Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?
Alex Crow
alex at nanogherkin.com
Thu Aug 5 18:10:16 IST 2010
All,
I have installed from the RPM-based installer on the MailScanner site
(together with the ClamAV/SpamAssassin easy-install package CA:0.96.1
SA:3.31) and the filename rules seem to be ignored. I sent through an
attachment named "fintest.doc.rtf.txt.doc.doc" and the log showed they
were allowed:
Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt
Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt
Here are the pertinent entries in my config files:
MailScanner.conf:
Filename Rules = %etc-dir%/filename.rules
filename.rules:
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf
filename.rules.allowall.conf:
allow .* - -
filename.rules.conf:
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
# then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny	.{150,}	Very long filename, possible OE attack	Very long filenames are good signs of attacks against Microsoft e-mail packages
# JKF 10/08/2007 Adobe Acrobat nastiness
deny	\.fdf$	Dangerous Adobe Acrobat data-file	Opening this file can cause auto-loading of any file from the internet
# JKF 04/01/2005 More Microsoft security vulnerabilities
deny	\.ico$	Windows icon file security vulnerability	Possible buffer overflow in Windows
deny	\.ani$	Windows animated cursor file security vulnerability	Possible buffer overflow in Windows
deny	\.cur$	Windows cursor file security vulnerability	Possible buffer overflow in Windows
deny	\.hlp$	Windows help file security vulnerability	Possible buffer overflow in Windows
deny	\.wri$	Windows wordpad file security vulnerability	Possible buffer overflow in Windows
# These are some well known viruses.
deny	pretty\s+park\.exe$	"Pretty Park" virus	"Pretty Park" virus
deny	happy99\.exe$	"Happy" virus	"Happy" virus
deny	\.ceo$	WinEvar virus attachment	Often used by the WinEvar virus
deny	webpage\.rar$	I-Worm.Yanker virus attachment	Often used by the I-Worm.Yanker virus
deny	your_.*\.zip	"W32/SoBig.E" virus	"W32/SoBig" virus
deny	message\.zip	"W32/Mimail.A" virus	"W32/Mimail" virus
# JKF 08/07/2005 Several virus scanners may miss this one
deny	\.cab$	Possible malicious Microsoft cabinet file	Cabinet files may hide viruses
# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow	\.xml\d*\.rel$	-	-
allow	\.x\d+\.rel$	-	-
allow	\.rtf$	-	-
# These are known to be mostly harmless.
allow	\.odt$	-	-
allow	\.ods$	-	-
allow	\.odp$	-	-
allow	\.jpg$	-	-
allow	\.gif$	-	-
# .url is arguably dangerous, but I can't just ban it...
allow	\.url$	-	-
allow	\.vcf$	-	-
allow	\.txt$	-	-
allow	\.zip$	-	-
allow	\.t?gz$	-	-
allow	\.bz2$	-	-
allow	\.Z$	-	-
allow	\.rpm$	-	-
# PGP and GPG
allow	\.gpg$	-	-
allow	\.pgp$	-	-
allow	\.sig$	-	-
allow	\.asc$	-	-
# Macintosh archives
allow	\.hqx$	-	-
allow	\.sit.bin$	-	-
allow	\.sea$	-	-
# these are sent by our users all of the time.
allow	\.pdf$	-	-
allow	\.doc$	-	-
allow	\.xls$	-	-
# These are known to be dangerous in almost all cases.
deny	\.reg$	Possible Windows registry attack	Windows registry entries are very dangerous in email
deny	\.chm$	Possible compiled Help file-based virus	Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny	\.cnf$	Possible SpeedDial attack	SpeedDials are very dangerous in email
deny	\.hta$	Possible Microsoft HTML archive attack	HTML archives are very dangerous in email
deny	\.ins$	Possible Microsoft Internet Comm. Settings attack	Windows Internet Settings are dangerous in email
deny	\.jse?$	Possible Microsoft JScript attack	JScript Scripts are dangerous in email
deny	\.job$	Possible Microsoft Task Scheduler attack	Task Scheduler requests are dangerous in email
deny	\.lnk$	Possible Eudora *.lnk security hole attack	Eudora *.lnk security hole attack
deny	\.ma[dfgmqrstvw]$	Possible Microsoft Access Shortcut attack	Microsoft Access Shortcuts are dangerous in email
deny	\.pif$	Possible MS-Dos program shortcut attack	Shortcuts to MS-Dos programs are very dangerous in email
deny	\.scf$	Possible Windows Explorer Command attack	Windows Explorer Commands are dangerous in email
deny	\.sct$	Possible Microsoft Windows Script Component attack	Windows Script Components are dangerous in email
deny	\.shb$	Possible document shortcut attack	Shortcuts Into Documents are very dangerous in email
deny	\.shs$	Possible Shell Scrap Object attack	Shell Scrap Objects are very dangerous in email
deny	\.vb[es]$	Possible Microsoft Visual Basic script attack	Visual Basic Scripts are dangerous in email
deny	\.ws[cfh]$	Possible Microsoft Windows Script Host attack	Windows Script Host files are dangerous in email
deny	\.xnk$	Possible Microsoft Exchange Shortcut attack	Microsoft Exchange Shortcuts are dangerous in email
# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny	\.cer$	Dangerous Security Certificate (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.its$	Dangerous Internet Document Set (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.mau$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.md[az]$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.prf$	Dangerous Outlook Profile Settings (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.pst$	Dangerous Office Data File (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
#deny	\.tmp$	Dangerous Temporary File (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.vsmacros$	Dangerous Visual Studio Macros (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.vs[stw]$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
deny	\.ws$	Dangerous Windows Script (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
# These 2 added by popular demand - Very often used by viruses
deny	\.com$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
deny	\.exe$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny	\.scr$	Possible virus hidden in a screensaver	Windows Screensavers are often used to hide viruses
deny	\.bat$	Possible malicious batch file script	Batch files are often malicious
deny	\.cmd$	Possible malicious batch file script	Batch files are often malicious
deny	\.cpl$	Possible malicious control panel item	Control panel items are often used to hide viruses
deny	\.mhtml$	Possible Eudora meta-refresh attack	MHTML files can be used in an attack against Eudora
# Deny filenames containing CLSID's
deny	\{[a-hA-H0-9-]{25,}\}	Filename trying to hide its real type	Files containing CLSID's are trying to hide their real type
# Deny filenames with lots of contiguous white space in them.
deny	\s{10,}	Filename contains lots of white space	A long gap in a name is often used to hide part of it
# Allow repeated file extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-
# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow	\.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$	-	-
allow	\.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$	-	-
# Deny all other double file extensions. This catches any hidden filenames.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension
Is anyone at all able to help me?
Best regards
Alex
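An added example, not part of the post above and not code from the MailScanner project: a small Python model of how a first-match filename ruleset of the kind quoted in the mail decides an attachment name. It assumes the semantics the rule file's own comments describe (TAB-separated fields, rules tried top to bottom, first match wins) plus two things the post does not state and that are assumptions here: matching is case-insensitive, and a name no rule matches is allowed. The rule text is a constructed subset of the posted filename.rules.conf in its original order; `parse_rules`, `check_filename`, `trace` and `rules_for_message` are names chosen for this example, and 203.0.113.7 is a constructed sender address.

```python
import re
from typing import NamedTuple, Optional

# Constructed subset of the filename.rules.conf quoted in the post, kept in the
# post's order. Fields are TAB-separated: action, regex, log text, report text.
DEFAULT_RULES_TEXT = (
    "# long filenames (Outlook Express second-to-last-extension bug)\n"
    "deny\t.{150,}\tVery long filename, possible OE attack\tVery long filenames are good signs of attacks against Microsoft e-mail packages\n"
    "allow\t\\.rtf$\t-\t-\n"
    "allow\t\\.txt$\t-\t-\n"
    "allow\t\\.zip$\t-\t-\n"
    "allow\t\\.pdf$\t-\t-\n"
    "allow\t\\.doc$\t-\t-\n"
    "allow\t\\.xls$\t-\t-\n"
    "deny\t\\.vb[es]$\tPossible Microsoft Visual Basic script attack\tVisual Basic Scripts are dangerous in email\n"
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email\n"
    "deny\t\\.scr$\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses\n"
    "deny\t\\s{10,}\tFilename contains lots of white space\tA long gap in a name is often used to hide part of it\n"
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension\n"
)
# The one-line filename.rules.allowall.conf from the post.
ALLOWALL_RULES_TEXT = "allow\t.*\t-\t-\n"


class Rule(NamedTuple):
    action: str             # allow | deny | deny+delete (redirect-to-address form not modelled)
    pattern: re.Pattern
    log_text: str
    report_text: str


class Verdict(NamedTuple):
    action: str
    matched: Optional[str]  # regex of the rule that fired; None when nothing matched
    log_text: str


def parse_rules(text: str) -> list:
    """Parse a MailScanner-style filename rule file (TAB-separated fields)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in raw.split("\t") if f.strip()]
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 4 TAB-separated fields, got {len(fields)}")
        action, regex, log_text, report_text = fields[:4]
        if action not in ("allow", "deny", "deny+delete"):
            raise ValueError(f"line {lineno}: unsupported action {action!r}")
        # Assumption: filename regexes are matched case-insensitively.
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE), log_text, report_text))
    return rules


DEFAULT = parse_rules(DEFAULT_RULES_TEXT)
ALLOWALL = parse_rules(ALLOWALL_RULES_TEXT)


def rules_for_message(sender_ip: str) -> list:
    """Mirror the two-line filename.rules from the post: mail From: 127.0.0.1
    gets the allow-all file, everything else gets the default file."""
    return ALLOWALL if sender_ip == "127.0.0.1" else DEFAULT


def check_filename(name: str, rules: list) -> Verdict:
    """First matching rule wins. Assumption: a name no rule matches is allowed."""
    for rule in rules:
        if rule.pattern.search(name):
            return Verdict(rule.action, rule.pattern.pattern, rule.log_text)
    return Verdict("allow", None, "no rule matched")


def trace(name: str, rules: list) -> list:
    """Every rule tried, in order, up to and including the one that fired."""
    tried = []
    for rule in rules:
        hit = bool(rule.pattern.search(name))
        tried.append((rule.pattern.pattern, hit))
        if hit:
            break
    return tried


if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.7"):   # 203.0.113.7 is a constructed address
        for fn in ("fintest.doc.rtf.txt.doc.doc", "invoice.pdf.exe", "readme.htm.png"):
            v = check_filename(fn, rules_for_message(ip))
            print(f"from {ip:<12} {fn:<28} -> {v.action:<5} by {v.matched!r} ({v.log_text})")
```

Running `trace("fintest.doc.rtf.txt.doc.doc", DEFAULT)` shows the point worth checking against the log in the post: with the rules in the posted order, `allow \.doc$` is tried (and matches) long before the double-extension `deny` near the end of the file, so that name is allowed by the default file, not only by the allow-all file that the `From: 127.0.0.1` line selects for locally submitted mail. A name that does not hit an earlier allow, such as `readme.htm.png`, falls through to the double-extension deny; `invoice.pdf.exe` is denied by `\.exe$`.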