Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?
Jules Field
MailScanner at ecs.soton.ac.uk
Thu Aug 5 19:06:45 IST 2010
That is entirely as expected, due to the rule
# Allow repeated file extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-
which appears before the double-extension-check rule, as it causes it to
allow files where people have accidentally doubled up the same extension.
Jules.
On 05/08/2010 18:10, Alex Crow wrote:
> All,
>
> I have installed from the RPM-based installer on the MailScanner site
> (together with the ClamAV/SpamAssassin easy-install package CA:0.96.1
> SA:3.31) and the filename rules seem to be ignored. I sent through an
> attachment named "fintest.doc.rtf.txt.doc.doc" and the log showed
> they were allowed:
>
>
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt
>
> Here are the pertinent entries in my config files:
>
> MailScanner.conf:
> Filename Rules = %etc-dir%/filename.rules
>
> filename.rules:
> From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> filename.rules.allowall.conf:
> allow .* - -
>
> filename.rules.conf:
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
> # then log text, then user report text.
> #
> # The "email-addresses" can be a space or comma-separated list of email
> # addresses. If the rule hits, the message will be sent to these address(es)
> # instead of the original recipients.
>
> # Due to a bug in Outlook Express, you can make the 2nd from last extension
> # be what is used to run the file. So very long filenames must be denied,
> # regardless of the final extension.
> deny	.{150,}	Very long filename, possible OE attack	Very long filenames are good signs of attacks against Microsoft e-mail packages
>
> # JKF 10/08/2007 Adobe Acrobat nastiness
> deny	\.fdf$	Dangerous Adobe Acrobat data-file	Opening this file can cause auto-loading of any file from the internet
>
> # JKF 04/01/2005 More Microsoft security vulnerabilities
> deny	\.ico$	Windows icon file security vulnerability	Possible buffer overflow in Windows
> deny	\.ani$	Windows animated cursor file security vulnerability	Possible buffer overflow in Windows
> deny	\.cur$	Windows cursor file security vulnerability	Possible buffer overflow in Windows
> deny	\.hlp$	Windows help file security vulnerability	Possible buffer overflow in Windows
> deny	\.wri$	Windows wordpad file security vulnerability	Possible buffer overflow in Windows
>
>
> # These are some well known viruses.
> deny	pretty\s+park\.exe$	"Pretty Park" virus	"Pretty Park" virus
> deny	happy99\.exe$	"Happy" virus	"Happy" virus
> deny	\.ceo$	WinEvar virus attachment	Often used by the WinEvar virus
> deny	webpage\.rar$	I-Worm.Yanker virus attachment	Often used by the I-Worm.Yanker virus
> deny	your_.*\.zip	"W32/SoBig.E" virus	"W32/SoBig" virus
> deny	message\.zip	"W32/Mimail.A" virus	"W32/Mimail" virus
>
> # JKF 08/07/2005 Several virus scanners may miss this one
> deny	\.cab$	Possible malicious Microsoft cabinet file	Cabinet files may hide viruses
>
> # These are in the archives which are Microsoft Office 2007 files (e.g. docx)
> allow	\.xml\d*\.rel$	-	-
> allow	\.x\d+\.rel$	-	-
> allow	\.rtf$	-	-
>
> # These are known to be mostly harmless.
> allow	\.odt$	-	-
> allow	\.ods$	-	-
> allow	\.odp$	-	-
> allow	\.jpg$	-	-
> allow	\.gif$	-	-
> # .url is arguably dangerous, but I can't just ban it...
> allow	\.url$	-	-
> allow	\.vcf$	-	-
> allow	\.txt$	-	-
> allow	\.zip$	-	-
> allow	\.t?gz$	-	-
> allow	\.bz2$	-	-
> allow	\.Z$	-	-
> allow	\.rpm$	-	-
> # PGP and GPG
> allow	\.gpg$	-	-
> allow	\.pgp$	-	-
> allow	\.sig$	-	-
> allow	\.asc$	-	-
> # Macintosh archives
> allow	\.hqx$	-	-
> allow	\.sit.bin$	-	-
> allow	\.sea$	-	-
>
> # these are sent by our users all of the time.
> allow	\.pdf$	-	-
> allow	\.doc$	-	-
> allow	\.xls$	-	-
>
> # These are known to be dangerous in almost all cases.
> deny	\.reg$	Possible Windows registry attack	Windows registry entries are very dangerous in email
> deny	\.chm$	Possible compiled Help file-based virus	Compiled help files are very dangerous in email
> # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
> deny	\.cnf$	Possible SpeedDial attack	SpeedDials are very dangerous in email
> deny	\.hta$	Possible Microsoft HTML archive attack	HTML archives are very dangerous in email
> deny	\.ins$	Possible Microsoft Internet Comm. Settings attack	Windows Internet Settings are dangerous in email
> deny	\.jse?$	Possible Microsoft JScript attack	JScript Scripts are dangerous in email
> deny	\.job$	Possible Microsoft Task Scheduler attack	Task Scheduler requests are dangerous in email
> deny	\.lnk$	Possible Eudora *.lnk security hole attack	Eudora *.lnk security hole attack
> deny	\.ma[dfgmqrstvw]$	Possible Microsoft Access Shortcut attack	Microsoft Access Shortcuts are dangerous in email
> deny	\.pif$	Possible MS-Dos program shortcut attack	Shortcuts to MS-Dos programs are very dangerous in email
> deny	\.scf$	Possible Windows Explorer Command attack	Windows Explorer Commands are dangerous in email
> deny	\.sct$	Possible Microsoft Windows Script Component attack	Windows Script Components are dangerous in email
> deny	\.shb$	Possible document shortcut attack	Shortcuts Into Documents are very dangerous in email
> deny	\.shs$	Possible Shell Scrap Object attack	Shell Scrap Objects are very dangerous in email
> deny	\.vb[es]$	Possible Microsoft Visual Basic script attack	Visual Basic Scripts are dangerous in email
> deny	\.ws[cfh]$	Possible Microsoft Windows Script Host attack	Windows Script Host files are dangerous in email
> deny	\.xnk$	Possible Microsoft Exchange Shortcut attack	Microsoft Exchange Shortcuts are dangerous in email
>
> # These are new dangerous attachment types according to Microsoft in
> # http://support.microsoft.com/?kbid=883260
> deny	\.cer$	Dangerous Security Certificate (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.its$	Dangerous Internet Document Set (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.mau$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.md[az]$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.prf$	Dangerous Outlook Profile Settings (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.pst$	Dangerous Office Data File (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> #deny	\.tmp$	Dangerous Temporary File (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.vsmacros$	Dangerous Visual Studio Macros (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.vs[stw]$	Dangerous attachment type (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
> deny	\.ws$	Dangerous Windows Script (according to Microsoft)	Dangerous attachment according to Microsoft Q883260
>
>
> # These 2 added by popular demand - Very often used by viruses
> deny	\.com$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
> deny	\.exe$	Windows/DOS Executable	Executable DOS/Windows programs are dangerous in email
>
> # These are very dangerous and have been used to hide viruses
> deny	\.scr$	Possible virus hidden in a screensaver	Windows Screensavers are often used to hide viruses
> deny	\.bat$	Possible malicious batch file script	Batch files are often malicious
> deny	\.cmd$	Possible malicious batch file script	Batch files are often malicious
> deny	\.cpl$	Possible malicious control panel item	Control panel items are often used to hide viruses
> deny	\.mhtml$	Possible Eudora meta-refresh attack	MHTML files can be used in an attack against Eudora
>
> # Deny filenames containing CLSID's
> deny	\{[a-hA-H0-9-]{25,}\}	Filename trying to hide its real type	Files containing CLSID's are trying to hide their real type
>
> # Deny filenames with lots of contiguous white space in them.
> deny	\s{10,}	Filename contains lots of white space	A long gap in a name is often used to hide part of it
>
> # Allow repeated file extension, e.g. blah.zip.zip
> allow	(\.[a-z0-9]{3})\1$	-	-
>
> # Allow days of the week and months in doc names, e.g. blah.wed.doc
> allow	\.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$	-	-
> allow	\.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$	-	-
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension
>
> Is anyone at all able to help me?
>
> Best regards
>
> Alex
>
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
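The first-match ordering Jules describes, as an added example that is not MailScanner's own Perl code: a small Python model that parses a filename.rules.conf-style ruleset (TAB-separated fields, comments skipped, file order kept), reports which rule fires for a given attachment name, and lists the later rules that rule shadows. The ruleset excerpt is constructed from rules quoted in the thread; case-insensitive, unanchored (search) matching is an assumption of this model.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str          # allow, deny, deny+delete, or e-mail addresses
    regexp: re.Pattern   # compiled pattern from the second field
    logtext: str
    usertext: str


def parse_rules(text: str) -> list[Rule]:
    """Parse filename.rules.conf-style text: TAB-separated fields, '#' and blank
    lines skipped, rules kept in file order. Case-insensitive matching is assumed."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # allow rules in the thread carry "-" for both text fields; pad short lines
        action, regexp, logtext, usertext = (line.split("\t") + ["-"] * 3)[:4]
        rules.append(Rule(action, re.compile(regexp, re.IGNORECASE), logtext, usertext))
    return rules


def first_match(rules: list[Rule], filename: str) -> Optional[Rule]:
    """Rules are tried in file order; the first whose pattern matches decides."""
    return next((r for r in rules if r.regexp.search(filename)), None)


def all_matches(rules: list[Rule], filename: str) -> list[Rule]:
    """Every rule that would match: entries after the first are shadowed by it."""
    return [r for r in rules if r.regexp.search(filename)]


# Constructed excerpt of the ruleset quoted in the thread, in the same order.
RULES_TEXT = "\n".join([
    "# Fields are separated by TAB characters",
    "\t".join(("deny", r".{150,}", "Very long filename, possible OE attack", "Very long filenames are good signs of attacks")),
    "\t".join(("deny", r"\.exe$", "Windows/DOS Executable", "Executable DOS/Windows programs are dangerous in email")),
    "# Allow repeated file extension, e.g. blah.zip.zip",
    "\t".join(("allow", r"(\.[a-z0-9]{3})\1$", "-", "-")),
    "# Deny all other double file extensions. This catches any hidden filenames.",
    "\t".join(("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding", "Attempt to hide real filename extension")),
])

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in ("fintest.doc.rtf.txt.doc.doc", "fintest.doc.txt", "report.pdf.exe", "notes.odt"):
        hit = first_match(rules, name)
        verdict = f"{hit.action} via /{hit.regexp.pattern}/" if hit else "no rule matched"
        shadowed = [f"{r.action} /{r.regexp.pattern}/" for r in all_matches(rules, name)[1:]]
        print(f"{name}: {verdict}; shadowed later rules: {shadowed}")
```

Running it shows the name from the thread allowed by the repeated-extension rule with the double-extension deny listed as shadowed, which is the ordering effect Jules points to.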