Russian Text = Executable?

Richard Bollinger rabollinger at gmail.com
Thu Jul 2 17:06:16 IST 2009


Running MailScanner version 4.74.16, file-5.03

When our Russian employee attempts to email his associates, the text
portion of his email is interpreted by the file command as
    msg-15166-15.txt: DOS executable (COM)
# grep msg-15166-15 /var/adm/maillog
Jul  2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing
n62Cd5xN017134 msg-15166-15.txt
Jul  2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No
executables (n62Cd5xN017134 msg-15166-15.txt)
Jul  2 08:41:01 ls04 MailScanner[15166]: Saved infected
"msg-15166-15.txt" to
/var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134

Fine... I read the mailing list notes and docs which say file -i
should work better... and it does:
    msg-15166-15.txt: text/plain; charset=iso-8859-1

So I inserted a rule to match that in filetype.rules.conf like so:
--- filetype.rules.conf.FCS     2008-03-12 05:50:04.000000000 -0400
+++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400
@@ -18,6 +18,7 @@
 allow  \bscript        -                       -
 allow  archive         -                       -
 allow  postscript      -                       -
+allow  -       iso-8859-1      -       -
 deny   self-extract    No self-extracting archives     No
self-extracting archives allowed
 deny   executable      No executables          No programs allowed
 #EXAMPLE: deny -       x-dosexec       No DOS executables      No DOS
programs allowed
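Review bot: the added `allow  -       iso-8859-1      -       -` line has a `-` in the filetype column, so it only takes part in the MIME (`file -i`) pass and cannot override a deny from the plain `file` pass; the second maillog excerpt shows exactly that, with "Filetype Checks: No executables" logged before "Filetype Mime Checks: Allowing" and the message still quarantined. The regexp is also broader than the output it is meant to match: `iso-8859-1` matches any `file -i` result containing that charset, not only `text/plain; charset=iso-8859-1`, so `text/plain.*iso-8859-1` would be the narrower pattern, even though narrowing it does not change the outcome of the filetype pass.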

But apparently MIME rules in the filetype.rules.conf files aren't
really checked in order as one might expect... so it's still getting
blocked:
# grep msg-25147-33 /var/adm/maillog
Jul  2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing
n62EqVIg027437 msg-25147-33.txt
Jul  2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No
executables (n62EqVIg027437 msg-25147-33.txt)
Jul  2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks:
Allowing n62EqVIg027437 msg-25147-33.txt
Jul  2 10:52:38 ls04 MailScanner[25147]: Saved infected
"msg-25147-33.txt" to
/var/spool/MailScanner/quarantine/20090702/n62EqVIg027437

So, do we have to drop the filetype rule for executables and go with
the MIME rules only?  That doesn't seem to detect all executable
formats, often coming up with
application/octet-stream; charset=binary, which is pretty generic,
instead of executable.

Suggestions?
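As an added illustration (not from the post and not MailScanner's own code), a small Python model of how the rules from the diff are applied. The column layout follows the diff (a "-" in column two makes column three a `file -i` regexp); the two independent passes and "a deny in either pass quarantines" are inferred from the second maillog excerpt, not from MailScanner's source, so treat that as an assumption.

```python
import re

# Constructed copy of the rules from the post's diff, with the wrapped
# lines joined back together (MailScanner 4.7x filetype.rules.conf syntax).
RULES_CONF = """\
allow  \\bscript        -                       -
allow  archive         -                       -
allow  postscript      -                       -
allow  -       iso-8859-1      -       -
deny   self-extract    No self-extracting archives     No self-extracting archives allowed
deny   executable      No executables          No programs allowed
"""


def parse_rules(text):
    """Split the file into (filetype_rules, mime_rules); each entry is
    (action, compiled regexp, log/user text). A "-" in column two means
    column three is a regexp against `file -i` output."""
    ftype, mime = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        action = fields[0].lower()
        if fields[1] == "-":
            mime.append((action, re.compile(fields[2], re.I), " ".join(fields[3:])))
        else:
            ftype.append((action, re.compile(fields[1], re.I), " ".join(fields[2:])))
    return ftype, mime


def first_match(rules, output):
    """The first rule whose regexp matches decides; no match means allow."""
    for action, rx, logtext in rules:
        if rx.search(output):
            return action, logtext
    return "allow", "no rule matched"


def check_attachment(rules_text, file_output, file_i_output):
    """Assumed model: the `file` pass and the `file -i` pass are decided
    separately, and a deny from either one quarantines the message."""
    ftype, mime = parse_rules(rules_text)
    ft_action, ft_log = first_match(ftype, file_output)
    mime_action, mime_log = first_match(mime, file_i_output)
    verdict = "deny" if "deny" in (ft_action, mime_action) else "allow"
    return {"filetype": (ft_action, ft_log), "mime": (mime_action, mime_log), "verdict": verdict}


if __name__ == "__main__":
    # The two outputs quoted in the post for the Russian-text attachment.
    print(check_attachment(RULES_CONF, "DOS executable (COM)", "text/plain; charset=iso-8859-1"))
```

Run as-is, the filetype pass denies on `executable`, the MIME pass allows on `iso-8859-1`, and the verdict is still deny, matching the "Saved infected" log line.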
