Filetype false positive?

Glenn Steen glenn.steen at gmail.com
Fri Feb 17 13:59:43 GMT 2006 

On 17/02/06, Matthew L. Dailey <mdailey at marlboro.edu> wrote:
> We've run into what I think may be a false positive in the filetype
> match, although it is _very_ obscure. If we send a message which
> begins with the letters 'LZ', the message is detected as an
> executable. We have had this problem for a while, but I just built a
> completely new installation of our mail gateway with MS 4.50.15
> hoping it would be gone, but it's not. In order to replicate this,
> the message must begin with these two letters, and they must be in
> caps. Here are the rules for executables that I'm using in
> filetype.rules.conf:
> deny    executable      No executables          No programs allowed
> deny    ELF             No executables          No programs allowed
>
> I know this is pretty weird and obscure, but one of the higher-ups in
> our administration has the initials LZ and the President likes to
> start e-mails to this individual with 'LZ-', which triggers this
> every time.
>
> Anyone have any ideas on this one? I took a quick look at the MS
> code, but nothing jumped out at me - perhaps it's in one of the
> parser or decoder modules that MS uses?
>
> - Matthew L. Dailey
>    Director of Networks and Support Services
>    Marlboro College
>    mdailey _at_ marlboro _dot_ edu
>
>

This isn't really MailScanner, it is an idiosyncrasity of the file
command/its "magic" file...
Doing a simple test, one can see what happens:
# cat aa
LZ-skdfjldksj
# file aa
aa: MS-DOS executable (built-in)
#
And looking through the magic file (residing in
/usr/share/misc/file/magic on a Mandriva of mine), one has the line:
# miscellaneous formats
0       string          LZ              MS-DOS executable (built-in)

... So the problem is squarely in a rather optimistic file config. You
could either stop using the filetype checks, perhaps just for your
boss (via a ruleset), or you could fiddle with the magic file... Why
not just comment out that line?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list