Filetype Checks: No executables on Japanese Emails

Peter Ong peter.ong at hypermediasystems.com
Thu Jun 3 00:13:38 IST 2010


Hmm... I thought this worked, but it does not.

p
----- Original Message -----

> From: "Peter Ong" <peter.ong at hypermediasystems.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Wednesday, June 2, 2010 3:50:31 PM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
> 
> I was going to add the -i too, but then I saw this:
> 
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
> #           then log text, then user report text.
> #
> # The "email-addresses" can be a space or comma-separated list of email
> # addresses. If the rule hits, the message will be sent to these address(es)
> # instead of the original recipients.
> #
> # If none of the rules match, then the filetype is allowed.
> #
> # An optional fifth field can also be added before the "log text", which
> # makes the checked text check against the MIME type of the attachment
> # as determined by the output of the "file -i" command.
> 
> 
> So, I just did this...
> 
> allow   -       text    -       -
> #EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
> deny    -       x-dosexec       No DOS executables      No DOS programs allowed
> 
> 
> ----- Original Message -----
> 
> > From: "Alex Broens" <ms-list at alexb.ch>
> > To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > Sent: Wednesday, June 2, 2010 2:03:46 PM
> > Subject: Re: Filetype Checks: No executables on Japanese Emails
> >
> > On 2010-06-02 20:50, Peter Ong wrote:
> > > Actually, I just figured it out. I looked in the filetyperules file
> > > and the description gave me a clue of what to do. It worked.
> > >
> > > But yes, it's the first two bytes. I know only by man file. Hehehe
> >
> > My users get lots of these
> >
> > File Command = /usr/bin/file -i
> >
> > ( -i, --mime                 output mime type strings)
> >
> >
> > fixed it elegantly without touching the magic strings.
> > (thanks to a hint from the list archive)
> >
> > h2h
> >
> > Alex
> >
> >
> > > ----- Original Message -----
> > >
> > >> From: "Alex Neuman" <alex at rtpty.com>
> > >> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> > >> Sent: Wednesday, June 2, 2010 11:42:41 AM
> > >> Subject: Re: Filetype Checks: No executables on Japanese Emails
> > >>
> > >> Can you tell which are the two bytes it thinks are indicators of a
> > >> DOS COM file and fix the magic file?
> > >>
> > >> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> > >>
> > >>> Hello Everyone,
> > >>>
> > >>> How does one configure MailScanner such that this does not occur?
> > >>>
> > >>> Allow me to explain. The output below is the product of
> > >>> /usr/bin/file. I like this feature because it lets us discover the
> > >>> type of the file even if it is renamed to .txt. However, some
> > >>> Japanese emails when they are written a certain way cause this:
> > >>>
> > >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
> > >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> > >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> > >>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
> > >>>
> > >>> What happens is the file named message will be quarantined along
> > >>> with msg-27972-9.txt which is actually the same message. When I run
> > >>> /usr/bin/file on "message" it tells me it's an email text message.
> > >>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
> > >>> file. The /usr/bin/file command decides the filetype by looking at
> > >>> the first 2 bytes of the file. To mitigate this, I have told users
> > >>> to type an empty line or two blank spaces before they begin their
> > >>> Japanese emails. However, this is not a graceful solution. Would
> > >>> anyone have a better suggestion? Thank you.
> > >>> p
> > >>> --
> > >>> MailScanner mailing list
> > >>> mailscanner at lists.mailscanner.info
> > >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >>>
> > >>> Before posting, read http://wiki.mailscanner.info/posting
> > >>>
> > >>> Support MailScanner development - buy the book off the website!


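Added example, not part of the thread and not MailScanner's own code: a small Python model of the rule-file syntax quoted in the message above (TAB-separated fields, optional MIME field, first match wins, default allow), which also reports lines whose fields are not TAB-separated. It assumes that "-" in a pattern field means "no check" and that patterns match case-insensitively; the rule text and `file` output strings are constructed.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    action: str       # allow, deny, deny+delete, or a list of addresses
    type_re: str      # regex for the `file` description
    mime_re: str      # optional field: regex for the `file -i` MIME type
    log_text: str
    report_text: str

def parse_rules(text):
    """Parse rule lines; return (rules, errors). Fields must be TAB-separated."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) == 4:          # no MIME field given
            fields.insert(2, "-")
        if len(fields) != 5:
            errors.append((lineno, f"{len(fields)} TAB-separated field(s), need 4 or 5"))
            continue
        rules.append(Rule(*fields))
    return rules, errors

def _hit(pattern, value):
    # Assumption: "-" means "do not check this field"; matching ignores case.
    return pattern != "-" and re.search(pattern, value, re.I) is not None

def decide(rules, file_desc, mime_type):
    """First matching rule wins; if none match, the filetype is allowed."""
    for rule in rules:
        if _hit(rule.type_re, file_desc) or _hit(rule.mime_re, mime_type):
            return rule.action, rule.log_text
    return "allow", ""

# Constructed input: the two rules from the message, written with real TABs,
# and the same text after a mail client or editor turned TABs into spaces.
TAB_RULES = ("allow\t-\ttext\t-\t-\n"
             "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n")
SPACE_RULES = TAB_RULES.replace("\t", "    ")

if __name__ == "__main__":
    rules, errors = parse_rules(TAB_RULES)
    print(decide(rules, "DOS executable (COM)", "application/x-dosexec"))
    print(decide(rules, "ASCII mail text", "text/plain; charset=us-ascii"))
    print(parse_rules(SPACE_RULES)[1])
```

Running a rule file through a check like `parse_rules` before reloading the scanner catches lines that were pasted with spaces instead of TABs.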