Filetype/MailScanner bug

Rose, Bobby brose at med.wayne.edu
Wed Mar 29 17:15:52 IST 2006


I just had another message get misidentified by the new "Use TNEF
Contents" option and filetype on the text part of the message that this
function creates.  No QuickTime movies allowed (msg-24987-72.txt) 

Yeah, I could disable the new option, or change the magic file to remove
QuickTime signatures, or even change the filetype.conf, but then again
that defeats the intended purpose of the new option and/or the blocking
of QuickTime filetypes.  But it makes more sense to not be passing the
msg.txt file created by the new function through filetype.  Plus,
filename.conf entries don't seem to override filetype.conf entries as
.txt is listed in the filename.conf by default.

Bobby Rose



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
Bobby
Sent: Monday, March 20, 2006 9:58 PM
To: MailScanner discussion
Subject: Filetype/MailScanner bug

Since the "Use TNEF Contents" function in the latest version, I've come
across a pseudo bug.  It's really not a bug since both file and
MailScanner are doing exactly what they're supposed to.

If "Use TNEF Contents" is yes and a plain text message or rtf formatted
message is processed, there is a potential for file to misinterpret a
text message as an incorrect filetype because of a string of text being in
the correct byte position that magic is expecting for a particular
filetype.

It was stumbled upon by one of our researchers who received a "No
QuickTime movies allowed (msg-19905-304.txt)" warning from the mail server.
After investigation it turned out that the word "free" was in the 4th
byte position which is also a magic signature for QuickTime.  I've been
able to dupe by sending a plain-text and an rtf formatted message with
"RE: freezer emergency" as the first line in the message body.

Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
without compromising security?  \.txt$ is allowed in my filenames rule
file so that currently can't be used to offset.

-=Bobby
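
Added example, not part of the original post and not code from file or MailScanner: it reproduces the collision described above ("free" at byte offset 4 of "RE: freezer emergency") and contrasts an offset-only match with one that also validates the QuickTime atom header. The function names, the atom-type set, the sample buffers and the stricter check itself are assumptions made for illustration.

```python
import struct

# Atom types a magic-style rule can key on at offset 4. "free" is the one named
# in the post; the rest are standard QuickTime atom types (assumed rule set).
QT_ATOM_TYPES = {b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}

# Constructed samples: the message body from the post, and a minimal
# QuickTime-style buffer (8-byte "free" atom followed by a 16-byte "moov" atom).
TEXT_MSG = b"RE: freezer emergency\r\nThe -80 freezer in the lab has failed.\r\n"
QT_SAMPLE = struct.pack(">I", 8) + b"free" + struct.pack(">I", 16) + b"moov" + b"\x00" * 8


def naive_is_quicktime(data: bytes) -> bool:
    """Offset-only match: look at the 4 bytes at offset 4 and nothing else."""
    return data[4:8] in QT_ATOM_TYPES


def implied_atom_size(data: bytes) -> int:
    """A QuickTime atom starts with a 32-bit big-endian size, then the 4-byte type."""
    (size,) = struct.unpack(">I", data[:4])
    return size


def strict_is_quicktime(data: bytes) -> bool:
    """Require a known atom type AND a size field that fits inside the data."""
    if len(data) < 8 or data[4:8] not in QT_ATOM_TYPES:
        return False
    size = implied_atom_size(data)
    if size == 0:                      # size 0: atom runs to end of file
        return True
    if size == 1:                      # size 1: 64-bit size follows the type
        if len(data) < 16:
            return False
        (size64,) = struct.unpack(">Q", data[8:16])
        return 16 <= size64 <= len(data)
    return 8 <= size <= len(data)


if __name__ == "__main__":
    for name, buf in (("text message", TEXT_MSG), ("QuickTime sample", QT_SAMPLE)):
        print(f"{name}: naive={naive_is_quicktime(buf)} "
              f"strict={strict_is_quicktime(buf)} size_field={implied_atom_size(buf):#x}")
```

The text message fails the stricter check because "RE: " read as a size field claims an atom far larger than the message. A scanner adopting such a check should confirm that players also reject headers it rejects, otherwise the tighter rule becomes a way around the block.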