Checking of "file -i" mime types of attachments

Julian Field MailScanner at ecs.soton.ac.uk
Sat Jan 12 18:49:34 GMT 2008


I couldn't find the original thread, sorry.

I have implemented an extension to the "filetype.rules.conf" file, where 
you can now specify an extra field just after the string that says what 
file type output you are looking for. So instead of

allow    text        -            -
deny    executable    No executables        No programs allowed

you can now add an extra field like this:

allow   -   text/plain   -   -
deny   executable   application/.*exec   No executables   No programs allowed

This 5th field is optional, and specifies a regular expression which is 
matched against the MIME type as determined by the "file -i" command.

If it is never specified, then the "file -i" command will never be run 
on your message attachments so there is no appreciable overhead on the 
speed of MailScanner caused by this new feature.

If the "mime type" *and* the filetype fields are both specified (and are 
not "-") then either matching will cause the rule to fire. In a "deny" 
rule like the example above, then *either* test firing will cause the 
attachment to be blocked. In an "allow" rule then *both* of the tests 
must pass to cause the attachment to be allowed and hence no more rules 
to be checked. This sounds a bit odd but actually ends up doing pretty 
much what you expect it to. I'm sure you'll let me know if I'm wrong 
there :-)

There are also 3 new configuration settings to complete this:
    Log Permitted File MIME Types = no
    Allow File MIME Types =
    Deny File MIME Types =
which work just like their non-MIME brethren.

The aim of all this is to stop the false alarms caused by text files 
starting with the word "free", and various problems with languages other 
than English causing the "DOS executable" trap to fire when given 
certain plain text files.

Is this a good enough solution to the problem?

I have just released a new beta containing this new feature, 4.67.3.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
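
The rule semantics described in the message above, as an added example that is not part of the original post and is not MailScanner's own code. It assumes tab-separated fields, "-" meaning "not specified", and case-insensitive regex matching; parse_rules and check are hypothetical names, and the sample "file" outputs used with it are constructed.

```python
import re

# Constructed rule set in the five-field form described above
# (assumption: fields are tab-separated; "-" means "not specified").
RULES = (
    "allow\t-\ttext/plain\t-\t-\n"
    "deny\texecutable\tapplication/.*exec\tNo executables\tNo programs allowed\n"
)

def parse_rules(text):
    """Return a list of (action, filetype_re, mime_re, log_text, user_text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) == 4:              # old form without the MIME field
            fields.insert(2, "-")
        if len(fields) != 5 or fields[0] not in ("allow", "deny"):
            raise ValueError("bad rule: %r" % line)
        rules.append(tuple(fields))
    return rules

def check(rules, file_desc, mime_type):
    """First rule that fires decides: returns (action, log_text) or None.

    file_desc stands for the output of "file", mime_type for "file -i".
    """
    for action, ftype, mime, log_text, _user_text in rules:
        tests = []
        if ftype != "-":
            tests.append(re.search(ftype, file_desc, re.I) is not None)
        if mime != "-":
            tests.append(re.search(mime, mime_type, re.I) is not None)
        if not tests:
            continue  # assumption: a rule with neither field set never fires
        # deny: either test firing blocks; allow: every specified test must pass
        fired = any(tests) if action == "deny" else all(tests)
        if fired:
            return action, log_text
    return None  # no rule fired; the message does not state the default
```

With the two rules in this order, a plain text file that "file" mislabels as a DOS executable but "file -i" reports as text/plain is released by the allow rule before the deny rule is reached. If the allow rule also names a file type (for example "text"), both tests must pass, so the same attachment falls through to the deny rule.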
