Russian Text = Executable?
Glenn Steen
glenn.steen at gmail.com
Fri Jul 3 09:01:25 IST 2009
2009/7/2 Richard Bollinger <rabollinger at gmail.com>:
> Running MailScanner version 4.74.16, file-5.03
>
> When our Russian employee attempts to email his associates, the text
> portion of his email is interpreted by the file command as
> msg-15166-15.txt: DOS executable (COM)
> # grep msg-15166-15 /var/adm/maillog
> Jul 2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing
> n62Cd5xN017134 msg-15166-15.txt
> Jul 2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No
> executables (n62Cd5xN017134 msg-15166-15.txt)
> Jul 2 08:41:01 ls04 MailScanner[15166]: Saved infected
> "msg-15166-15.txt" to
> /var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134
>
> Fine... I read the mailing list notes and docs which say file -i
> should work better... and it does:
> msg-15166-15.txt: text/plain; charset=iso-8859-1
>
> So I inserted a rule to match that in filetype.rules.conf like so
> --- filetype.rules.conf.FCS 2008-03-12 05:50:04.000000000 -0400
> +++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400
> @@ -18,6 +18,7 @@
> allow \bscript - -
> allow archive - -
> allow postscript - -
> +allow - iso-8859-1 - -
> deny self-extract No self-extracting archives No
> self-extracting archives allowed
> deny executable No executables No programs allowed
> #EXAMPLE: deny - x-dosexec No DOS executables No DOS
> programs allowed
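Review bot: `allow - iso-8859-1 - -` keys on the charset rather than the MIME type, so any part whose `file -i` output contains `iso-8859-1` is allowed by the MIME column, not only plain text; matching `text/plain` would be the narrower test. More importantly, the log excerpt further down shows `Filetype Checks: No executables` firing before `Filetype Mime Checks: Allowing` and the part still being quarantined, so an allow in the MIME column does not override a deny from the filetype column; the deny has to be avoided at the `file` output stage (a magic without the one-byte COM test, or running the filetype check on `file -i` output) rather than patched over with a MIME allow.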
>
> But apparently MIME rules in the filetype.rules.conf files aren't
> really checked in order as one might expect... so it's still getting
> blocked:
> # grep msg-25147-33 /var/adm/maillog
> Jul 2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing
> n62EqVIg027437 msg-25147-33.txt
> Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No
> executables (n62EqVIg027437 msg-25147-33.txt)
> Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks:
> Allowing n62EqVIg027437 msg-25147-33.txt
> Jul 2 10:52:38 ls04 MailScanner[25147]: Saved infected
> "msg-25147-33.txt" to
> /var/spool/MailScanner/quarantine/20090702/n62EqVIg027437
>
> So, do we have to drop the filetype rule for executables and go with
> the MIME rules only? That doesn't seem to detect all executable
> formats, often coming up with
> application/octet-stream; charset=binary, which is pretty generic,
> instead of executable.
>
> Suggestions?
A) replace your file package with one where the overoptimistic
one-byte magics aren't present (if available, that is).
B) Edit your magic file(s) and manually remove/comment the offending
magic lines, then "recompile" it with "file -C".
C) Switch to file -i
Dreary, but ... there it is.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
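An added example, not code from the thread, from MailScanner or from file(1): a small Python model of the behaviour Richard's log shows (a deny from the filetype column wins even when the MIME column allows the part) and of Glenn's options B and C. The one-byte COM tests, the rule evaluation order, the `file -i` stand-in and the sample inputs are all assumptions constructed for the example.

```python
import re

# Assumed one-byte tests of the kind file(1) has used for COM programs (a COM
# file commonly begins with a jmp opcode). Constructed for this example, not
# copied from any particular magic file.
COM_FIRST_BYTES = {0xE9, 0xEB}

# Rules in the shape of filetype.rules.conf: (action, filetype regex, MIME regex).
# "-" means "no test in this column", as in the #EXAMPLE line in the thread.
RULES = [
    ("allow", r"\bscript", "-"),
    ("allow", "archive", "-"),
    ("allow", "postscript", "-"),
    ("allow", "-", "iso-8859-1"),   # the line the poster added
    ("deny", "self-extract", "-"),
    ("deny", "executable", "-"),
]


def looks_like_8bit_text(data: bytes) -> bool:
    """True if every byte is printable or whitespace in some 8-bit charset."""
    return all(b >= 0x20 or b in b"\t\r\n" for b in data)


def one_byte_magic(data: bytes) -> str:
    """Over-optimistic magic: decides on the first byte alone, like the
    one-byte COM tests Glenn refers to. Returns text in the style of `file`."""
    if data and data[0] in COM_FIRST_BYTES:
        return "DOS executable (COM)"
    if data.isascii():
        return "ASCII text"
    return "ISO-8859 text" if looks_like_8bit_text(data) else "data"


def magic_without_one_byte_tests(data: bytes) -> str:
    """Option B: the same classifier with the one-byte COM tests removed.
    A COM program has no header, so it can only come out as 'data'."""
    if data.isascii():
        return "ASCII text"
    return "ISO-8859 text" if looks_like_8bit_text(data) else "data"


def mime_magic(data: bytes) -> str:
    """Rough stand-in for `file -i`: a part is text only when the whole body
    reads as text, not when its first byte happens to look like an opcode."""
    if data.isascii():
        return "text/plain; charset=us-ascii"
    try:
        data.decode("utf-8")
        return "text/plain; charset=utf-8"
    except UnicodeDecodeError:
        pass
    if looks_like_8bit_text(data):
        # file(1) cannot tell KOI8-R or CP1251 from Latin-1 and reports
        # iso-8859-1, which is the charset the poster saw.
        return "text/plain; charset=iso-8859-1"
    return "application/octet-stream; charset=binary"


def check_column(rules, column, description):
    """First rule whose pattern in the given column matches wins, reading the
    rules top down; None if no rule in that column matches."""
    for action, ft_pat, mime_pat in rules:
        pat = ft_pat if column == "filetype" else mime_pat
        if pat != "-" and re.search(pat, description, re.IGNORECASE):
            return action
    return None


def scan(data, rules=RULES, magic=one_byte_magic):
    """Model the two checks in the poster's log: the filetype column is run on
    the `file` text, the MIME column on the `file -i` text, and a deny from
    either quarantines the part. Modelled on the log lines only; an assumption
    about MailScanner's real internals, not its code."""
    verdicts = {
        "filetype": check_column(rules, "filetype", magic(data)),
        "mime": check_column(rules, "mime", mime_magic(data)),
    }
    return ("deny" in verdicts.values()), verdicts


# Constructed samples: a KOI8-R greeting whose first letter, capital I, is
# byte 0xE9, and a minimal COM-style program (jmp; exit) starting with the
# same byte.
RUSSIAN_TEXT = "Иван, привет".encode("koi8_r")
COM_PROGRAM = b"\xe9\x00\x00\xb4\x4c\xcd\x21"

if __name__ == "__main__":
    for name, body in (("russian text", RUSSIAN_TEXT), ("COM program", COM_PROGRAM)):
        print(f"{name:13} one-byte magic : {scan(body)}")
        print(f"{name:13} option B       : {scan(body, magic=magic_without_one_byte_tests)}")
        print(f"{name:13} option C       : {scan(body, magic=mime_magic)}")
```

Run as-is it shows the three outcomes: with the one-byte magic both the Russian text and the COM bytes are denied by the filetype column, and the MIME allow on the text does not rescue it; with option B or C the text goes through, but the headerless COM program now comes out as `data` or `application/octet-stream` and is not caught by either column, which is the trade-off Richard's last paragraph is worried about.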