bug in Mailscanner 4.60.8-1?

Glenn Steen glenn.steen at gmail.com
Mon Jun 25 10:29:13 IST 2007


On 25/06/07, Jorge Costinha <jlcostinha at halla.pt> wrote:
> thanks a lot.
>
> allow me another question, are there any drawbacks of doing that?

That is more philosophical than technical:-).
One answer is: Not really. COM files are not that common, any more,
most attack vectors are covered by your AV(s)... And they are a prime
example of a really bad magic for detecting a file type... When
interpreted by a human, that's not really a problem, it only becomes a
problem when used in MS.
Edit away...;-)

> TIA
>
> Jorge.
>
> ajs at vifilfell.is wrote:
> > sure.
> >
> > on gentoo you'll find the 'magic' file in '/usr/share/misc/file/magic'.
> > on red hat it's located at '/usr/share/file/magic'.
> > change to the appropriate directory. open the file with an editor and look
> > for this line :
> >
> >         0      byte            0xe9            MS-DOS executable (COM)
> >
> > 0xe9 is hex for 'É'. just comment it out. then compile the file with the
> > command :
> >
> >         file -C
> >
> > cheers, asgeir.
> >
> > Jorge Costinha <jlcostinha at halla.pt>
> > Sent by: mailscanner-bounces at lists.mailscanner.info
> > 22.06.2007 15:42
> > Please respond to: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > Subject: Re: bug in Mailscanner 4.60.8-1?
> >
> > can you be a little more specific?
> >
> > thanks
> > Jorge.
> >
> > ajs at vifilfell.is wrote:
> >
> >> this has actually nothing to do with mailscanner.
> >>
> >> this is related to the 'file' command. you have to locate and edit a file
> >> called 'magic' and then recompile it to 'magic.mgc'.
> >>
> >> cheers, asgeir.
> >>
> >> Jorge Costinha <jlcostinha at halla.pt>
> >> Sent by: mailscanner-bounces at lists.mailscanner.info
> >> 22.06.2007 14:34
> >> Please respond to: MailScanner discussion <mailscanner at lists.mailscanner.info>
> >> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> >> Subject: Re: bug in Mailscanner 4.60.8-1?
> >>
> >> i mean the character:   é
> >>
> >>
> >>
> >> Jorge Costinha wrote:
> >>
> >>
> >>> this is so bizarre!
> >>>
> >>> if i send the simplest mail there is with only 1 character, the
> >>> character: _*é*_   , no attachments at all. somehow it matches the
> >>> filetype EXE/COM rules and i get the usual bounce back:
> >>>
> >>>
> >>> "Warning: This message has had one or more attachments removed
> >>> Warning: (the entire message).
> >>> Warning: Please read the "HCC-mx-Attachment-Warning.txt" attachment(s)
> >>> for more information.
> >>>
> >>> This is a message from the MailScanner E-Mail Virus Protection Service
> >>> ----------------------------------------------------------------------
> >>> The original e-mail attachment "the entire message"
> >>> is on the list of unacceptable attachments for this site and has been
> >>> replaced by this warning message.
> >>>
> >>> If you wish to receive a copy of the original attachment, please
> >>> e-mail helpdesk and include the whole of this message
> >>> in your request. Alternatively, you can call them, with
> >>> the contents of this message to hand when you call.
> >>>
> >>> At Fri Jun 22 11:43:32 2007 the virus scanner said:
> >>> MailScanner: No programs allowed (msg-18164-12.txt)
> >>>
> >>> Note to Help Desk: Look on the HCC-mx (mx.halla.pt) MailScanner in
> >>> /var/spool/MailScanner/quarantine/20070622 (message l5MAhVa5021067).
> >>> "
> >>>
> >>> thank you,
> >>> Jorge


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
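
Added example, not part of the original thread and not MailScanner or `file` code: it emulates the single-byte rule `0 byte 0xe9` quoted above and shows why a body containing only "é" matches it. It assumes the mail was sent in a single-byte charset such as ISO-8859-1; the function names, the sample buffers and the text cross-check are constructed for illustration.

```python
COM_MAGIC = 0xE9  # from the quoted magic line: offset 0, type byte, value 0xe9


def one_byte_com_rule(data: bytes) -> bool:
    """Emulate the magic entry: true when the first byte is 0xe9."""
    return len(data) > 0 and data[0] == COM_MAGIC


def looks_like_text(data: bytes, charset: str) -> bool:
    """Assumed cross-check: the buffer decodes in the declared charset
    to printable characters and ordinary line whitespace only."""
    try:
        text = data.decode(charset)
    except (UnicodeDecodeError, LookupError):
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def classify(data: bytes, charset: str) -> str:
    """Combine the one-byte rule with the text cross-check."""
    if not one_byte_com_rule(data):
        return "no COM match"
    if looks_like_text(data, charset):
        return "text (one-byte magic false positive)"
    return "possible COM"


# Constructed sample inputs.
LATIN1_BODY = "é\n".encode("iso-8859-1")   # b'\xe9\n': first byte is 0xe9
UTF8_BODY = "é\n".encode("utf-8")          # b'\xc3\xa9\n': first byte is 0xc3
# 0xE9 is also the x86 near-JMP opcode, which is why COM files often start with it.
COM_LIKE = bytes([0xE9, 0x03, 0x00, 0x00, 0x01, 0x02, 0xCD, 0x21])

if __name__ == "__main__":
    for name, buf, cs in [
        ("latin-1 body", LATIN1_BODY, "iso-8859-1"),
        ("utf-8 body", UTF8_BODY, "utf-8"),
        ("COM-like bytes", COM_LIKE, "iso-8859-1"),
    ]:
        print(f"{name:15} first byte 0x{buf[0]:02x} -> {classify(buf, cs)}")
```
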

