Filetype/MailScanner bug

Scott Silva ssilva at
Wed Mar 29 19:40:11 IST 2006

Rose, Bobby spake the following on 3/29/2006 10:36 AM:
> First, txt by default in MailScanner is an allowed filetype.  Second, a
> user can already do that with the thousands of extensions that are
> allowed because you must explicitly deny the bad stuff in
> MailScanner.  So if a user wanted, they could rename the filename to
> .??_ and it will pass.
> This bug is not so much a problem with filenames.  I'm just pointing out
> that the filenames.conf entries don't override filetype.conf.  So the
> tnef created "msg*.txt" files that can be misinterpreted by filetype as
> Quicktime files can't be overridden.  The only options are to allow
> quicktime filetypes or disable the "Use TNEF Contents" option.
> Note that the msg*.txt files are not being sent by the user.  They are
> created by MailScanner using the current "Use TNEF Contents" function.
> So it would seem to be perfectly safe to say that since MailScanner
> created that file based off of mime/text that it doesn't need to go thru
> a filetype check.
> -----Original Message-----
> From: mailscanner-bounces at
> [mailto:mailscanner-bounces at] On Behalf Of Richard
> Frovarp
> Sent: Wednesday, March 29, 2006 12:15 PM
> To: MailScanner discussion
> Subject: Re: Filetype/MailScanner bug
> You are of course assuming that no one will ever try to sneak an unwanted
> file type through by giving it a txt extension. The whole point of
> checking file types is that you don't trust the extensions. A user could
> change all of their files to have extensions of txt and get past every
> time.
> Rose, Bobby wrote:
>> I just had another message get misidentified by the new "Use TNEF 
>> Contents" option and filetype on the text part of the message that this
>> function creates.  No QuickTime movies allowed (msg-24987-72.txt)
>> Yeh I could disable the new option, or change the magic file to remove 
>> quicktime signatures or even change the filetype.conf but then again 
>> that defeats the intended purpose of the new option and/or the blocking
>> of quicktime filetypes.  But it makes more sense to not be passing the 
>> msg.txt file created by the new function thru filetype.  Plus, 
>> filename.conf entries don't seem to override filetype.conf entries as 
>> .txt is listed in the filename.conf by default.
>> Bobby Rose
>> -----Original Message-----
>> From: mailscanner-bounces at
>> [mailto:mailscanner-bounces at] On Behalf Of Rose, 
>> Bobby
>> Sent: Monday, March 20, 2006 9:58 PM
>> To: MailScanner discussion
>> Subject: Filetype/MailScanner bug
>> Since the "Use TNEF Contents" function in the latest version, I've come
>> across a pseudo bug.  It's really not a bug since both file and 
>> MailScanner are doing exactly what they're supposed to.
>> If "Use TNEF Contents" is yes and a plain text message or rtf formatted
>> message is processed, there is a potential for file to misinterpret a 
>> text message as an incorrect filetype because of a string of text being 
>> in the correct byte position that magic is expecting for a particular 
>> filetype.
>> It was stumbled upon by one of our researchers who received a "No 
>> QuickTime movies allowed (msg-19905-304.txt)" warning from mail server.
>> After investigation it turned out that the word "free" was in the 4th 
>> byte position which is also a magic signature for quicktime.  I've been
>> able to dupe by sending a plain-text and an rtf formatted message with
>> "RE: freezer emergency" as the first line in the message body.
>> Any ideas for a fix to have MailScanner ignore a misdiagnosis by file 
>> without compromising security.  \.txt$ is allowed in my filenames rule 
>> file so that currently can't be used to offset.
>> -=Bobby
But I don't think MailScanner creates these files from any sort of mime types,
it just extracts the files from the TNEF encoded part and re-attaches them. If
the file is wrong in the TNEF file, it will be the same in the new file.


MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
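
The false positive described in this thread, reproduced as an added example that is not part of the original messages and is not code from MailScanner or file: an offset-only rule matches "free" at byte offset 4 of "RE: freezer emergency", while a check that also reads the 4-byte big-endian atom size in front of the type rejects the text. The sample inputs are constructed, the atom type list is partial, and the stricter check is an assumption about one way to tighten such a rule, not how either tool behaves.

```python
import struct

# Constructed sample inputs (not taken from real mail or a real movie file).
TEXT_BODY = b"RE: freezer emergency\r\nThe freezer in the lab has failed.\r\n"
# Constructed atom stream: an 8-byte 'free' atom followed by a 16-byte 'mdat' atom.
ATOM_STREAM = (struct.pack(">I4s", 8, b"free")
               + struct.pack(">I4s8s", 16, b"mdat", b"\x00" * 8))

# Partial list of top-level QuickTime atom types, for illustration only.
ATOM_TYPES = {b"free", b"moov", b"mdat", b"skip", b"wide", b"ftyp", b"pnot"}


def naive_offset_match(data: bytes) -> bool:
    """Offset-only rule: a known atom type string at bytes 4..7."""
    return data[4:8] in ATOM_TYPES


def strict_atom_match(data: bytes) -> bool:
    """Also require the size fields to describe atoms that fit inside the data."""
    pos, atoms = 0, 0
    while pos < len(data):
        if len(data) - pos < 8:
            return False                  # trailing bytes too short for a header
        size, kind = struct.unpack_from(">I4s", data, pos)
        if kind not in ATOM_TYPES:
            return False
        if size == 0:                     # size 0: atom runs to end of file
            return True
        if size == 1:                     # size 1: 64-bit size follows the type
            if len(data) - pos < 16:
                return False
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            if size < 16:
                return False
        elif size < 8:
            return False                  # smaller than its own header
        if pos + size > len(data):
            return False                  # "RE: " read as a size is ~1.3 GB
        pos += size
        atoms += 1
    return atoms > 0


if __name__ == "__main__":
    for name, blob in (("text body", TEXT_BODY), ("atom stream", ATOM_STREAM)):
        print(name, "naive:", naive_offset_match(blob),
              "strict:", strict_atom_match(blob))
```

A truncated but genuine movie file would also fail the strict check, so a size check like this trades some detection for fewer false positives on text.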
