File Type Check Problem

Thiago Henrique thenrique at gmail.com
Mon Apr 7 18:21:34 IST 2008


Hi Jules,

I have applied this patch on 2 servers, and the problem is solved,

Thanks...

On Mon, Apr 7, 2008 at 11:46 AM, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:

> Attached is a zip of a new SweepOther.pm (goes in
> /usr/lib/MailScanner/MailScanner) that will solve the problem for you. This
> will be in the next release.
> Sorry!
>
> Jules.
>
> Thiago Henrique wrote:
>
> > Hi Jules,
> >
> > I have changed the rules in filetype.rules.conf to:
> > deny    -      x-dosexec       No DOS executables      No DOS programs allowed
> >
> > But a simple mail with a png attachment is considered a DOS program:
> >
> > Reporte: MailScanner: No DOS programs allowed (powerphplist.png)
> >
> > When I run the file command on the blocked attachment the result is:
> > mail01 1ADE250F95.6ACCF # file -i powerphplist.png
> > powerphplist.png: image/png
> >
> > mail01 1ADE250F95.6ACCF # file powerphplist.png
> > powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced
> >
> >
> > I tried to write a new rule:
> > allow   -               text/plain - permited permited
> >
> > But the mail was blocked again.
> >
> > What is the magic to make it work?
> >
> > On Fri, Apr 4, 2008 at 11:39 AM, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> >
> >    Mike Kercher wrote:
> >    >> -----Original Message-----
> >    >> From: mailscanner-bounces at lists.mailscanner.info
> >    >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> >    >> Julian Field
> >    >> Sent: Thursday, April 03, 2008 3:21 PM
> >    >> To: MailScanner discussion
> >    >> Subject: Re: File Type Check Problem
> >    >>
> >    >>
> >    >>
> >    >> Mike Kercher wrote:
> >    >>
> >    >>
> >    >>> I've been searching and haven't found a resolution for this yet.
> >    >>>
> >    >>> Periodically, we get emails with attachments coming through that are
> >    >>> not being detected properly.  MailScanner reports:
> >    >>>
> >    >>> MailScanner: No programs allowed (msg-10410-101.txt)
> >    >>>
> >    >>>
> >    >>>
> >    >> This is being caught by the filetype trap.
> >    >>
> >    >>
> >    >>> If I go look at the quarantined email in MailWatch and download the
> >    >>> attachment, it is a PDF.
> >    >>>
> >    >>>
> >    >> That may be what the filename says, but what does the "file" command
> >    >> report?
> >    >>
> >    >>
> >    >>>   There was talk of the file -i command switch.
> >    >>> Is this something that needs to be set in MailScanner.conf?
> >    >>>
> >    >>>
> >    >>>
> >    >> No, just read the latest filetype.rules.conf and filename.rules.conf
> >    >> files, the comments at the top of each file tell you how to use it.
> >    >> There is also an example line in filetype.rules.conf for you to copy.
> >    >>
> >    >>
> >    >>
> >    >>> TIA
> >    >>>
> >    >>> Mike
> >    >>>
> >    >>>
> >    >>>
> >    >> Jules
> >    >>
> >    >> --
> >    >>
> >    >> Jules,
> >    >>
> >    >> Running file against the message yields the following:
> >    >>
> >    >> [root at HOUPMS02 m334jSTE009852]# file message
> >    >> message: smtp mail text
> >    >> [root at HOUPMS02 m334jSTE009852]# file -i message
> >    >> message: message/rfc822\011
> >    >>
> >    >> Not quite sure what changing the filetype.rules.conf would do for me
> >    >> here.
> >    >>
> >    >>
> >    > No! I meant you to run the "file" command on the attachment, not the
> >    > message! :-( Funnily enough, when you run it on the message it says it's
> >    > a message :-)
> >    >
> >    > Jules
> >    >
> >    > --------
> >    >
> >    > Sorry about that :)  Here's the output of file run against the
> >    > attachment itself:
> >    >
> >    > [root at HOUPMS01 ~]# file OSC81.pdf
> >    > OSC81.pdf: PDF document, version 1.3
> >    >
> >    > [root at HOUPMS01 ~]# file -i OSC81.pdf
> >    > OSC81.pdf: application/pdf
> >    >
> >    Have just checked your original report, and it wasn't the attachment it
> >    blocked, it was the main message body (hence the "txt" extension with
> >    the unusual filename). Harder to stop that unless you switch from using
> >    the "executable" trap in filetype.rules.conf to a replacement trap using
> >    the MIME type reported by file -i instead (see comments at the start of
> >    filetype.rules.conf).
> >    > Mike
> >    >
> >    >
> >
> >    Jules
> >
> >    - --
> >    Julian Field MEng CITP CEng
> >    www.MailScanner.info
> >    Buy the MailScanner book at www.MailScanner.info/store
> >
> >    Need help customising MailScanner?
> >    Contact me!
> >    Need help fixing or optimising your systems?
> >    Contact me!
> >    Need help getting you started solving new requirements from your boss?
> >    Contact me!
> >
> >    PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >    --
> >    This message has been scanned for viruses and
> >    dangerous content by MailScanner, and is
> >    believed to be clean.
> >
> >    --
> >    MailScanner mailing list
> >    mailscanner at lists.mailscanner.info
> >    http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >    Before posting, read http://wiki.mailscanner.info/posting
> >
> >    Support MailScanner development - buy the book off the website!
> >
> >
> >
> Jules
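
Added example, not part of the original thread and not MailScanner's own code: a small rule evaluator contrasting the two filetype.rules.conf approaches discussed above, a trap matched against the text printed by "file" versus one matched against the MIME type from "file -i". The tab-separated field layout is modelled on the rule quoted in the thread; first-match-wins evaluation, case-insensitive matching, and all rule lines and sample "file" outputs are constructed assumptions.

```python
import re

# Constructed rule sets in the two shapes discussed in the thread. Fields are
# tab-separated: action, pattern for `file` text ("-" = unused), then for the
# MIME form a pattern for `file -i`, then log text and user-report text.
TEXT_RULES = "deny\texecutable\tNo executables\tNo programs allowed\n"
MIME_RULES = "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n"

def parse_rules(conf):
    """Return (action, field, regex, report) tuples, skipping comments."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\t+", line)
        if len(parts) >= 5 and parts[1] == "-":
            field, pattern, report = "mime", parts[2], parts[4]
        elif len(parts) >= 4:
            field, pattern, report = "text", parts[1], parts[3]
        else:
            raise ValueError("malformed rule: %r" % line)
        rules.append((parts[0].lower(), field, re.compile(pattern, re.I), report))
    return rules

def verdict(rules, text, mime):
    """First matching rule wins (assumed); no match means allow."""
    for action, field, regex, report in rules:
        if regex.search(mime if field == "mime" else text):
            return action, report
    return "allow", ""

# Constructed samples: name, `file` output, `file -i` output.
SAMPLES = [
    ("msg-body.txt", "POSIX shell script, ASCII text executable", "text/x-shellscript"),
    ("powerphplist.png", "PNG image data, 70 x 30, 8-bit colormap, non-interlaced", "image/png"),
    ("OSC81.pdf", "PDF document, version 1.3", "application/pdf"),
    ("setup.exe", "PE32 executable (GUI) Intel 80386, for MS Windows", "application/x-dosexec"),
]

def compare():
    """Map each sample name to (text-rule action, MIME-rule action)."""
    text_rules, mime_rules = parse_rules(TEXT_RULES), parse_rules(MIME_RULES)
    return {name: (verdict(text_rules, text, mime)[0], verdict(mime_rules, text, mime)[0])
            for name, text, mime in SAMPLES}

if __name__ == "__main__":
    for name, (by_text, by_mime) in compare().items():
        print("%-18s text rule: %-5s  MIME rule: %s" % (name, by_text, by_mime))
```

The text rule denies the script-like message body because the word "executable" appears in its description, while the MIME rule denies only the sample whose type contains x-dosexec; anything the MIME pattern does not name is allowed.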