Filetype Checks: No executables on Japanese Emails

Peter Ong peter.ong at hypermediasystems.com
Wed Jun 2 23:50:31 IST 2010 

I was going to add the -i too, but then I saw this:

#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
#           then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
#
# If none of the rules match, then the filetype is allowed.
#
# An optional fifth field can also be added before the "log text", which
# makes the checked text check against the MIME type of the attachment
# as determined by the output of the "file -i" command.


So, I just did this...

allow   -       text    -       -
#EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
deny    -       x-dosexec       No DOS executables      No DOS programs allowed


----- Original Message -----

> From: "Alex Broens" <ms-list at alexb.ch>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Wednesday, June 2, 2010 2:03:46 PM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
> 
> On 2010-06-02 20:50, Peter Ong wrote:
> > Actually, I just figured it out. I looked in the filetyperules file
> > and the description gave me a clue of what to do. It worked.
> > 
> > But yes, it's the first two bytes. I know only by man file. Hehehe
> 
> My users get lots of these
> 
> File Command = /usr/bin/file -i
> 
> ( -i, --mime                 output mime type strings)
> 
> 
> fixed it elegantly without touching the magic strings.
> (thanks to a hint from the list archive)
> 
> h2h
> 
> Alex
> 
> 
> > ----- Original Message -----
> > 
> >> From: "Alex Neuman" <alex at rtpty.com> To: "MailScanner discussion"
> >> <mailscanner at lists.mailscanner.info> Sent: Wednesday, June 2, 2010
> >> 11:42:41 AM Subject: Re: Filetype Checks: No executables on
> >> Japanese Emails
> >> 
> >> Can you tell which are the two bytes it thinks are indicators of a
> >> DOS COM file and fix the magic file?
> >> 
> >> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> >> 
> >>> Hello Everyone,
> >>> 
> >>> How does one configure MailScanner such that this does not occur?
> >>> 
> >> Allow me to explain. The output below is the product of
> >> /usr/bin/file. I like this feature because it let's us discover
> the
> >> type of the file even if it is renamed to .txt. However, some
> >> Japanese emails when they are written a certain way cause this:
> >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks:
> >>> No
> >> executables (CBD9757287.ACE77 msg-27972-9.txt)
> >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire
> >>> message
> >> to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected
> >> "msg-27972-9.txt" to 
> >> /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue:
> >> CBD9757287.ACE77 to 75104572B2
> >>> What happens is the file named message will be quarantined along
> >> with msg-27972-9.txt which is actually the same message. When I
> run
> >>  /usr/bin/file on "message" it tells me it's an email text
> message.
> >> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
> >> file. The /usr/bin/file command decides the filetype by looking at
> >> the first 2 bytes of the file. To mitigate this, I have told users
> >> to type an empty line or two blank spaces before they begin their
> >> japanese emails. However, this is not a graceful solution. Would
> >> anyone have a better suggestion? Thank you.
> >>> p -- MailScanner mailing list mailscanner at lists.mailscanner.info 
> >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>> 
> >>> Before posting, read http://wiki.mailscanner.info/posting
> >>> 
> >>> Support MailScanner development - buy the book off the website!
> >> -- MailScanner mailing list mailscanner at lists.mailscanner.info 
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> 
> >> Before posting, read http://wiki.mailscanner.info/posting
> >> 
> >> Support MailScanner development - buy the book off the website!
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list