File Type Check Problem
Thiago Henrique
thenrique at gmail.com
Mon Apr 7 13:32:15 IST 2008
Hi Jules,
I have changed the rules in filetype.rules.conf to:
deny - x-dosexec No DOS executables No DOS programs allowed
But a simple mail with a PNG attachment is considered a DOS program:
Reporte: MailScanner: No DOS programs allowed (powerphplist.png)
When I run the file command on the blocked attachment, the result is:
mail01 1ADE250F95.6ACCF # file -i powerphplist.png
powerphplist.png: image/png
mail01 1ADE250F95.6ACCF # file powerphplist.png
powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced
I tried to write a new rule:
allow - text/plain - permited permited
But the mail was blocked again.
What is the magic to make it work?
On Fri, Apr 4, 2008 at 11:39 AM, Julian Field <MailScanner at ecs.soton.ac.uk>
wrote:
>
> Mike Kercher wrote:
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> >> Julian Field
> >> Sent: Thursday, April 03, 2008 3:21 PM
> >> To: MailScanner discussion
> >> Subject: Re: File Type Check Problem
> >>
> >>
> >>
> >> Mike Kercher wrote:
> >>
> >>
> >>> I've been searching and haven't found a resolution for this yet.
> >>>
> >>> Periodically, we get emails with attachments coming through that are
> >>> not being detected properly. MailScanner reports:
> >>>
> >>> MailScanner: No programs allowed (msg-10410-101.txt)
> >>>
> >>>
> >>>
> >> This is being caught by the filetype trap.
> >>
> >>
> >>> If I go look at the quarantined email in MailWatch and download the
> >>> attachment, it is a PDF.
> >>>
> >>>
> >> That may be what the filename says, but what does the "file" command
> >> report?
> >>
> >>
> >>> There was talk of the file -i command switch.
> >>> Is this something that needs to be set in MailScanner.conf?
> >>>
> >>>
> >>>
> >> No, just read the latest filetype.rules.conf and filename.rules.conf
> >> files, the comments at the top of each file tell you how to use it.
> >> There is also an example line in filetype.rules.conf for you to copy.
> >>
> >>
> >>
> >>> TIA
> >>>
> >>> Mike
> >>>
> >>>
> >>>
> >> Jules
> >>
> >> --
> >>
> >> Jules,
> >>
> >> Running file against the message yields the following:
> >>
> >> [root at HOUPMS02 m334jSTE009852]# file message
> >> message: smtp mail text
> >> [root at HOUPMS02 m334jSTE009852]# file -i message
> >> message: message/rfc822\011
> >>
> >> Not quite sure what changing the filetype.rules.conf would do for me
> >> here.
> >>
> >>
> > No! I meant you to run the "file" command on the attachment, not the
> > message! :-( Funnily enough, when you run it on the message it says it's
> > a message :-)
> >
> > Jules
> >
> > --------
> >
> > Sorry about that :) Here's the output of file run against the
> > attachment itself:
> >
> > [root at HOUPMS01 ~]# file OSC81.pdf
> > OSC81.pdf: PDF document, version 1.3
> >
> > [root at HOUPMS01 ~]# file -i OSC81.pdf
> > OSC81.pdf: application/pdf
> >
> Have just checked your original report, and it wasn't the attachment it
> blocked, it was the main message body (hence the "txt" extension with
> the unusual filename). Harder to stop that unless you switch from using
> the "executable" trap in filetype.rules.conf to a replacement trap using
> the MIME type reported by file -i instead (see comments at the start of
> filetype.rules.conf).
> > Mike
> >
> >
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654