Filetype false positive?

shuttlebox shuttlebox at gmail.com
Fri Feb 17 13:38:34 GMT 2006


On 2/17/06, Matthew L. Dailey <mdailey at marlboro.edu> wrote:
>
> We've run into what I think may be a false positive in the filetype
> match, although it is _very_ obscure. If we send a message which
> begins with the letters 'LZ', the message is detected as an
> executable. We have had this problem for a while, but I just built a
> completely new installation of our mail gateway with MS 4.50.15
> hoping it would be gone, but it's not. In order to replicate this,
> the message must begin with these two letters, and they must be in
> caps. Here are the rules for executables that I'm using in
> filetype.rules.conf:
> deny    executable      No executables          No programs allowed
> deny    ELF             No executables          No programs allowed
>
> I know this is pretty weird and obscure, but one of the higher-ups in
> our administration has the initials LZ and the President likes to
> start e-mails to this individual with 'LZ-', which triggers this
> every time.
>
> Anyone have any ideas on this one? I took a quick look at the MS
> code, but nothing jumped out at me - perhaps it's in one of the
> parser or decoder modules that MS uses?
>

You will not find anything in the MS code since it uses the standard Unix
"file" command to determine the file type. Read the man page for that
command to find the "magic" file that contains signatures. It seems that
different Unix flavors come with different magic files, some contain more
signatures and might be more prone to false alarms.

One solution, granted not the best, would be to use a ruleset so that the LZ guy
can send executables. Quick and dirty fix.

--
/peter
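The mechanism behind the false positive described in this thread, as an added example (not MailScanner code and not the implementation of file(1)): a magic-file lookup compares a fixed signature at a fixed offset and reports the first hit, so a plain-text body that happens to start with the two bytes of a DOS executable signature is reported as an executable. The magic table below is constructed for illustration; the exact entries and descriptions shipped on a given system are an assumption and should be checked against that system's magic(5) database. The `looks_like_text` guard is an added mitigation idea, not something the thread proposes: it only overrides an executable verdict when the leading bytes are entirely printable ASCII, which a real MZ or ELF header never is.

```python
"""Magic-signature lookup and why a body starting with 'LZ' trips an executable rule.

Added example, not the project's code. MAGIC is a constructed subset that
imitates the shape of file(1) magic entries: (offset, signature, description,
category). The 'LZ' entry is an assumption modelling whatever entry fires on
the poster's system; verify the real one with the magic(5) database.
"""
import string

MAGIC = [
    (0, b"\x7fELF", "ELF executable", "ELF"),
    (0, b"MZ", "MS-DOS executable", "executable"),
    (0, b"LZ", "MS-DOS executable (built-in)", "executable"),  # assumption
]

# Rules in the same shape as the poster's filetype.rules.conf lines (action, type)
RULES = [("deny", "executable"), ("deny", "ELF")]

TEXT_BYTES = set(string.printable.encode("ascii"))


def magic_lookup(data: bytes):
    """Pure signature match: first matching entry wins, no other context used."""
    for offset, sig, desc, cat in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return desc, cat
    return "data", "data"


def looks_like_text(data: bytes, sample: int = 512) -> bool:
    """True when the first `sample` bytes are all printable ASCII or whitespace.

    Genuine MZ/ELF headers contain NUL or 0x7f bytes within this window, so the
    guard does not hide real binaries; it only rescues plain-text bodies.
    """
    head = data[:sample]
    return len(head) > 0 and all(b in TEXT_BYTES for b in head)


def classify(data: bytes, text_guard: bool = True):
    """Magic lookup, optionally overridden when the content is clearly text."""
    desc, cat = magic_lookup(data)
    if text_guard and cat in ("executable", "ELF") and looks_like_text(data):
        return "ASCII text", "text"
    return desc, cat


def rule_decision(category: str, rules=RULES) -> str:
    """Apply deny/allow rules to a category; anything unmatched is allowed."""
    for action, filetype in rules:
        if filetype == category:
            return action
    return "allow"


# Constructed sample inputs
MEMO = b"LZ- please look over the budget draft before Friday.\n"
DOS_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
ELF_BIN = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("memo", MEMO), ("dos_exe", DOS_EXE), ("elf", ELF_BIN)):
        raw = magic_lookup(blob)
        guarded = classify(blob)
        print(f"{name}: magic={raw[0]!r} -> {rule_decision(raw[1])}; "
              f"guarded={guarded[0]!r} -> {rule_decision(guarded[1])}")
```

With the guard off, the memo is denied exactly as the poster reports; with it on, the memo passes while both binaries are still denied. The guard is a content heuristic layered over the signature lookup, so it belongs in the caller, not in the magic database, which is why editing the shipped magic file or adding a per-sender ruleset are the two fixes the thread actually discusses.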