Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?
Alex Crow
alex at nanogherkin.com
Thu Aug 5 19:55:12 IST 2010
On 05/08/10 19:33, Jules Field wrote:
>
>
> On 05/08/2010 19:26, Alex Crow wrote:
>> On 05/08/10 19:06, Jules Field wrote:
>>> That is entirely as expected, due to the rule
>>>
>>> # Allow repeated file extension, e.g. blah.zip.zip
>>> allow (\.[a-z0-9]{3})\1$ - -
>>>
>>> which appears before the double-extension-check rule, as it causes
>>> it to allow files where people have accidentally doubled up the same
>>> extension.
>>>
>>> Jules.
>>>
>> Dear Jules,
>>
>> The trouble is, I also had this with a test such as "<some random ssl
>> cert>.crt.txt", which is certainly not repeated.
> Yes, but .txt is probably allowed by a rule further up in the table.
>> In fact, I've tried so many combinations and none of them have ever
>> been flagged (unless they've had exe or dll or the like in there
>> somewhere, when they don't trigger on the multiple extension but
>> instead on executable content.)
>>
>> I will try disabling the "repeat" rule and see what happens anyway.
> Give that a try. If you still can't get "foobar.abc.abc" stopped, then
> give me a shout and I'll take a look.
>
> Jules
>
Dear Jules,
For the sake of eliminating screwups on my part, I also changed the
MailScanner.conf to look at filename.rules.conf directly before I did
the following:
I commented out the repeated extension rule in the filename.rules.conf
and sent an attachment "fintest.doc.rtf.txt" and it was accepted as
follows (some info obscured of course):
Aug 5 19:43:06 mail04 postfix/cleanup[5318]: 336A82AB0117: message-id=<4C5B0617.7000903 at gfasf.dajh9ad.did>
Aug 5 19:43:06 mail04 postfix/smtpd[5315]: disconnect from unknown[192.168.20.52]
Aug 5 19:43:06 mail04 MailScanner[5013]: New Batch: Scanning 1 messages, 6083596 bytes
Aug 5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 336A82AB0117.AE09B fintest.doc.rtf.txt
Aug 5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 336A82AB0117.AE09B msg-5013-3.txt
Aug 5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 336A82AB0117.AE09B msg-5013-3.txt
Aug 5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 336A82AB0117.AE09B fintest.doc.rtf.txt
But strangely, the original filename I quoted to you /was/ quarantined,
under the same configuration (repeated and confirmed just now):
Aug 5 19:36:58 mail04 MailScanner[5013]: Filename Checks: Found possible filename hiding (B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc)
Aug 5 19:36:58 mail04 MailScanner[5013]: Filetype Checks: Allowing B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc
Aug 5 19:36:59 mail04 MailScanner[5013]: Saved infected "fintest.doc.rtf.txt.doc.doc" to /var/spool/MailScanner/quarantine/20100805/B51322AB0117.AC83F
Aug 5 19:50:35 mail04 MailScanner[4999]: New Batch: Scanning 1 messages, 6083615 bytes
Aug 5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Found possible filename hiding (38BC02AB0117.AB918 fintest.doc.rtf.txt.doc.doc)
Aug 5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Allowing 38BC02AB0117.AB918 msg-4999-1.txt
Aug 5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 38BC02AB0117.AB918 fintest.doc.rtf.txt.doc.doc
Aug 5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 38BC02AB0117.AB918 msg-4999-1.txt
Aug 5 19:50:35 mail04 MailScanner[4999]: Other Checks: Found 1 problems
Aug 5 19:50:35 mail04 MailScanner[4999]: Virus and Content Scanning: Starting
Aug 5 19:50:35 mail04 MailScanner[4999]: Saved entire message to /var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918
Aug 5 19:50:36 mail04 postfix/pickup[4885]: 374ED2AB0124: uid=** from=<asdasd at ifafafafafk>
Aug 5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: hold: header Received: by mail0asdfafaf (Postfix, from userid fasdads)??id 374ED2AB0124; Thu, 5 Aug 2010 19:50:36 +0100 (BST) from local; from=<raft at asdoj.cmas>
Aug 5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: message-id=<20100805185036.374ED2AB0124 at sdgs.fjioa>
Aug 5 19:50:36 mail04 MailScanner[4999]: Saved infected "fintest.doc.rtf.txt.doc.doc" to /var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918
So there is definitely something amiss in at least my installation of
MailScanner. I have no idea why this should be!
Cheers
Alex
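The first-match behaviour Jules describes, worked through as an added example that is not code from the thread or from MailScanner itself: a small Python evaluator over a rule table in the tab-separated layout of filename.rules.conf. Only the repeated-extension rule is copied from the thread; the `\.txt$` allow rule, the double-extension deny regex, case-insensitive matching and allow-by-default are assumptions standing in for the shipped file.

```python
import re

# Constructed rule table in the tab-separated layout of MailScanner's
# filename.rules.conf: action, regex, log text, user text ("-" = none).
# Only the repeated-extension rule is quoted from the thread; the .txt allow
# rule and the double-extension deny regex are assumptions, not the shipped file.
RULES_TEXT = """\
# Allow plain text attachments (assumed to sit above the double-extension check)
allow\t\\.txt$\t-\t-
# Allow repeated file extension, e.g. blah.zip.zip
allow\t(\\.[a-z0-9]{3})\\1$\t-\t-
# Deny filenames with two extensions (assumed regex; log text as seen on the page)
deny\t\\.[a-z][a-z0-9]{2,3}\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension
"""

def parse_rules(text):
    """Turn the table into (action, compiled regex, log text, user text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, log_text, user_text = line.split("\t", 3)
        # Assumption: filename regexes are matched case-insensitively.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, user_text))
    return rules

def check_filename(filename, rules):
    """Walk the table top to bottom; the first regex that matches decides.
    Returns (action, log_text). Assumption: a name matching no rule is allowed."""
    for action, regex, log_text, _user_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "-"

def comment_out(text, needle):
    """Mimic commenting out every rule line that contains `needle`."""
    return "\n".join("# " + line if needle in line and not line.startswith("#") else line
                     for line in text.splitlines())

def without_repeat_rule():
    return parse_rules(comment_out(RULES_TEXT, "\\1$"))  # "\1$" is unique to that rule

if __name__ == "__main__":
    full, trimmed = parse_rules(RULES_TEXT), without_repeat_rule()
    for name in ("fintest.doc.rtf.txt", "fintest.doc.rtf.txt.doc.doc", "foobar.abc.abc"):
        print(name, "| repeat rule on:", check_filename(name, full),
              "| off:", check_filename(name, trimmed))
```

With the table in this order, `fintest.doc.rtf.txt` is allowed by the earlier `.txt` rule whether or not the repeat rule is present, while `fintest.doc.rtf.txt.doc.doc` is only caught by the double-extension deny once the repeat rule is commented out.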