Filetype/MailScanner bug

Rose, Bobby brose at
Tue Mar 21 02:57:53 GMT 2006

Since the "Use TNEF Contents" function in the latest version, I've come
across a pseudo bug.  It's really not a bug since both file and
MailScanner are doing exactly what they're supposed to.

If "Use TNEF Contents" is yes and a plain text message or rtf formatted
message is processed, there is a potential for file to misinterpret a
text message as an incorrect filetype because of string of text being in
the correct byte position that magic is expecting for a particular

It was stumbled upon by a one of our researchers who received a "No
QuickTime movies allowed (msg-19905-304.txt)" warning from mail server.
After investigation it turned out that the word "free" was in the 4th
byte position which is also a magic signature for quicktime.  I've been
able to dupe by sending a plain-text and an rtf formatted message with
"RE: freezer emergency" as the first line in the message body.

Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
without compromising security.  \.txt$ is allowed in my filenames rule
file so that currently can't be used to offset.


More information about the MailScanner mailing list