Filetype Checks: No executables on Japanese Emails

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jun 3 09:49:11 IST 2010



On 02/06/2010 22:03, Alex Broens wrote:
> On 2010-06-02 20:50, Peter Ong wrote:
>> Actually, I just figured it out. I looked in the filetyperules file
>> and the description gave me a clue of what to do. It worked.
>>
>> But yes, it's the first two bytes. I know only by man file. Hehehe
>
> My users get lots of these
>
> File Command = /usr/bin/file -i
>
> ( -i, --mime                 output mime type strings)
>
>
> fixed it elegantly without touching the magic strings.
> (thanks to a hint from the list archive)
Please don't do that :-(

There is already support in filetype.rules.conf for handling the output 
of "file -i" and checking it against MIME types in the rules, please 
just read the comments at the start of that file and it will explain it 
to you.

Jules.

>
>> ----- Original Message -----
>>
>>> From: "Alex Neuman" <alex at rtpty.com> To: "MailScanner discussion"
>>> <mailscanner at lists.mailscanner.info> Sent: Wednesday, June 2, 2010
>>> 11:42:41 AM Subject: Re: Filetype Checks: No executables on
>>> Japanese Emails
>>>
>>> Can you tell which are the two bytes it thinks are indicators of a
>>> DOS COM file and fix the magic file?
>>>
>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
>>>
>>>> Hello Everyone,
>>>>
>>>> How does one configure MailScanner such that this does not occur?
>>>>
>>>> Allow me to explain. The output below is the product of
>>>> /usr/bin/file. I like this feature because it lets us discover the
>>>> type of the file even if it is renamed to .txt. However, some
>>>> Japanese emails when they are written a certain way cause this:
>>>>
>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
>>>>
>>>> What happens is the file named message will be quarantined along
>>>> with msg-27972-9.txt which is actually the same message. When I run
>>>> /usr/bin/file on "message" it tells me it's an email text message.
>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
>>>> file. The /usr/bin/file command decides the filetype by looking at
>>>> the first 2 bytes of the file. To mitigate this, I have told users
>>>> to type an empty line or two blank spaces before they begin their
>>>> Japanese emails. However, this is not a graceful solution. Would
>>>> anyone have a better suggestion? Thank you.
>>>> p
>>>> -- 
>>>> MailScanner mailing list mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
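The following is an added example, not code from MailScanner, file(1) or anyone on this thread. It models the failure Peter describes and the distinction Jules points at: a magic test that keys on the leading byte of the file (the magic(5) database shipped with file(1) contains single-byte DOS COM tests, notably on 0x8C and on the x86 JMP opcodes 0xE9/0xEB; that rule set is an assumption here and varies by version, so check your own magic file) will flag a Shift_JIS body whose first kanji begins with such a byte, while a check that validates the bytes against the charset the MIME part declares, which is the kind of information a `file -i` MIME result carries, does not. The sample message, body and COM stub are constructed for the example; the function and constant names are the example's own.

```python
# Added example (not MailScanner's or file(1)'s own code). Models why a
# Japanese text part is reported as a "DOS COM" file by a leading-byte magic
# test, and shows a charset-aware check that avoids the false positive.
import codecs

# Assumption: simplified model of the DOS COM rules in magic(5)
# ("0 byte 0x8c DOS executable (COM)" plus the x86 JMP opcodes 0xE9/0xEB).
COM_LEAD_BYTES = {0x8C, 0xE9, 0xEB}


def magic_guess(data: bytes) -> str:
    """Toy classifier: like the COM rules in magic(5), it decides on the
    first byte before anything else. It does not model the rest of magic."""
    if data and data[0] in COM_LEAD_BYTES:
        return "DOS executable (COM)"
    if data.startswith((b"Return-Path:", b"Received:", b"From ")) \
            or b"\nSubject:" in data[:4096]:
        return "RFC 822 mail text"
    if all(b < 0x80 for b in data):
        return "ASCII text"
    return "data"


def charset_aware_guess(data: bytes, declared_charset: str) -> str:
    """Validates the bytes against the charset the MIME part declares. A body
    that decodes cleanly and holds only printable text plus whitespace is
    text/plain whatever its first byte looks like; anything that fails to
    decode, or carries control characters, falls back to the magic guess."""
    try:
        text = codecs.decode(data, declared_charset)
    except (UnicodeDecodeError, LookupError):
        return magic_guess(data)
    if any(ord(ch) < 0x20 and ch not in "\r\n\t" for ch in text):
        return magic_guess(data)
    return f"text/plain; charset={declared_charset}"


# Constructed sample: the first kanji, 見, is 0x8C 0xA9 in Shift_JIS, so the
# extracted text part starts with the very byte the COM rule keys on.
BODY_SJIS = "見積書を添付します。\r\n".encode("shift_jis")

# The same body behind its headers, i.e. the "message" file MailScanner keeps
# alongside the extracted msg-NNN.txt part (constructed sample headers).
FULL_MESSAGE = (b"Return-Path: <sender@example.invalid>\r\n"
                b"Subject: quote\r\n"
                b"Content-Type: text/plain; charset=Shift_JIS\r\n\r\n"
                + BODY_SJIS)

# The workaround from the thread: a blank line moves the kanji off byte 0.
BODY_WITH_BLANK_LINE = b"\r\n" + BODY_SJIS

# A COM-style stub renamed .txt: 0xE9 JMP followed by bytes that are not
# valid Shift_JIS, so the charset check must still reject it.
COM_STUB = bytes([0xE9, 0x00, 0x00, 0xCD, 0x20])


def classify_samples() -> dict:
    """Runs both classifiers over the samples; keys mirror Peter's log."""
    return {
        "message": magic_guess(FULL_MESSAGE),
        "msg part, magic": magic_guess(BODY_SJIS),
        "msg part, charset-aware": charset_aware_guess(BODY_SJIS, "Shift_JIS"),
        "msg part, blank line first": magic_guess(BODY_WITH_BLANK_LINE),
        "COM stub, charset-aware": charset_aware_guess(COM_STUB, "Shift_JIS"),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28} -> {verdict}")
```

The "message" file is classified as mail because it begins with headers, while the extracted part begins with the kanji and trips the leading-byte rule, which is exactly the pair of verdicts in the quarantine log above. Rewriting the magic database (or wrapping the File Command) to hide the COM rule removes a real detection; matching on the declared MIME type and charset, as the comments in filetype.rules.conf describe for `file -i` output, keeps the COM rule and still lets the Japanese text through.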

