mailscanner occasionally denying certain blackberry emails
Glenn Steen
glenn.steen at gmail.com
Mon Jul 23 16:37:10 IST 2007
On 23/07/07, Daniel Maher <daniel.maher at ubisoft.com> wrote:
>
> > > I have a situation where MailScanner will occasionally block attachments in
> > > emails generated by the Blackberry service. Normally the attachments are
> > > not blocked, but every once in a while, it gets replaced with the "Warning:
> > > This message has had one or more attachments removed..." message. The name of
> > > the attachment, in every instance, is "ETP.DAT", which shouldn't trigger
> > > filename rules (and, indeed, normally doesn't).
> > >
> > Look closely at what it really says and you'll find that the binary
> > file ETP.DAT (that is also attached as an ascii armored thing ...
> > stupid, is what it all is...) will sometimes "aggravate" your file
> > command, specifically MS-DOS Executable "magic" patterns of one (1)
> > byte. Simply remove these from your magic file (edit the text variant,
> > use the file command to "recompile" it), and you'll be fine.
> >
> > Cheers
>
> Thanks for the reply. Unfortunately, I'm not entirely sure I should be removing the magic data you're referring to. To wit:
>
> [user at mailserver file]# grep MS-DOS magic
(snip)
> #0 byte 0xe9 MS-DOS executable (COM)
> #0 byte 0x8c MS-DOS executable (COM)
> #0 byte 0xeb MS-DOS executable (COM)
> #0 byte 0xb8 MS-DOS executable (COM)
> 0 string LZ MS-DOS executable (built-in)
> #0 byte 0xf0 MS-DOS program library data
>
> If I comment out the (three) active 1-byte MS-DOS lines, won't file lose its ability to detect MS-DOS executables altogether? This is not a desired behaviour. :/
>
The "bad magic" I was getting at were the above ones (quite a bit too
... opportunistic:-)... And indeed, in a newer version of file (that I
happen to have on my latest install), they aren't even there (so one
needn't remove them/comment them, as you obviously already have
done:-).

If you run file on one of the offenders (the actual, quarantined, file
ETP.DAT), what does it say about it?

> Would it not be possible to write some sort of MailScanner rule that would exempt files named "ETP.DAT", and coming from the Blackberry service, from being analysed with file?
>
Oh yes, you could have a ruleset for *.blackberry.net on Filetype
Rules .... the result would be a file that more or less said "allow"
to everything:-). Best would be to do this "whitelist" on IP
addresses, but... so far, I haven't been able to get a limited
possible set of addresses/address ranges out of the BB people:-(.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
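
An added example, not part of the original thread: a small Python model of the magic entries quoted above, showing why one-byte "MS-DOS executable" patterns flag opaque binary attachments only occasionally. It assumes a simplified magic syntax (only `byte` and `string` tests at a fixed offset), treats the first bytes of the attachment as uniformly random, and uses a constructed sample payload rather than a real ETP.DAT.

```python
# Magic entries as quoted in the thread; a leading '#' means the entry is
# commented out and would be ignored by file(1).
MAGIC_LINES = """\
#0 byte 0xe9 MS-DOS executable (COM)
#0 byte 0x8c MS-DOS executable (COM)
#0 byte 0xeb MS-DOS executable (COM)
#0 byte 0xb8 MS-DOS executable (COM)
0 string LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
"""

def parse_magic(text, include_commented=False):
    """Parse 'offset type value description' lines into (offset, pattern, desc)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("#") and not include_commented:
            continue
        parts = line.lstrip("#").split(None, 3)
        if len(parts) < 4:
            continue
        offset, kind, value, desc = parts
        if kind == "byte":
            pattern = bytes([int(value, 0)])
        elif kind == "string":
            pattern = value.encode("latin-1")
        else:
            continue  # other test types are outside this simplified model
        rules.append((int(offset), pattern, desc))
    return rules

def classify(data, rules):
    """Return the description of the first matching rule, or None."""
    for offset, pattern, desc in rules:
        if data[offset:offset + len(pattern)] == pattern:
            return desc
    return None

def executable_hit_rate(rules):
    """Share of all 65536 two-byte prefixes reported as some 'executable'."""
    hits = 0
    for a in range(256):
        for b in range(256):
            desc = classify(bytes([a, b]), rules)
            hits += bool(desc and "executable" in desc)
    return hits / 65536

if __name__ == "__main__":
    sample = b"\xeb\x10\x00\x01"  # constructed payload, not a real ETP.DAT
    for label, flag in (("active only", False), ("1-byte rules enabled", True)):
        rules = parse_magic(MAGIC_LINES, include_commented=flag)
        print(label, classify(sample, rules), f"{executable_hit_rate(rules):.4%}")
```

With the one-byte entries enabled, roughly 1.6% of random payloads are labelled as MS-DOS executables under this model; with only the two-byte `LZ` entry the rate drops to 1 in 65536.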