Filetype Checks: No executables on Japanese/Hungarian Emails

Csillag Tamas cstamas at digitus.itk.ppke.hu
Wed Dec 29 17:49:46 GMT 2010


Hi all,

I recently realized that we have the same problem with Hungarian
characters (sorry, it was already a top-posted and mangled message, so one
needs to read the quoted text below to recall all).

If the mail starts with the char "é" then the mail is quarantined as a
DOS executable. (Maybe file is right, it's an 8-bit high thing.)

According to the thread I am replying to, MIME checking, aka "file -i",
can be the solution.

I am using MailScanner version 4.81.4 and use the recommended line in
filetype.rules.conf:

allow   -       text/plain      -               -

and this line even matches, but it seems to me that the normal "file"
(without -i) checks have already taken place and blocked the attachment.

Here is the log:
Dec 29 18:15:59 host1 MailScanner[32316]: Using locktype = posix
Dec 29 18:15:59 host1 MailScanner[30901]: Filetype Checks: No executables (1PXzcx-0008PH-CY msg-30901-1.txt)
Dec 29 18:15:59 host1 MailScanner[30901]: Filetype Checks: Allowing 1PXzcx-0008PH-CY msg-30901-1.txt
Dec 29 18:15:59 host1 MailScanner[30901]: Other Checks: Found 1 problems
Dec 29 18:15:59 host1 MailScanner[30901]: Virus and Content Scanning: Starting
Dec 29 18:15:59 host1 MailScanner[32384]: Read 5278 hostnames from the phishing blacklists
Dec 29 18:15:59 host1 MailScanner[32384]: Config: calling custom init function RelayDB
Dec 29 18:15:59 host1 MailScanner[32384]: Starting: export blacklisted addresses
Dec 29 18:15:59 host1 MailScanner[30901]: Virus Scanning completed at 21232 bytes per second
Dec 29 18:15:59 host1 MailScanner[30901]: Saved entire message to /var/spool/MailScanner/quarantine/20101229/1PXzcx-0008PH-CY
Dec 29 18:16:00 host1 MailScanner[30901]: Saved infected "msg-30901-1.txt" to /var/spool/MailScanner/quarantine/20101229/1PXzcx-0008PH-CY
Dec 29 18:16:00 host1 MailScanner[30901]: Spam Checks: Starting
Dec 29 18:16:00 host1 MailScanner[30901]: Spam Checks completed at 3728 bytes per second
Dec 29 18:16:00 host1 MailScanner[30901]: Cleaned: Delivered 1 cleaned messages

Can you please help me out here, Jules?

Thanks in advance!

Regards,
  CSILLAG Tamas (cstamas)

On Thu, Jun 03, 2010 at 09:49:55AM +0100, Julian Field wrote:
> What did "file -i" on the msg*.txt file produce? If it's something nice  
> like text/plain then
> allow    -    text/plain    -    -
> should do the trick.
>
> On 03/06/2010 00:13, Peter Ong wrote:
>> Hmm... I thought this worked, but it is not.
>>
>> p
>> ----- Original Message -----
>>
>>    
>>> From: "Peter Ong"<peter.ong at hypermediasystems.com>
>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>> Sent: Wednesday, June 2, 2010 3:50:31 PM
>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>
>>> I was going to add the -i too, but then I saw this:
>>>
>>> #
>>> # NOTE: Fields are separated by TAB characters --- Important!
>>> #
>>> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
>>> #           then log text, then user report text.
>>> #
>>> # The "email-addresses" can be a space or comma-separated list of email
>>> # addresses. If the rule hits, the message will be sent to these address(es)
>>> # instead of the original recipients.
>>> #
>>> # If none of the rules match, then the filetype is allowed.
>>> #
>>> # An optional fifth field can also be added before the "log text", which
>>> # makes the checked text check against the MIME type of the attachment
>>> # as determined by the output of the "file -i" command.
>>>
>>>
>>> So, I just did this...
>>>
>>> allow   -       text    -       -
>>> #EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
>>> deny    -       x-dosexec       No DOS executables      No DOS programs allowed
>>>
>>>
>>> ----- Original Message -----
>>>
>>>      
>>>> From: "Alex Broens"<ms-list at alexb.ch>
>>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>>> Sent: Wednesday, June 2, 2010 2:03:46 PM
>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>>
>>>> On 2010-06-02 20:50, Peter Ong wrote:
>>>>> Actually, I just figured it out. I looked in the filetyperules file
>>>>> and the description gave me a clue of what to do. It worked.
>>>>>
>>>>> But yes, it's the first two bytes. I know only by man file. Hehehe
>>>>>
>>>> My users get lots of these
>>>>
>>>> File Command = /usr/bin/file -i
>>>>
>>>> ( -i, --mime                 output mime type strings)
>>>>
>>>>
>>>> fixed it elegantly without touching the magic strings.
>>>> (thanks to a hint from the list archive)
>>>>
>>>> h2h
>>>>
>>>> Alex
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>>> From: "Alex Neuman"<alex at rtpty.com>  To: "MailScanner discussion"
>>>>>> <mailscanner at lists.mailscanner.info>  Sent: Wednesday, June 2, 2010
>>>>>> 11:42:41 AM Subject: Re: Filetype Checks: No executables on
>>>>>> Japanese Emails
>>>>>>
>>>>>> Can you tell which are the two bytes it thinks are indicators of a
>>>>>> DOS COM file and fix the magic file?
>>>>>>
>>>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
>>>>>>
>>>>>>> Hello Everyone,
>>>>>>>
>>>>>>> How does one configure MailScanner such that this does not occur?
>>>>>>>
>>>>>>> Allow me to explain. The output below is the product of
>>>>>>> /usr/bin/file. I like this feature because it lets us discover the
>>>>>>> type of the file even if it is renamed to .txt. However, some
>>>>>>> Japanese emails when they are written a certain way cause this:
>>>>>>>
>>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
>>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
>>>>>>>
>>>>>>> What happens is the file named message will be quarantined along
>>>>>>> with msg-27972-9.txt which is actually the same message. When I run
>>>>>>> /usr/bin/file on "message" it tells me it's an email text message.
>>>>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
>>>>>>> file. The /usr/bin/file command decides the filetype by looking at
>>>>>>> the first 2 bytes of the file. To mitigate this, I have told users
>>>>>>> to type an empty line or two blank spaces before they begin their
>>>>>>> Japanese emails. However, this is not a graceful solution. Would
>>>>>>> anyone have a better suggestion? Thank you.

-- 
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas

I have never let my schooling interfere with my education.
                 -- Mark Twain
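The mechanism discussed in this thread, as an added example that is not code from MailScanner or from any poster: a small Python model of why an attachment whose first byte is 0xE9 ("é" in ISO-8859-1/2 and Windows-1250/1252, and a Shift-JIS lead byte range for Japanese text) is reported as a DOS COM executable by a first-bytes magic check, while a whole-body MIME classification still calls it text/plain, followed by a rule evaluator in the style of the TAB-separated filetype.rules.conf syntax quoted above. The two classifier functions are deliberately tiny stand-ins for the real "file" and "file -i" commands (their ordering of the magic and text tests is an assumption chosen to reproduce what the thread reports), the two-pass model in which a deny from either pass blocks the attachment is one reading of the "No executables" plus "Allowing" lines in the log above and is likewise an assumption, case-insensitive regex matching is an assumption, and all sample attachments and rule sets are constructed.

```python
"""Model of first-bytes magic vs. MIME classification feeding TAB-separated
allow/deny rules.  Added example, not MailScanner's code: the two classifiers
stand in for "file" and "file -i"; a real gateway feeds the commands' output
into the same kind of rule logic."""
import re


def is_textual(data: bytes) -> bool:
    """Whole-body text test: non-empty, no NUL, no control bytes except TAB/LF/CR."""
    if not data:
        return False
    control = set(range(0x00, 0x20)) - {0x09, 0x0A, 0x0D}
    return not any(b in control for b in data)


def file_description(data: bytes) -> str:
    """Stand-in for 'file <path>' (assumption: magic wins over the text test).
    0xE9 and 0xEB are x86 JMP opcodes, the classic first byte of a DOS COM
    program, and 0xE9 is also "é" in several 8-bit Latin code pages."""
    if data[:1] in (b"\xe9", b"\xeb"):
        return "DOS executable (COM)"
    if is_textual(data):
        return "ISO-8859 text" if any(b >= 0x80 for b in data) else "ASCII text"
    return "data"


def file_mime(data: bytes) -> str:
    """Stand-in for 'file -i' (assumption: the whole-body text test is applied
    first, which is the behaviour the thread reports for these mails)."""
    if is_textual(data):
        charset = "iso-8859-1" if any(b >= 0x80 for b in data) else "us-ascii"
        return f"text/plain; charset={charset}"
    if data[:1] in (b"\xe9", b"\xeb"):
        return "application/x-dosexec"
    return "application/octet-stream"


def parse_rules(text: str):
    """Parse TAB-separated rules: action, addresses, regex, log text, report text.
    Comment and blank lines are skipped; '-' means 'not set', as in the file."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t") if f.strip()]  # tolerate doubled TABs
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {line!r}")
        action, addresses, pattern = fields[:3]
        log_text = fields[3] if len(fields) > 3 else "-"
        rules.append((action, addresses, re.compile(pattern, re.I), log_text))  # re.I is an assumption
    return rules


def evaluate(rules, description: str):
    """First rule whose regex matches the description wins; no match means
    allow, as the header comment quoted in the thread states."""
    for action, _addresses, regex, log_text in rules:
        if regex.search(description):
            return action, log_text
    return "allow", "-"


def check_attachment(data: bytes, filetype_rules, filemime_rules):
    """Run both passes; a deny from either pass blocks the attachment (model of
    a log where 'No executables' and 'Allowing' appear for the same file)."""
    results = {
        "file": evaluate(filetype_rules, file_description(data)),
        "file -i": evaluate(filemime_rules, file_mime(data)),
    }
    blocked = any(action.startswith("deny") for action, _ in results.values())
    return blocked, results


# Constructed rule sets, TAB-separated as the config requires.
FILETYPE_RULES = "\n".join([
    "# checked against the output of 'file'",
    "allow\t-\ttext\t-\t-",
    "deny\t-\tself-extract\tNo self-extracting archives\tNo self-extracting archives allowed",
    "deny\t-\texecutable\tNo executables\tNo programs allowed",
])
FILEMIME_RULES = "\n".join([
    "# checked against the output of 'file -i'",
    "allow\t-\ttext/plain\t-\t-",
    "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed",
])

# Constructed attachments, not the messages from the thread.
SAMPLES = {
    "hungarian.txt": "élet szép\n".encode("latin-1"),                  # first byte 0xE9
    "plain.txt": b"Hello\n",
    "hello.com": b"\xe9\x10\x00" + b"\x90" * 13 + b"\xcd\x20",         # jmp, nops, int 20h
}

if __name__ == "__main__":
    ft, fm = parse_rules(FILETYPE_RULES), parse_rules(FILEMIME_RULES)
    for name, data in SAMPLES.items():
        blocked, res = check_attachment(data, ft, fm)
        print(f"{name:14} blocked={blocked} "
              + "  ".join(f"[{k}: {v[0]} {v[1]}]" for k, v in res.items()))
```

Running it shows the text attachment denied by the "file" pass and allowed by the "file -i" pass, which is the combination the log above shows; the point for an operator is that a deny rule matched against the plain "file" description still fires even when the MIME-based allow rule matches, so the check that should decide has to be the one whose rules carry the deny.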