Here are the rules for executables that I'm using in  
filetype.rules.conf:

deny    executable      No executables          No programs allowed
deny    ELF             No executables          No programs allowed

I know this is pretty weird and obscure, but one of the higher-ups in  
our administration has the initials LZ and the President likes to  
start e-mails to this individual with 'LZ-', which triggers this  
every time.

Anyone have any ideas on this one? I took a quick look at the MS  
code, but nothing jumped out at me - perhaps it's in one of the  
parser or decoder modules that MS uses?

- Matthew L. Dailey
   Director of Networks and Support Services
   Marlboro College
   mdailey _at_ marlboro _dot_ edu
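
An added example, not part of the original post and not MailScanner's own code: a small checker that shows which of the two quoted rules would fire for a given file-type description. It assumes the rules are regular expressions applied, first match wins and case-insensitively, to the text that file(1) prints for each message part; the function names and the sample descriptions are constructed for illustration.

```python
import re

# The two rules quoted in the post: action, pattern, log text, user text.
RULES_TEXT = (
    "deny\texecutable\tNo executables\tNo programs allowed\n"
    "deny\tELF\tNo executables\tNo programs allowed\n"
)

def parse_rules(text):
    """Parse filetype.rules.conf-style lines into (action, regex, log, user)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on tabs, or on runs of spaces as the rules appear in the post.
        fields = re.split(r"\t+| {2,}", line, maxsplit=3)
        if len(fields) < 2:
            continue  # malformed rule: no pattern field
        action, pattern = fields[0].lower(), fields[1]
        log, user = (fields[2:] + ["", ""])[:2]
        # Assumption: patterns are applied case-insensitively.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log, user))
    return rules

def first_match(rules, description):
    """Return (action, pattern) of the first rule matching a file(1) description."""
    for action, regex, _log, _user in rules:
        if regex.search(description):
            return action, regex.pattern
    return None

# Constructed descriptions (not captured from the poster's gateway).
SAMPLES = [
    "ASCII text",
    "MS-DOS executable (built-in)",
    "ELF 32-bit LSB executable, Intel 80386",
    "ELF 64-bit LSB shared object, x86-64",
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for desc in SAMPLES:
        print(f"{desc!r:45} -> {first_match(rules, desc)}")
```

Running file(1) on the saved message body on the gateway gives the real description to pass to first_match.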
