Filetypes and filenames not being checked
DAve
dave.list at pixelhammer.com
Sun Jul 30 07:15:28 IST 2006
DAve wrote:
> DAve wrote:
>> Dhawal Doshy wrote:
>>> DAve wrote:
>>>> Dhawal Doshy wrote:
>>>>> DAve wrote:
>>>>>> DAve wrote:
>>>>>>> Golden, James wrote:
>>>>>>>> I'm pretty new to this MailScanner stuff, so this may be too
>>>>>>>> simple. So please excuse me. What about the file permissions on
>>>>>>>> your filename.rules.conf or filetype.rules.conf?
>>>>>>>
>>>>>>> I am in no position to question anyone's suggestions ;^)
>>>>>>>
>>>>>>> bash-2.05b# ls -la
>>>>>>> total 388
>>>>>>> dr-xr-xr-x 7 root cvs 1024 Jul 26 10:21 .
>>>>>>> drwxr-xr-x 16 root wheel 1024 Jul 25 09:04 ..
>>>>>>> drwxr-xr-x 2 root cvs 512 Aug 9 2004 CVS
>>>>>>> -rw-r--r-- 1 root cvs 99589 Jul 26 10:21 MailScanner.conf
>>>>>>> drwxr-xr-x 2 root cvs 512 Jul 27 13:02 bayes
>>>>>>> -r--r--r-- 1 root wheel 11426 Jun 4 13:27 country.domains.conf
>>>>>>> -rw-r--r-- 1 root cvs 197 Jul 21 12:59 filename.allow.rules.conf
>>>>>>> -rw-r--r-- 1 root cvs 6851 Jul 21 12:51 filename.deny.rules.conf
>>>>>>> -rw-r--r-- 1 root cvs 929 Jul 21 13:01 filetype.allow.rules.conf
>>>>>>> -rw-r--r-- 1 root cvs 921 Jul 21 12:51 filetype.deny.rules.conf
>>>>>>> dr-xr-xr-x 2 root cvs 512 Jul 21 16:44 mcp
>>>>>>> -r--r--r-- 1 root wheel 14618 Jun 4 13:27 phishing.safe.sites.conf
>>>>>>> drwxr-xr-x 2 root cvs 2048 Jun 4 13:44 reports
>>>>>>> dr-xr-xr-x 3 root cvs 512 Jul 21 16:43 rules
>>>>>>> -rw-r--r-- 1 root cvs 9692 Jul 21 16:15 spam.assassin.prefs.conf
>>>>>>> -r--r--r-- 1 root cvs 2969 Feb 14 2005 spam.lists.conf
>>>>>>> -r--r--r-- 1 root wheel 2969 Jun 4 13:27 spam.lists.conf.sample
>>>>>>> -rw-r--r-- 1 root cvs 2834 Nov 2 2005 virus.scanners.conf
>>>>>>>
>>>>>>> bash-2.05b# ls -la rules
>>>>>>> total 40
>>>>>>> dr-xr-xr-x 3 root cvs 512 Jul 21 16:43 .
>>>>>>> dr-xr-xr-x 7 root cvs 1024 Jul 26 10:21 ..
>>>>>>> drwxr-xr-x 2 root cvs 512 Aug 9 2004 CVS
>>>>>>> -r--r--r-- 1 root wheel 2817 Jun 4 13:27 EXAMPLES
>>>>>>> -r--r--r-- 1 root wheel 2964 Jun 4 13:27 README
>>>>>>> -rw-r--r-- 1 root cvs 90 Jun 4 13:50 bounce.rules
>>>>>>> -rw-r--r-- 1 root cvs 1743 Jun 6 18:40 highscore.delivery.rules
>>>>>>> -rw-r--r-- 1 root cvs 1529 Jun 6 18:40 mcp.delivery.rules
>>>>>>> -rw-r--r-- 1 root cvs 71 Jun 6 18:40 spam.blacklist.rules
>>>>>>> -rw-r--r-- 1 root cvs 961 Jun 6 18:40 spam.whitelist.rules
>>>>>>> -rw-r--r-- 1 root cvs 369 Jun 6 18:40 user.content.rules
>>>>>>> -rw-r--r-- 1 root cvs 1878 Jul 17 17:05 user.delivery.rules
>>>>>>> -rw-r--r-- 1 root cvs 636 Jul 21 12:49 user.filename.rules
>>>>>>> -rw-r--r-- 1 root cvs 636 Jul 21 12:50 user.filetype.rules
>>>>>>> -rw-r--r-- 1 root cvs 722 Jul 19 10:30 user.filtering.rules
>>>>>>> -rw-r--r-- 1 root cvs 251 Jun 6 18:40 user.mcp.rules
>>>>>>> -rw-r--r-- 1 root cvs 419 Jun 6 18:40 user.scanning.rules
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> One other thought is your max or minimum size for attachments
>>>>>>>> setting in the Mailscanner.conf file?
>>>>>>>
>>>>>>> I'm testing with a 76k text file named test.scr and a copy named
>>>>>>> test.sxw.doc.
>>>>>>>
>>>>>>> Maximum Message Size = 0
>>>>>>> Maximum Attachment Size = -1
>>>>>>> Minimum Attachment Size = -1
>>>>>>>
>>>>>>> Should be no checking going on (I do RBLs, size checking, max
>>>>>>> recipients on the MTA).
>>>>>>>
>>>>>>> I would be perfectly willing to post any and all conf files
>>>>>>> online for viewing.
>>>>>>
>>>>>> http://pixelhammer.com/MS/MailScanner.conf
>>>>>> http://pixelhammer.com/MS/user.filename.rules
>>>>>>
>>>>>> Last act of desperation. This is as simple as I can make it and it
>>>>>> still is not stopping double suffix or even test.scr.
>>>>>>
>>>>>> Is there a stupid mistake I am just not seeing or is it time to
>>>>>> reinstall everything?
>>>>>>
>>>>>> DAve
>>>>>
>>>>> And what is the content of
>>>>> /usr/local/etc/MailScanner/rules/user.content.rules?
>>>>>
>>>>> - dhawal
>>>>
>>>> http://pixelhammer.com/MS/user.content.rules
>>>>
>>>> DAve
>>>
>>> Well, there lies your problem, and I had previously hinted at this as
>>> well. You have
>>>
>>> Dangerous Content Scanning = %rules-dir%/user.content.rules
>>>
>>> and /usr/local/etc/MailScanner/rules/user.content.rules contains
>>>
>>> To: default no
>>> From: default no
>>>
>>> which indicates that you are not checking for 'Dangerous Content
>>> Scanning'. Filename/type checks depend on 'Dangerous Content
>>> Scanning'. Set the From to 'yes' and re-test.
>>>
>>> - dhawal
>>
>> I'll test it, but that file has not been changed since my initial
>> setup over two years ago. Hence why I responded that it was OK when
>> you suggested I check it.
>>
>> I say that but, the last upgrade involved SA, ClamAV, MailWatch, and
>> MailScanner on three machines in one night. It is entirely possible I
>> did that.
>>
>> DAve
>>
>>
>
> user.content.rules changed to the following,
>
> To: default yes
> From: default yes
>
> Both test.scr and test.sxw.doc blow right through.
>
> X-TLS.net-MailScanner: Found to be clean
>
> DAve
>
Sometimes patience is a good thing. I did nothing after my last change,
adopting a wait and see attitude. I checked my quarantine this evening
and I have files with double suffixes and files with banned suffixes. So
now it works.
Odd that it did not work after I edited and restarted. The last test I
performed was 20 minutes after the restart. Now, 24 hours later, it works.
I have two questions now:
1) Why did the restart not make a difference earlier?
2) Why did I have "From: default no" in my user.content.rules?
The first question I will have to look into further; it may be an issue
with the start script from the FreeBSD port. It is not a MailScanner
issue regardless.
The second has me baffled completely as my support staff tells me they
have been getting requests from clients to release files with double
suffixes. Which can only mean, "I changed the user.content.rules". I've
no recollection of doing so, but clearly rsync made certain my error was
NOC wide. Maybe after 5 years of 24/7/365 a vacation is in order.
Thanks to everyone for their patience with me on this problem.
DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
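As an added illustration (not MailScanner's own code, and not the poster's files), a small Python model of why `From: default no` in user.content.rules let test.scr and test.sxw.doc through: the filename/filetype checks are gated on the Dangerous Content Scanning ruleset, so a 'no' result skips them entirely. Ruleset matching is simplified here (first explicit match wins, `default` as the fallback) and the filename deny patterns are constructed for the example.

```python
import re

# Constructed rulesets in MailScanner's "Direction Pattern Value" layout
# (not the poster's files). eval_ruleset() is a simplified model: explicit
# patterns are tried in file order and the first match wins; "default" is
# the fallback used when nothing else matches.
CONTENT_RULES_BROKEN = "To:   default   no\nFrom: default   no\n"
CONTENT_RULES_FIXED = "To:   default   yes\nFrom: default   yes\n"

# Constructed filename rules (action, regex, log text); a deny entry blocks.
FILENAME_RULES = [
    ("deny", r"\.scr$", "screensaver"),
    ("deny", r"\.[a-z0-9]{3}\.[a-z0-9]{3}$", "double extension"),
]


def eval_ruleset(text, sender, recipient):
    """Return the value ('yes'/'no') a ruleset yields for one message."""
    default = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        direction = parts[0].rstrip(":").lower()
        pattern, value = parts[1].lower(), " ".join(parts[2:])
        addrs = {"from": [sender], "to": [recipient],
                 "fromorto": [sender, recipient]}.get(direction, [])
        if pattern == "default":
            default = value if default is None else default
            continue
        # A pattern is either a full address or an @domain suffix.
        if any(a == pattern or (pattern.startswith("@") and a.endswith(pattern))
               for a in (x.lower() for x in addrs)):
            return value
    return default


def scan_attachment(content_rules, filename, sender, recipient):
    """Filename checks run only when Dangerous Content Scanning is 'yes'."""
    if eval_ruleset(content_rules, sender, recipient) != "yes":
        return "clean"  # checks skipped entirely, whatever the filename
    for action, regex, log in FILENAME_RULES:
        if re.search(regex, filename, re.IGNORECASE):
            return "clean" if action == "allow" else "blocked: " + log
    return "clean"


if __name__ == "__main__":
    for rules in (CONTENT_RULES_BROKEN, CONTENT_RULES_FIXED):
        for name in ("test.scr", "test.sxw.doc", "report.pdf"):
            print(rules.split()[2], name,
                  scan_attachment(rules, name, "a@example.com", "b@example.org"))
```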