Filetype Checks: No executables on Japanese/Hungarian Emails
Csillag Tamas
cstamas at digitus.itk.ppke.hu
Wed Dec 29 17:49:46 GMT 2010
Hi all,
I recently realized that we have the same problem with Hungarian
characters (sorry, it was already a top-posted and mangled message, so one
needs to read the quoted text below to recall all).
If the mail starts with the char "é" then the mail is quarantined as a
DOS executable. (Maybe file is right, it's an 8-bit high thing.)
According to this thread I am replying to, MIME checking, aka "file -i",
can be the solution.
I am using MailScanner version 4.81.4 and use the recommended line in
filetype.rules.conf:
allow - text/plain - -
and this line even matches, but it seems to me that the normal "file"
(without -i) checks have already taken place and blocked the attachment.
Here is the log:
Dec 29 18:15:59 host1 MailScanner[32316]: Using locktype = posix
Dec 29 18:15:59 host1 MailScanner[30901]: Filetype Checks: No executables (1PXzcx-0008PH-CY msg-30901-1.txt)
Dec 29 18:15:59 host1 MailScanner[30901]: Filetype Checks: Allowing 1PXzcx-0008PH-CY msg-30901-1.txt
Dec 29 18:15:59 host1 MailScanner[30901]: Other Checks: Found 1 problems
Dec 29 18:15:59 host1 MailScanner[30901]: Virus and Content Scanning: Starting
Dec 29 18:15:59 host1 MailScanner[32384]: Read 5278 hostnames from the phishing blacklists
Dec 29 18:15:59 host1 MailScanner[32384]: Config: calling custom init function RelayDB
Dec 29 18:15:59 host1 MailScanner[32384]: Starting: export blacklisted addresses
Dec 29 18:15:59 host1 MailScanner[30901]: Virus Scanning completed at 21232 bytes per second
Dec 29 18:15:59 host1 MailScanner[30901]: Saved entire message to /var/spool/MailScanner/quarantine/20101229/1PXzcx-0008PH-CY
Dec 29 18:16:00 host1 MailScanner[30901]: Saved infected "msg-30901-1.txt" to /var/spool/MailScanner/quarantine/20101229/1PXzcx-0008PH-CY
Dec 29 18:16:00 host1 MailScanner[30901]: Spam Checks: Starting
Dec 29 18:16:00 host1 MailScanner[30901]: Spam Checks completed at 3728 bytes per second
Dec 29 18:16:00 host1 MailScanner[30901]: Cleaned: Delivered 1 cleaned messages
Can you please help me out here, Jules?
Thanks in advance!
Regards,
CSILLAG Tamas (cstamas)
On Thu, Jun 03, 2010 at 09:49:55AM +0100, Julian Field wrote:
> What did "file -i" on the msg*.txt file produce? If it's something nice
> like text/plain then
> allow - text/plain - -
> should do the trick.
>
> On 03/06/2010 00:13, Peter Ong wrote:
>> Hmm... I thought this worked, but it is not.
>>
>> p
>> ----- Original Message -----
>>
>>
>>> From: "Peter Ong"<peter.ong at hypermediasystems.com>
>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>> Sent: Wednesday, June 2, 2010 3:50:31 PM
>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>
>>> I was going to add the -i too, but then I saw this:
>>>
>>> #
>>> # NOTE: Fields are separated by TAB characters --- Important!
>>> #
>>> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
>>> # then log text, then user report text.
>>> #
>>> # The "email-addresses" can be a space or comma-separated list of email
>>> # addresses. If the rule hits, the message will be sent to these address(es)
>>> # instead of the original recipients.
>>> #
>>> # If none of the rules match, then the filetype is allowed.
>>> #
>>> # An optional fifth field can also be added before the "log text", which
>>> # makes the checked text check against the MIME type of the attachment
>>> # as determined by the output of the "file -i" command.
>>>
>>>
>>> So, I just did this...
>>>
>>> allow - text - -
>>> #EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed
>>> deny - x-dosexec No DOS executables No DOS programs allowed
>>>
>>>
>>> ----- Original Message -----
>>>
>>>
>>>> From: "Alex Broens"<ms-list at alexb.ch>
>>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>>> Sent: Wednesday, June 2, 2010 2:03:46 PM
>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>>
>>>> On 2010-06-02 20:50, Peter Ong wrote:
>>>>
>>>>> Actually, I just figured it out. I looked in the filetyperules file
>>>>> and the description gave me a clue of what to do. It worked.
>>>>>
>>>>> But yes, it's the first two bytes. I know only by man file. Hehehe
>>>>>
>>>> My users get lots of these
>>>>
>>>> File Command = /usr/bin/file -i
>>>>
>>>> ( -i, --mime output mime type strings)
>>>>
>>>>
>>>> fixed it elegantly without touching the magic strings.
>>>> (thanks to a hint from the list archive)
>>>>
>>>> h2h
>>>>
>>>> Alex
>>>>
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>>
>>>>>> From: "Alex Neuman"<alex at rtpty.com>
>>>>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>>>>> Sent: Wednesday, June 2, 2010 11:42:41 AM
>>>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>>>>
>>>>>> Can you tell which are the two bytes it thinks are indicators of a
>>>>>> DOS COM file and fix the magic file?
>>>>>>
>>>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
>>>>>>
>>>>>>
>>>>>>> Hello Everyone,
>>>>>>>
>>>>>>> How does one configure MailScanner such that this does not occur?
>>>>>>>
>>>>>>> Allow me to explain. The output below is the product of
>>>>>>> /usr/bin/file. I like this feature because it lets us discover the
>>>>>>> type of the file even if it is renamed to .txt. However, some
>>>>>>> Japanese emails when they are written a certain way cause this:
>>>>>>>
>>>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
>>>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
>>>>>>>
>>>>>>> What happens is the file named message will be quarantined along
>>>>>>> with msg-27972-9.txt which is actually the same message. When I run
>>>>>>> /usr/bin/file on "message" it tells me it's an email text message.
>>>>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
>>>>>>> file. The /usr/bin/file command decides the filetype by looking at
>>>>>>> the first 2 bytes of the file. To mitigate this, I have told users
>>>>>>> to type an empty line or two blank spaces before they begin their
>>>>>>> Japanese emails. However, this is not a graceful solution. Would
>>>>>>> anyone have a better suggestion? Thank you.
--
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas
I have never let my schooling interfere with my education.
-- Mark Twain
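The two-pass behaviour Tamas describes (the plain "file" rule denying before the "file -i" rule allows), as an added Python model that is not MailScanner's own code: it parses rules in the TAB-separated format from the quoted comment block, applies first-match semantics, and shows why switching "File Command" to "/usr/bin/file -i" changes the outcome while a real DOS program is still caught by the x-dosexec rule. The rule set, the sample text and the "file" output strings are constructed, and the two-pass model is an assumption drawn from the log lines in the message above.

```python
import re

# Constructed filetype.rules.conf fragment (not MailScanner's shipped file) in
# the format the quoted comment block describes: TAB-separated, 4 fields for a
# rule checked against "file" output, 5 fields (an extra MIME field before the
# log text) for a rule checked against "file -i" output.
RULES_CONF = (
    "deny\texecutable\tNo executables\tNo programs allowed\n"
    "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n"
    "allow\t-\ttext/plain\t-\t-\n"
)

def parse_rules(text):
    """Split into (type_rules, mime_rules); each rule is (action, regex, log)."""
    type_rules, mime_rules = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) == 4:        # action, regex, log text, report text
            type_rules.append((f[0], f[1], f[2]))
        elif len(f) == 5:      # action, regex, MIME regex, log text, report text
            mime_rules.append((f[0], f[2], f[3]))
        else:
            raise ValueError("fields must be TAB-separated: %r" % line)
    return type_rules, mime_rules

def first_match(rules, output):
    """First rule whose regex matches wins; no match means allow, as the
    quoted comment block states. Returns (action, log_text)."""
    for action, regex, log in rules:
        if regex != "-" and re.search(regex, output, re.I):
            return action, log
    return "allow", "-"

def check_attachment(rules_text, file_output, mime_output):
    """Assumed model of the two "Filetype Checks" log lines: 4-field rules run
    over `file` output, 5-field rules over `file -i` output, and a deny from
    either pass quarantines the attachment."""
    type_rules, mime_rules = parse_rules(rules_text)
    verdicts = [first_match(type_rules, file_output),
                first_match(mime_rules, mime_output)]
    return any(a.startswith("deny") for a, _ in verdicts), [l for _, l in verdicts]

# Constructed Hungarian text starting with "é": byte 0xE9 in ISO-8859-2, the
# value the DOS COM magic in `file` keys on, hence the misdetection.
SAMPLE = "és a többi".encode("iso-8859-2")
# Outputs as the thread describes them (constructed, not captured from a run):
FILE_OUT = "DOS executable (COM)"
FILE_I_OUT = "text/plain; charset=iso-8859-2"
```

Calling check_attachment(RULES_CONF, FILE_OUT, FILE_I_OUT) reproduces the quarantine even though the text/plain rule matches; passing FILE_I_OUT for both arguments models the "file -i" File Command and lets the message through.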