Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?

Jules Field MailScanner at ecs.soton.ac.uk
Thu Aug 5 19:06:45 IST 2010


That is entirely as expected, due to the rule

# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$      -       -

which appears before the double-extension-check rule, as it causes it to 
allow files where people have accidentally doubled up the same extension.

Jules.

On 05/08/2010 18:10, Alex Crow wrote:
> All,
>
> I have installed from the RPM-based installer on the MailScanner site 
> (together with the ClamAV/SpamAssassin easy-install package CA:0.96.1 
> SA:3.31) and the filename rules seem to be ignored. I sent through an 
> attachement named "fintest.doc.rtf.txt.doc.doc" and the log showed 
> they were allowed:
>
>
> Aug  5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 
> 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug  5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 
> 00B222AB0117.AC992 msg-29674-6.txt
> Aug  5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 
> 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug  5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 
> 00B222AB0117.AC992 msg-29674-6.txt
>
> Here are the pertinent entries in my config files:
>
> MailScanner.conf:
> Filename Rules = %etc-dir%/filename.rules
>
> filename.rules:
> From: 127.0.0.1   /etc/MailScanner/filename.rules.allowall.conf
> FromOrTo:   default  /etc/MailScanner/filename.rules.conf
>
> filename.rules.allowall.conf:
> allow .* -  -
>
> filename.rules.conf:
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete/email-addresses, then regular 
> expression,
> #           then log text, then user report text.
> #
> # The "email-addresses" can be a space or comma-separated list of email
> # addresses. If the rule hits, the message will be sent to these 
> address(es)
> # instead of the original recipients.
>
> # Due to a bug in Outlook Express, you can make the 2nd from last 
> extension
> # be what is used to run the file. So very long filenames must be denied,
> # regardless of the final extension.
> deny    .{150,}                 Very long filename, possible OE 
> attack                                          Very long filenames 
> are good signs of attacks against Microsoft e-mail packages
>
> # JKF 10/08/2007 Adobe Acrobat nastiness
> deny    \.fdf$                  Dangerous Adobe Acrobat 
> data-file                                               Opening this 
> file can cause auto-loading of any file from the internet
>
> # JKF 04/01/2005 More Microsoft security vulnerabilities
> deny    \.ico$                  Windows icon file security 
> vulnerability                                        Possible buffer 
> overflow in Windows
> deny    \.ani$                  Windows animated cursor file security 
> vulnerability                             Possible buffer overflow in 
> Windows
> deny    \.cur$                  Windows cursor file security 
> vulnerability                                      Possible buffer 
> overflow in Windows
> deny    \.hlp$                  Windows help file security 
> vulnerability                                        Possible buffer 
> overflow in Windows
> deny    \.wri$                  Windows wordpad file security 
> vulnerability                                     Possible buffer 
> overflow in Windows
>
>
> # These are some well known viruses.
> deny    pretty\s+park\.exe$     "Pretty Park" 
> virus                                                             
> "Pretty Park" virus
> deny    happy99\.exe$           "Happy" 
> virus                                                                   "Happy" 
> virus
> deny    \.ceo$          WinEvar virus 
> attachment                                                        
> Often used by the WinEvar virus
> deny    webpage\.rar$   I-Worm.Yanker virus 
> attachment                                                  Often used 
> by the I-Worm.Yanker virus
> deny    your_.*\.zip    "W32/SoBig.E" 
> virus                                                             
> "W32/SoBig" virus
> deny    message\.zip    "W32/Mimail.A" 
> virus                                                            
> "W32/Mimail" virus
>
> # JKF 08/07/2005 Several virus scanners may miss this one
> deny    \.cab$                  Possible malicious Microsoft cabinet 
> file                                       Cabinet files may hide viruses
>
> # These are in the archives which are Microsoft Office 2007 files 
> (e.g. docx)
> allow   \.xml\d*\.rel$          -       -
> allow   \.x\d+\.rel$            -       -
> allow   \.rtf$                  -       -
>
> # These are known to be mostly harmless.
> allow   \.odt$                  -       -
> allow   \.ods$                  -       -
> allow   \.odp$                  -       -
> allow   \.jpg$                  -       -
> allow   \.gif$                  -       -
> # .url is arguably dangerous, but I can't just ban it...
> allow   \.url$                  -       -
> allow   \.vcf$                  -       -
> allow   \.txt$                  -       -
> allow   \.zip$                  -       -
> allow   \.t?gz$                 -       -
> allow   \.bz2$                  -       -
> allow   \.Z$                    -       -
> allow   \.rpm$                  -       -
> # PGP and GPG
> allow   \.gpg$                  -       -
> allow   \.pgp$                  -       -
> allow   \.sig$                  -       -
> allow   \.asc$                  -       -
> # Macintosh archives
> allow   \.hqx$                  -       -
> allow   \.sit.bin$              -       -
> allow   \.sea$                  -       -
>
> # these are sent by our users all of the time.
> allow   \.pdf$                  -       -
> allow   \.doc$                  -       -
> allow   \.xls$                  -       -
>
> # These are known to be dangerous in almost all cases.
> deny    \.reg$          Possible Windows registry 
> attack                                                Windows registry 
> entries are very dangerous in email
> deny    \.chm$          Possible compiled Help file-based 
> virus                                         Compiled help files are 
> very dangerous in email
> # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for 
> more info.
> deny    \.cnf$          Possible SpeedDial 
> attack                                                       
> SpeedDials are very dangerous in email
> deny    \.hta$          Possible Microsoft HTML archive 
> attack                                          HTML archives are very 
> dangerous in email
> deny    \.ins$          Possible Microsoft Internet Comm. Settings 
> attack                               Windows Internet Settings are 
> dangerous in email
> deny    \.jse?$         Possible Microsoft JScript 
> attack                                               JScript Scripts 
> are dangerous in email
> deny    \.job$          Possible Microsoft Task Scheduler 
> attack                                        Task Scheduler requests 
> are dangerous in email
> deny    \.lnk$          Possible Eudora *.lnk security hole 
> attack                                      Eudora *.lnk security hole 
> attack
> deny    \.ma[dfgmqrstvw]$       Possible Microsoft Access Shortcut 
> attack                               Microsoft Access Shortcuts are 
> dangerous in email
> deny    \.pif$          Possible MS-Dos program shortcut 
> attack                                         Shortcuts to MS-Dos 
> programs are very dangerous in email
> deny    \.scf$          Possible Windows Explorer Command 
> attack                                        Windows Explorer 
> Commands are dangerous in email
> deny    \.sct$          Possible Microsoft Windows Script Component 
> attack                              Windows Script Components are 
> dangerous in email
> deny    \.shb$          Possible document shortcut 
> attack                                               Shortcuts Into 
> Documents are very dangerous in email
> deny    \.shs$          Possible Shell Scrap Object 
> attack                                              Shell Scrap 
> Objects are very dangerous in email
> deny    \.vb[es]$       Possible Microsoft Visual Basic script 
> attack                                   Visual Basic Scripts are 
> dangerous in email
> deny    \.ws[cfh]$      Possible Microsoft Windows Script Host 
> attack                                   Windows Script Host files are 
> dangerous in email
> deny    \.xnk$          Possible Microsoft Exchange Shortcut 
> attack                                     Microsoft Exchange 
> Shortcuts are dangerous in email
>
> # These are new dangerous attachment types according to Microsoft in
> # http://support.microsoft.com/?kbid=883260
> deny    \.cer$          Dangerous Security Certificate (according to 
> Microsoft)                         Dangerous attachment according to 
> Microsoft Q883260
> deny    \.its$          Dangerous Internet Document Set (according to 
> Microsoft)                        Dangerous attachment according to 
> Microsoft Q883260
> deny    \.mau$          Dangerous attachment type (according to 
> Microsoft)                              Dangerous attachment according 
> to Microsoft Q883260
> deny    \.md[az]$       Dangerous attachment type (according to 
> Microsoft)                              Dangerous attachment according 
> to Microsoft Q883260
> deny    \.prf$          Dangerous Outlook Profile Settings (according 
> to Microsoft)                     Dangerous attachment according to 
> Microsoft Q883260
> deny    \.pst$          Dangerous Office Data File (according to 
> Microsoft)                             Dangerous attachment according 
> to Microsoft Q883260
> #deny   \.tmp$          Dangerous Temporary File (according to 
> Microsoft)                               Dangerous attachment 
> according to Microsoft Q883260
> deny    \.vsmacros$     Dangerous Visual Studio Macros (according to 
> Microsoft)                         Dangerous attachment according to 
> Microsoft Q883260
> deny    \.vs[stw]$      Dangerous attachment type (according to 
> Microsoft)                              Dangerous attachment according 
> to Microsoft Q883260
> deny    \.ws$           Dangerous Windows Script (according to 
> Microsoft)                               Dangerous attachment 
> according to Microsoft Q883260
>
>
> # These 2 added by popular demand - Very often used by viruses
> deny    \.com$          Windows/DOS 
> Executable                                                          
> Executable DOS/Windows programs are dangerous in email
> deny    \.exe$          Windows/DOS 
> Executable                                                          
> Executable DOS/Windows programs are dangerous in email
>
> # These are very dangerous and have been used to hide viruses
> deny    \.scr$          Possible virus hidden in a 
> screensaver                                          Windows 
> Screensavers are often used to hide viruses
> deny    \.bat$          Possible malicious batch file 
> script                                            Batch files are 
> often malicious
> deny    \.cmd$          Possible malicious batch file 
> script                                            Batch files are 
> often malicious
> deny    \.cpl$          Possible malicious control panel 
> item                                           Control panel items are 
> often used to hide viruses
> deny    \.mhtml$        Possible Eudora meta-refresh 
> attack                                             MHTML files can be 
> used in an attack against Eudora
>
> # Deny filenames containing CLSID's
> deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real 
> type                           Files containing  CLSID's are trying to 
> hide their real type
>
> # Deny filenames with lots of contiguous white space in them.
> deny    \s{10,}         Filename contains lots of white 
> space                                           A long gap in a name 
> is often used to hide part of it
>
> # Allow repeated file extension, e.g. blah.zip.zip
> allow   (\.[a-z0-9]{3})\1$      -       -
>
> # Allow days of the week and months in doc names, e.g. blah.wed.doc
> allow   \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$   -       -
> allow   
> \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$        
> -       -
>
> # Deny all other double file extensions. This catches any hidden 
> filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible 
> filename hiding                          Attempt to hide real filename 
> extension
>
> Is anyone at all able to help me?
>
> Best regards
>
> Alex
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the MailScanner mailing list