Filetype Checks: No executables on Japanese Emails
Peter Ong
peter.ong at hypermediasystems.com
Wed Jun 2 23:50:31 IST 2010
I was going to add the -i too, but then I saw this:
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
# then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
#
# If none of the rules match, then the filetype is allowed.
#
# An optional fifth field can also be added before the "log text", which
# makes the checked text check against the MIME type of the attachment
# as determined by the output of the "file -i" command.
So, I just did this...
allow - text - -
#EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed
deny - x-dosexec No DOS executables No DOS programs allowed
----- Original Message -----
> From: "Alex Broens" <ms-list at alexb.ch>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Wednesday, June 2, 2010 2:03:46 PM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
>
> On 2010-06-02 20:50, Peter Ong wrote:
> > Actually, I just figured it out. I looked in the filetyperules file
> > and the description gave me a clue of what to do. It worked.
> >
> > But yes, it's the first two bytes. I know only by man file. Hehehe
>
> My users get lots of these
>
> File Command = /usr/bin/file -i
>
> ( -i, --mime output mime type strings)
>
>
> fixed it elegantly without touching the magic strings.
> (thanks to a hint from the list archive)
>
> h2h
>
> Alex
>
>
> > ----- Original Message -----
> >
> >> From: "Alex Neuman" <alex at rtpty.com>
> >> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> >> Sent: Wednesday, June 2, 2010 11:42:41 AM
> >> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>
> >> Can you tell which are the two bytes it thinks are indicators of a
> >> DOS COM file and fix the magic file?
> >>
> >> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> >>
> >>> Hello Everyone,
> >>>
> >>> How does one configure MailScanner such that this does not occur?
> >>>
> >>> Allow me to explain. The output below is the product of
> >>> /usr/bin/file. I like this feature because it lets us discover the
> >>> type of the file even if it is renamed to .txt. However, some
> >>> Japanese emails when they are written a certain way cause this:
> >>>
> >>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
> >>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
> >>>
> >>> What happens is the file named message will be quarantined along
> >>> with msg-27972-9.txt which is actually the same message. When I run
> >>> /usr/bin/file on "message" it tells me it's an email text message.
> >>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
> >>> file. The /usr/bin/file command decides the filetype by looking at
> >>> the first 2 bytes of the file. To mitigate this, I have told users
> >>> to type an empty line or two blank spaces before they begin their
> >>> Japanese emails. However, this is not a graceful solution. Would
> >>> anyone have a better suggestion? Thank you.
> >>>
> >>> p
> >>> --
> >>> MailScanner mailing list
> >>> mailscanner at lists.mailscanner.info
> >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>
> >>> Before posting, read http://wiki.mailscanner.info/posting
> >>>
> >>> Support MailScanner development - buy the book off the website!
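Added example (not part of the original message and not MailScanner's own code): a small Python evaluator for the rule syntax quoted in the message, run over the two MIME-field rules with constructed `file` and `file -i` output. Assumptions made here: `-` marks an unused field, patterns are case-insensitive regex searches, a rule hits when every pattern it sets matches, and the first hit wins.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # allow / deny / deny+delete / email-addresses
    type_re: Optional[str]   # checked against plain "file" output
    mime_re: Optional[str]   # optional field, checked against "file -i" output
    log_text: str
    report_text: str

def parse_rules(text):
    """Parse TAB-separated rules; 4 fields, or 5 when the MIME field is present."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == 4:
            action, type_re, log, report = fields
            mime_re = "-"
        elif len(fields) == 5:
            action, type_re, mime_re, log, report = fields
        else:
            # Typical cause: an editor turned the TABs into spaces.
            raise ValueError(f"line {lineno}: expected 4 or 5 TAB-separated "
                             f"fields, got {len(fields)}")
        unset = lambda v: None if v == "-" else v   # "-" = unused (assumption)
        rules.append(Rule(action, unset(type_re), unset(mime_re), log, report))
    return rules

def decide(rules, file_output, mime_output):
    """Return (action, log_text) of the first rule that hits; default is allow."""
    for r in rules:
        active = [(p, s) for p, s in ((r.type_re, file_output),
                                      (r.mime_re, mime_output)) if p is not None]
        if active and all(re.search(p, s, re.I) for p, s in active):
            return r.action, r.log_text
    return "allow", ""   # "If none of the rules match, then the filetype is allowed."

# The two rules from the message, with the field separators written as TABs.
RULES = ("allow\t-\ttext\t-\t-\n"
         "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n")

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed tool output: a text part misread as a DOS COM file, then a real one.
    print(decide(rules, "DOS executable (COM)", "text/plain; charset=iso-2022-jp"))
    print(decide(rules, "DOS executable (COM)", "application/x-dosexec"))
```

With the MIME field in use, the text part is allowed on its `text/...` type before the deny rule is reached, while an attachment reported as `application/x-dosexec` is still blocked.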