File Type Check Problem

Julian Field MailScanner at ecs.soton.ac.uk
Mon Apr 7 15:46:49 IST 2008


Attached is a zip of a new SweepOther.pm (goes in 
/usr/lib/MailScanner/MailScanner) that will solve the problem for you. 
This will be in the next release.
Sorry!

Jules.

Thiago Henrique wrote:
> Hi Jules,
>
> I have changed the rules in filetype.rules.conf to:
> deny    -      x-dosexec       No DOS executables      No DOS programs allowed
>
> But a simple mail with a PNG attachment is considered a DOS program:
>
> Reporte: MailScanner: No DOS programs allowed (powerphplist.png)
>
> When I run the file command on the blocked attachment the result is:
> mail01 1ADE250F95.6ACCF # file -i powerphplist.png
> powerphplist.png: image/png
>
> mail01 1ADE250F95.6ACCF # file powerphplist.png
> powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced
>
>
> I tried to write a new rule:
> allow   -               text/plain - permited permited
>
> But the mail was blocked again.
>
> What is the magic to make it work?
>
> On Fri, Apr 4, 2008 at 11:39 AM, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>     Mike Kercher wrote:
>     >> -----Original Message-----
>     >> From: mailscanner-bounces at lists.mailscanner.info
>     >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
>     >> Julian Field
>     >> Sent: Thursday, April 03, 2008 3:21 PM
>     >> To: MailScanner discussion
>     >> Subject: Re: File Type Check Problem
>     >>
>     >>
>     >>
>     >> Mike Kercher wrote:
>     >>
>     >>
>     >>> I've been searching and haven't found a resolution for this yet.
>     >>>
>     >>> Periodically, we get emails with attachments coming through that are
>     >>> not being detected properly.  MailScanner reports:
>     >>>
>     >>> MailScanner: No programs allowed (msg-10410-101.txt)
>     >>>
>     >>>
>     >>>
>     >> This is being caught by the filetype trap.
>     >>
>     >>
>     >>> If I go look at the quarantined email in MailWatch and download the
>     >>> attachment, it is a PDF.
>     >>>
>     >>>
>     >> That may be what the filename says, but what does the "file" command
>     >> report?
>     >>
>     >>
>     >>>   There was talk of the file -i command switch.
>     >>> Is this something that needs to be set in MailScanner.conf?
>     >>>
>     >>>
>     >>>
>     >> No, just read the latest filetype.rules.conf and filename.rules.conf
>     >> files, the comments at the top of each file tell you how to use it.
>     >> There is also an example line in filetype.rules.conf for you to copy.
>     >>
>     >>
>     >>
>     >>> TIA
>     >>>
>     >>> Mike
>     >>>
>     >>>
>     >>>
>     >> Jules
>     >>
>     >> --
>     >>
>     >> Jules,
>     >>
>     >> Running file against the message yields the following:
>     >>
>     >> [root at HOUPMS02 m334jSTE009852]# file message
>     >> message: smtp mail text
>     >> [root at HOUPMS02 m334jSTE009852]# file -i message
>     >> message: message/rfc822\011
>     >>
>     >> Not quite sure what changing the filetype.rules.conf would do for me
>     >> here.
>     >>
>     >>
>     > No! I meant you to run the "file" command on the attachment, not the
>     > message! :-( Funnily enough, when you run it on the message it says it's
>     > a message :-)
>     >
>     > Jules
>     >
>     > --------
>     >
>     > Sorry about that :)  Here's the output of file run against the
>     > attachment itself:
>     >
>     > [root at HOUPMS01 ~]# file OSC81.pdf
>     > OSC81.pdf: PDF document, version 1.3
>     >
>     > [root at HOUPMS01 ~]# file -i OSC81.pdf
>     > OSC81.pdf: application/pdf
>     >
>     Have just checked your original report, and it wasn't the attachment it
>     blocked, it was the main message body (hence the "txt" extension with
>     the unusual filename). Harder to stop that unless you switch from using
>     the "executable" trap in filetype.rules.conf to a replacement trap using
>     the MIME type reported by file -i instead (see comments at the start of
>     filetype.rules.conf).
>     > Mike
>     >
>     >
>
>     Jules
>
>     - --
>     Julian Field MEng CITP CEng
>     www.MailScanner.info
>     Buy the MailScanner book at www.MailScanner.info/store
>
>     Need help customising MailScanner?
>     Contact me!
>     Need help fixing or optimising your systems?
>     Contact me!
>     Need help getting you started solving new requirements from your boss?
>     Contact me!
>
>     PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

Jules


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepOther.pm.zip
Type: application/x-zip-compressed
Size: 6325 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/ad7c827d/SweepOther.pm.bin
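
An added example, not part of the original thread and not MailScanner's code: a simplified Python model of the two traps contrasted above, a regex on the `file` description versus a regex on the `file -i` MIME type, run over the outputs quoted in the thread. The first-match-wins evaluation, the default allow, the meaning of "-", the log text of the "executable" rule and the last two sample rows are assumptions made for illustration.

```python
import re

# Constructed rules in the 5-field, tab-separated layout quoted in the thread:
# action, regex on `file` text, regex on `file -i` MIME type, log text, report.
# "-" means "column not used" (an assumption of this model).
TEXT_TRAP = ["deny\texecutable\t-\tNo executables\tNo programs allowed"]
MIME_TRAP = ["deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed"]

# name: (`file` output, `file -i` output). The first three rows are copied
# from the thread; the last two are constructed for illustration.
SAMPLES = {
    "powerphplist.png": ("PNG image data, 70 x 30, 8-bit colormap, non-interlaced",
                         "image/png"),
    "OSC81.pdf": ("PDF document, version 1.3", "application/pdf"),
    "message": ("smtp mail text", "message/rfc822"),
    "body.txt": ("POSIX shell script text executable", "text/x-shellscript"),
    "setup.exe": ("PE32 executable (GUI) Intel 80386, for MS Windows",
                  "application/x-dosexec"),
}

def column_matches(pattern, value):
    """A column matches when it is unused ("-") or its regex is found."""
    return pattern == "-" or re.search(pattern, value, re.IGNORECASE) is not None

def verdict(rules, file_text, mime_type):
    """Return (action, report) of the first matching rule; default is allow."""
    for line in rules:
        action, file_re, mime_re, _log, report = line.split("\t")
        if column_matches(file_re, file_text) and column_matches(mime_re, mime_type):
            return action, report
    return "allow", ""

def compare():
    """Map each sample to (action under TEXT_TRAP, action under MIME_TRAP)."""
    return {name: (verdict(TEXT_TRAP, *out)[0], verdict(MIME_TRAP, *out)[0])
            for name, out in SAMPLES.items()}

if __name__ == "__main__":
    for name, (text_action, mime_action) in compare().items():
        print(f"{name:18} text-trap={text_action:5} mime-trap={mime_action}")
```

In this model the plain-text body whose description ends in "executable" is the only sample on which the two traps disagree. The MIME rule shown covers only x-dosexec, so any other type that should be blocked needs its own rule.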

