Not blocking executables

rob rob at robhq.com
Mon Jan 29 17:29:13 CET 2007


On Mon, 29 Jan 2007 17:05:20 +0100, Glenn Steen wrote
> On 29/01/07, rob <rob at robhq.com> wrote:
> (snip)
> > From /etc/MailScanner/MailScanner.conf
> >
> >
> > File Command = /usr/bin/file
> > Allow Filenames =
> > Deny Filenames =
> > Filename Rules = %etc-dir%/filename.rules.conf
> > Allow Filetypes =
> > Deny Filetypes =
> > Filetype Rules = %etc-dir%/filetype.rules.conf
> >
> Ok good. Then what does
> grep -i exe /etc/MailScanner/filename.rules.conf
> /etc/MailScanner/filetype.rules.conf
> give? Be as verbose as possible, redirect into a file and attach
> that... Both files are a bit hysterical about whitespace... They
> absolutely need to have <TAB> as field separator... and I'd like to see
> if these lines have that (or you could just check it:-). Then again,
> MailScanner --lint is supposed to catch those:-).
> But that is the secondary thing... the primary thing to check for here
> is any "allow" lines that shouldn't be there.
> 
> Perhaps time to start looking at the messages themselves too, how do
> you send them? MIME type etc?
> 
> Cheers
> -- 
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

Just testing this sending from a Yahoo account via their webmail client. Just checked
and this is happening on both our installs of MailScanner. My install at the house does
block the same message.

Microsoft Mail Internet Headers Version 2.0
Received: from XXXXXXXXXXXXXXXXXXXX by stymie.fleetone.com with Microsoft
SMTPSVC(6.0.3790.1830);
	 Mon, 29 Jan 2007 10:22:56 -0600
Received: from web58011.mail.re3.yahoo.com (web58011.mail.re3.yahoo.com [68.142.236.119])
	by XXXXXXXXXXXXXXXXXXX (8.12.11.20060308/8.12.11) with SMTP id l0TGMNhx018076
	for <XXXXXXXXXXXXXXXXXXXX>; Mon, 29 Jan 2007 10:22:25 -0600
Received: (qmail 96988 invoked by uid 60001); 29 Jan 2007 16:22:28 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID;
 
b=QtlZicUefe6otxmKuLou6iEDrwyYOkBFvYbNB+yDwUf5En855F2aTUWiBefZYGF7/cxa4Ffm9IV2tbG4U4cTHgwSYuqAf8vrKcc7yqn1dNQjpPrYILgDOoEBRlH/wm4JoQ7Qdb1pak3pIvjKSg/5jm9LZWpK5Y+HNziJCrfrVCs=;
X-YMail-OSG:
tJGQyMAVM1lm83K8oq_QNfdePe4z_3rCfhTDYHSBztbAFOutHBpv8IO_TcVFLwed0j9FX45jy6Eq0Nw1PB5o5nMCwjtlDAax2h73lpquog--
Received: from [XXXXXXXXXXXXX] by web58011.mail.re3.yahoo.com via HTTP; Mon, 29 Jan 2007
08:22:28 PST
X-Mailer: YahooMailRC/368.3 YahooMailWebService/0.6.132.7
Date: Mon, 29 Jan 2007 08:22:28 -0800 (PST)
From: Rob Freeman <XXXXXXXXX at yahoo.com>
Subject: test 6
To: XXXXXXXXXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1342646654-1170087748=:92000"
Message-ID: <324593.92000.qm at web58011.mail.re3.yahoo.com>
-------------- next part --------------
deny	pretty\s+park\.exe$	"Pretty Park" virus								"Pretty Park" virus
deny	happy99\.exe$		"Happy" virus									"Happy" virus
deny	\.com$		Windows/DOS Executable								Executable DOS/Windows programs are dangerous in email
deny	\.exe$		Windows/DOS Executable								Executable DOS/Windows programs are dangerous in email
-------------- next part --------------
deny	executable	No executables		No programs allowed
deny	ELF		No executables		No programs allowed
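
Added example (not part of the original post and not MailScanner's own code): a small Python check for the two things asked about in the quoted reply, TAB field separators and stray "allow" lines that match an executable name. It assumes four TAB-separated fields per rule, as in the attached excerpts, and case-insensitive matching; Python's `re` stands in for Perl's regex engine, and `lint_rules`, `SAMPLE` and the probe filename are hypothetical names.

```python
import re

# Constructed sample in the layout of the attached excerpts:
# action <TAB> regex <TAB> log text <TAB> report text (runs of TABs allowed).
SAMPLE = (
    "# constructed sample, not the poster's file\n"
    "allow\t\\.exe$\t-\t-\n"                               # stray allow rule
    "deny    \\.scr$    Screensaver    No screensavers\n"  # spaces, not TABs
    "deny\tpretty\\s+park\\.exe$\t\"Pretty Park\" virus\t\t\"Pretty Park\" virus\n"
    "deny\t\\.exe$\tWindows/DOS Executable\t\t\tExecutable DOS/Windows programs are dangerous in email\n"
)


def lint_rules(text, probe="test.exe"):
    """Return (malformed_lines, allow_lines_matching_probe) as line numbers."""
    malformed, allows = [], []
    for num, line in enumerate(text.splitlines(), 1):
        # Skip blank lines and comments.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Fields must be separated by TABs; a run of TABs counts as one separator.
        fields = [f for f in re.split(r"\t+", line.strip()) if f]
        if len(fields) != 4:
            malformed.append(num)  # typically spaces used instead of TABs
            continue
        action, pattern = fields[0].lower(), fields[1]
        try:
            # Assumption: patterns are matched case-insensitively.
            rx = re.compile(pattern, re.IGNORECASE)
        except re.error:
            malformed.append(num)  # pattern does not compile
            continue
        if action.startswith("allow") and rx.search(probe):
            allows.append(num)     # an allow rule that lets the probe through
    return malformed, allows


if __name__ == "__main__":
    bad, allowed = lint_rules(SAMPLE)
    print("lines without four TAB-separated fields:", bad)
    print("allow lines matching test.exe:", allowed)
```

To run it against a real file, pass `open("/etc/MailScanner/filename.rules.conf").read()` as `text` and the name of the attachment that slipped through as `probe`.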

