Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?

Alex Crow alex at nanogherkin.com
Thu Aug 5 19:55:12 IST 2010


On 05/08/10 19:33, Jules Field wrote:
>
>
> On 05/08/2010 19:26, Alex Crow wrote:
>> On 05/08/10 19:06, Jules Field wrote:
>>> That is entirely as expected, due to the rule
>>>
>>> # Allow repeated file extension, e.g. blah.zip.zip
>>> allow   (\.[a-z0-9]{3})\1$      -       -
>>>
>>> which appears before the double-extension-check rule, as it causes 
>>> it to allow files where people have accidentally doubled up the same 
>>> extension.
>>>
>>> Jules.
>>>
>> Dear Jules,
>>
>> The trouble is, I also had this with a test such as "<some random ssl 
>> cert>.crt.txt", which is certainly not repeated.
> Yes, but .txt is probably allowed by a rule further up in the table.
>> In fact, I've tried so many combinations and none of them have ever 
>> been flagged (unless they've had exe or dll or the like in there 
>> somewhere, when they don't trigger on the multiple extension but 
>> instead on executable content.)
>>
>> I will try disabling the "repeat" rule and see what happens anyway.
> Give that a try. If you still can't get "foobar.abc.abc" stopped, then 
> give me a shout and I'll take a look.
>
> Jules
>

Dear Jules,

For the sake of eliminating screwups on my part, I also changed the 
MailScanner.conf to look at filename.rules.conf directly before I did 
the following:

I commented out the repeated extension rule in the filename.rules.conf 
and sent an attachment "fintest.doc.rtf.txt" and it was accepted as 
follows (some info obscured of course):

Aug  5 19:43:06 mail04 postfix/cleanup[5318]: 336A82AB0117: 
message-id=<4C5B0617.7000903 at gfasf.dajh9ad.did>
Aug  5 19:43:06 mail04 postfix/smtpd[5315]: disconnect from 
unknown[192.168.20.52]
Aug  5 19:43:06 mail04 MailScanner[5013]: New Batch: Scanning 1 
messages, 6083596 bytes
Aug  5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 
336A82AB0117.AE09B fintest.doc.rtf.txt
Aug  5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 
336A82AB0117.AE09B msg-5013-3.txt
Aug  5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 
336A82AB0117.AE09B msg-5013-3.txt
Aug  5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 
336A82AB0117.AE09B fintest.doc.rtf.txt

But strangely, the original filename I quoted to you /was/ quarantined, 
under the same configuration (repeated and confirmed just now):

Aug  5 19:36:58 mail04 MailScanner[5013]: Filename Checks: Found 
possible filename hiding (B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc)
Aug  5 19:36:58 mail04 MailScanner[5013]: Filetype Checks: Allowing 
B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc
Aug  5 19:36:59 mail04 MailScanner[5013]: Saved infected 
"fintest.doc.rtf.txt.doc.doc" to 
/var/spool/MailScanner/quarantine/20100805/B51322AB0117.AC83F

Aug  5 19:50:35 mail04 MailScanner[4999]: New Batch: Scanning 1 
messages, 6083615 bytes
Aug  5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Found 
possible filename hiding (38BC02AB0117.AB918 fintest.doc.rtf.txt.doc.doc)
Aug  5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Allowing 
38BC02AB0117.AB918 msg-4999-1.txt
Aug  5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 
38BC02AB0117.AB918 fintest.doc.rtf.txt.doc.doc
Aug  5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 
38BC02AB0117.AB918 msg-4999-1.txt
Aug  5 19:50:35 mail04 MailScanner[4999]: Other Checks: Found 1 problems
Aug  5 19:50:35 mail04 MailScanner[4999]: Virus and Content Scanning: 
Starting
Aug  5 19:50:35 mail04 MailScanner[4999]: Saved entire message to 
/var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918
Aug  5 19:50:36 mail04 postfix/pickup[4885]: 374ED2AB0124: uid=** 
from=<asdasd at ifafafafafk>
Aug  5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: hold: header 
Received: by mail0asdfafaf (Postfix, from userid fasdads)??id 
374ED2AB0124; Thu,  5 Aug 2010 19:50:36 +0100 (BST) from local; 
from=<raft at asdoj.cmas>
Aug  5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: 
message-id=<20100805185036.374ED2AB0124 at sdgs.fjioa>
Aug  5 19:50:36 mail04 MailScanner[4999]: Saved infected 
"fintest.doc.rtf.txt.doc.doc" to 
/var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918

So there is definitely something amiss in at least my installation of 
MailScanner. I have no idea why this should be!

Cheers

Alex
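The behaviour Alex and Jules are discussing comes down to first-match ordering in filename.rules.conf: an early "allow" (for .txt, or for a repeated extension) shadows the later "double extension" deny. The following is an added example, not MailScanner's own code, that loads a small constructed rules table in the same action / regex / log-text / user-report layout and evaluates file names against it in order. Only the repeated-extension rule `(\.[a-z0-9]{3})\1$` is taken from the thread; the ".txt" allow rule, the simplified double-extension deny rule, the catch-all, the file names, whitespace-separated fields (the real file uses tabs), case-insensitive matching and "allow" as the no-match default are all assumptions made here for illustration. It also compares the verdicts with and without the repeated-extension rule, which is the experiment described in the post.

```python
"""First-match evaluation of a MailScanner-style filename rules table.

Added example, not MailScanner's code. Only the repeated-extension rule is
quoted from the thread; everything else in the table is constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled regex, applied with re.search
    log_text: str        # log text for a hit ("" when the file says "-")


# Regex of the rule quoted in the thread, used below to switch it off.
REPEAT_RE = r"(\.[a-z0-9]{3})\1$"

# Constructed table. Fields: action  regex  log-text  user-report, here
# separated by two or more spaces (assumption; the real file uses tabs).
# Order matters: the first matching rule decides the outcome.
RULES_TEXT = r"""
# Allow plain text files (constructed; stands in for the rule Jules assumes)
allow   \.txt$                                  -   -
# Allow repeated file extension, e.g. blah.zip.zip  (rule quoted in the thread)
allow   (\.[a-z0-9]{3})\1$                      -   -
# Deny double extensions such as .doc.doc or .pdf.exe (constructed, simplified)
deny    \.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3,4}$    Found possible filename hiding   No double extensions
# Everything else is allowed (constructed catch-all)
allow   .*                                      -   -
"""


def load_rules(text: str) -> List[Rule]:
    """Parse the table, skipping blank lines and '#' comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+| {2,}", line, maxsplit=3)
        if len(fields) < 2 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        log_text = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
        # Assumption: MailScanner matches case-insensitively.
        rules.append(Rule(fields[0], re.compile(fields[1], re.IGNORECASE), log_text))
    return rules


def first_match(name: str, rules: List[Rule]) -> Optional[int]:
    """Index of the first rule whose regex matches the attachment name."""
    for index, rule in enumerate(rules):
        if rule.pattern.search(name):
            return index
    return None


def check_filename(name: str, rules: List[Rule]) -> Tuple[str, str]:
    """Verdict for one attachment name: (action, log_text)."""
    index = first_match(name, rules)
    if index is None:
        return "allow", "no rule matched"  # assumed default
    return rules[index].action, rules[index].log_text


RULES = load_rules(RULES_TEXT)
# Equivalent of commenting the repeated-extension rule out of the file.
RULES_NO_REPEAT = [r for r in RULES if r.pattern.pattern != REPEAT_RE]


def compare(name: str) -> Tuple[str, str]:
    """Verdict with the repeat rule enabled vs. commented out."""
    return check_filename(name, RULES)[0], check_filename(name, RULES_NO_REPEAT)[0]


if __name__ == "__main__":
    # Constructed test names, including the two from the post.
    for sample in ["fintest.doc.rtf.txt", "fintest.doc.rtf.txt.doc.doc",
                   "foobar.abc.abc", "cert.crt.txt", "invoice.pdf.exe", "report.pdf"]:
        with_rule, without_rule = compare(sample)
        print(f"{sample:32s} repeat rule on: {with_rule:5s}  off: {without_rule}")
```

Running it shows the same pattern as the logs in the post: "fintest.doc.rtf.txt" is allowed either way because the ".txt" rule sits above the double-extension check, while "fintest.doc.rtf.txt.doc.doc" (and "foobar.abc.abc") is allowed only while the repeated-extension rule is in place and is flagged as possible filename hiding once that rule is removed; a genuinely disguised name such as "invoice.pdf.exe" is denied in both configurations. When debugging a rules table, checking which rule index fires (first_match) is more informative than the final allow/deny alone.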
