Russian Text = Executable?
Richard Bollinger
rabollinger at gmail.com
Fri Jul 3 19:18:47 IST 2009
On Fri, Jul 3, 2009 at 4:01 AM, Glenn Steen <glenn.steen at gmail.com> wrote:
> 2009/7/2 Richard Bollinger <rabollinger at gmail.com>:
>> Running MailScanner version 4.74.16, file-5.03
>>
>> When our Russian employee attempts to email his associates, the text
>> portion of his email is interpreted by the file command as
>> msg-15166-15.txt: DOS executable (COM)
>> # grep msg-15166-15 /var/adm/maillog
>> Jul 2 08:40:53 ls04 MailScanner[15166]: Filename Checks: Allowing
>> n62Cd5xN017134 msg-15166-15.txt
>> Jul 2 08:40:53 ls04 MailScanner[15166]: Filetype Checks: No
>> executables (n62Cd5xN017134 msg-15166-15.txt)
>> Jul 2 08:41:01 ls04 MailScanner[15166]: Saved infected
>> "msg-15166-15.txt" to
>> /var/spool/MailScanner/quarantine/20090702/n62Cd5xN017134
>>
>> Fine... I read the mailing list notes and docs which say file -i
>> should work better... and it does:
>> msg-15166-15.txt: text/plain; charset=iso-8859-1
>>
>> So I inserted a rule to match that in filetypes.rules.conf like so
>> --- filetype.rules.conf.FCS 2008-03-12 05:50:04.000000000 -0400
>> +++ filetype.rules.conf 2009-07-02 11:18:38.000000000 -0400
>> @@ -18,6 +18,7 @@
>> allow \bscript - -
>> allow archive - -
>> allow postscript - -
>> +allow - iso-8859-1 - -
>> deny self-extract No self-extracting archives No
>> self-extracting archives allowed
>> deny executable No executables No programs allowed
>> #EXAMPLE: deny - x-dosexec No DOS executables No DOS
>> programs allowed
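Review bot: `+allow - iso-8859-1 - -` is a MIME-type rule (the `-` in the file-type column gives it the same shape as the `#EXAMPLE: deny - x-dosexec ...` line), so it is only consulted by the "Filetype Mime Checks" pass; the log quoted below shows exactly that: "Filetype Checks: No executables" is logged first, "Filetype Mime Checks: Allowing" follows, and the attachment is quarantined anyway, so an allow in the MIME column cannot override the `deny executable` file-type rule. The pattern also matches the charset half of the `file -i` output rather than the media type; `text/plain` would state the intent directly, although the rule would still not rescue the message for the reason above.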
>>
>> But apparently MIME rules in the filetype.rules.conf files aren't
>> really checked in order as one might expect... so it's still getting
>> blocked:
>> # grep msg-25147-33 /var/adm/maillog
>> Jul 2 10:52:33 ls04 MailScanner[25147]: Filename Checks: Allowing
>> n62EqVIg027437 msg-25147-33.txt
>> Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Checks: No
>> executables (n62EqVIg027437 msg-25147-33.txt)
>> Jul 2 10:52:33 ls04 MailScanner[25147]: Filetype Mime Checks:
>> Allowing n62EqVIg027437 msg-25147-33.txt
>> Jul 2 10:52:38 ls04 MailScanner[25147]: Saved infected
>> "msg-25147-33.txt" to
>> /var/spool/MailScanner/quarantine/20090702/n62EqVIg027437
>>
>> So, do we have to drop the filetype rule for executables and go with
>> the MIME rules only? That doesn't seem to detect all executable
>> formats, often coming up with
>> application/octet-stream; charset=binary, which is pretty generic,
>> instead of executable.
>>
>> Suggestions?
>
> A) replace your file package with one where the overoptimistic
> one-byte magics aren't present (if available, that is).
> B) Edit your magic file(s) and manually remove/comment the offending
> magic lines, then "recompile" it with "file -C".
> C) Switch to file -i
> Dreary, but ... there it is.
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
Here's the patch I applied:
--- ../msdos.FCS 2009-07-03 13:55:06.000000000 -0400
+++ file-5.03/magic/Magdir/msdos 2009-07-03 14:05:25.000000000 -0400
@@ -286,7 +286,7 @@
# but it isn't feasible to match all COM files since there must be at least
# two dozen different one-byte "magics".
# test too generic ?
-0 byte 0xe9 DOS executable (COM)
+##0 byte 0xe9 DOS executable (COM)
>0x1FE leshort 0xAA55 \b, boot code
>6 string SFX\ of\ LHarc (%s)
0 belong 0xffffffff DOS executable (device driver)
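Review bot: commenting out `0 byte 0xe9 DOS executable (COM)` leaves its two continuation lines, `>0x1FE leshort 0xAA55 \b, boot code` and `>6 string SFX\ of\ LHarc (%s)`, in place; in a magic file a `>` line belongs to the nearest preceding level-0 entry, so after this change they attach to whatever top-level entry precedes this block in the file and can append ", boot code" to an unrelated description. Comment the continuation lines out together with their parent. The edited source also only takes effect once the compiled magic is rebuilt with `file -C`, as noted upthread.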
@@ -311,13 +311,13 @@
>>>77 string <\x5B
>>>>77 string x \b, name: %.8s
# test too generic ?
-0 byte 0x8c DOS executable (COM)
+##0 byte 0x8c DOS executable (COM)
# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
->0 byte 0xeb DOS executable (COM)
+##>0 byte 0xeb DOS executable (COM)
>>0x1FE leshort 0xAA55 \b, boot code
>>85 string UPX \b, UPX compressed
>>4 string \ $ARX \b, ARX self-extracting archive
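Review bot: the same orphaning happens with `##>0 byte 0xeb DOS executable (COM)`: the `>>0x1FE`, `>>85 string UPX` and `>>4 string \ $ARX` lines lose their level-1 parent and are left dangling under the guard entry `0 ubeshort&0xeb8d >0xeb00`, which prints nothing itself and exists only to gate the removed test. Disable the guard and its `>>` children together with the `>0 byte 0xeb` line; the `0x8c` change is clean, since that entry has no continuation lines. One trade-off worth recording in the commit: with all three one-byte tests gone, genuine COM files that begin with 0xe9, 0x8c or 0xeb are no longer reported as "DOS executable (COM)", so MailScanner's `deny executable` file-type rule will not stop them either, and the filename rules are what remains for those.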
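The one-byte magics at issue, as an added example that is not part of the thread and not code from the file project or MailScanner: a Python model of the three COM tests transcribed from the msdos hunks above, plus a deliberately simplified stand-in for the text heuristic that `file -i` falls back to, run over constructed Cyrillic samples. Two things are assumptions: the text heuristic is a simplification of libmagic's checks, not a port of them, and the `file -i` model assumes the COM entries carry no MIME type so the text check decides, which is consistent with the two outputs quoted in the post. The last function shows which letters of two legacy Russian code pages begin with one of the magic bytes, which is why an ordinary greeting is enough to trigger the misdetection.

```python
"""Model of the one-byte COM magics from file-5.03's msdos magic and of the
text fallback that `file -i` reaches instead.  Added example; not code from
the thread, from MailScanner or from the file project."""
from typing import Dict, Optional

COM_DESCRIPTION = "DOS executable (COM)"


def com_one_byte_magic(data: bytes) -> Optional[str]:
    """The three tests disabled by the patch, transcribed from the magic lines:
         0 byte 0xe9 DOS executable (COM)
         0 byte 0x8c DOS executable (COM)
         0 ubeshort&0xeb8d >0xeb00          (guard)
         >0 byte 0xeb DOS executable (COM)
    """
    if len(data) < 2:
        return None
    if data[0] in (0xE9, 0x8C):
        return COM_DESCRIPTION
    # ubeshort: big-endian 16-bit value at offset 0, masked, then compared.
    guard = ((data[0] << 8) | data[1]) & 0xEB8D
    if guard > 0xEB00 and data[0] == 0xEB:
        return COM_DESCRIPTION
    return None


# Simplified 8-bit text heuristic (an assumption standing in for libmagic's
# far more elaborate ascmagic checks): printable ASCII plus common control
# whitespace, and any byte 0xA0-0xFF, count as text.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x1B}
_TEXT_BYTES |= set(range(0xA0, 0x100))


def text_mime(data: bytes) -> Optional[str]:
    """MIME string in the shape `file -i` prints, or None when not text-like."""
    if not data or any(b not in _TEXT_BYTES for b in data):
        return None
    if all(b < 0x80 for b in data):
        return "text/plain; charset=us-ascii"
    try:
        data.decode("utf-8")
        return "text/plain; charset=utf-8"
    except UnicodeDecodeError:
        # Any other 8-bit text is reported as iso-8859-1, whatever the real
        # code page; that is the label the post's `file -i` run produced.
        return "text/plain; charset=iso-8859-1"


def classify_like_file(data: bytes) -> str:
    """Plain `file`: soft magic wins, then the text heuristic, else 'data'."""
    desc = com_one_byte_magic(data)
    if desc:
        return desc
    mime = text_mime(data)
    if mime is None:
        return "data"
    return {"us-ascii": "ASCII text", "utf-8": "UTF-8 Unicode text"}.get(
        mime.split("charset=")[1], "ISO-8859 text")


def classify_like_file_i(data: bytes) -> str:
    """`file -i`, modelled so that a COM match without a MIME type falls through
    to the text heuristic (assumption; it reproduces the outputs quoted above)."""
    return text_mime(data) or "application/octet-stream; charset=binary"


def letters_hitting_magic(codec: str) -> Dict[int, str]:
    """Which characters of a legacy code page start with one of the magic bytes."""
    hits = {}
    for magic_byte in (0xE9, 0x8C, 0xEB):
        try:
            hits[magic_byte] = bytes([magic_byte]).decode(codec)
        except UnicodeDecodeError:
            pass
    return hits


# Constructed sample attachments; the COM-like one is a synthetic header-shaped
# byte pattern, not a program.
SAMPLES = {
    "koi8r_greeting": "Коллеги, высылаю отчёт.".encode("koi8_r"),  # first byte 0xEB
    "koi8r_name": "Иван".encode("koi8_r"),                          # first byte 0xE9
    "cp1251_word": "йод".encode("cp1251"),                           # first byte 0xE9
    "ascii_greeting": b"Hello, please find the report attached.\n",
    "com_like": b"\xe9\x10\x00" + b"\x90" * 16,
}


def report() -> Dict[str, Dict[str, str]]:
    """Both classifications for every sample, keyed by sample name."""
    return {name: {"file": classify_like_file(raw), "file -i": classify_like_file_i(raw)}
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:16} file: {result['file']:24} file -i: {result['file -i']}")
    for codec in ("koi8_r", "cp1251"):
        print(codec, {hex(b): ch for b, ch in letters_hitting_magic(codec).items()})
```

Running it shows every Cyrillic sample classified as "DOS executable (COM)" by the magic path and as `text/plain; charset=iso-8859-1` by the text path, while the synthetic COM header is the only sample that is binary under both; the letter table explains the frequency: in KOI8-R the capitals И and К, and in CP1251 the lowercase й and л, all sit on the three magic bytes.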