Filetype Checks: No executables on Japanese Emails

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jun 3 09:49:55 IST 2010


What did "file -i" on the msg*.txt file produce? If it's something nice 
like text/plain then
allow    -    text/plain    -    -
should do the trick.

On 03/06/2010 00:13, Peter Ong wrote:
> Hmm... I thought this worked, but it is not.
>
> p
> ----- Original Message -----
>
>> From: "Peter Ong"<peter.ong at hypermediasystems.com>
>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>> Sent: Wednesday, June 2, 2010 3:50:31 PM
>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>
>> I was going to add the -i too, but then I saw this:
>>
>> #
>> # NOTE: Fields are separated by TAB characters --- Important!
>> #
>> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
>> #           then log text, then user report text.
>> #
>> # The "email-addresses" can be a space or comma-separated list of email
>> # addresses. If the rule hits, the message will be sent to these address(es)
>> # instead of the original recipients.
>> #
>> # If none of the rules match, then the filetype is allowed.
>> #
>> # An optional fifth field can also be added before the "log text", which
>> # makes the checked text check against the MIME type of the attachment
>> # as determined by the output of the "file -i" command.
>>
>>
>> So, I just did this...
>>
>> allow   -       text    -       -
>> #EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
>> deny    -       x-dosexec       No DOS executables      No DOS programs allowed
>>
>>
>> ----- Original Message -----
>>
>>> From: "Alex Broens"<ms-list at alexb.ch>
>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>> Sent: Wednesday, June 2, 2010 2:03:46 PM
>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>
>>> On 2010-06-02 20:50, Peter Ong wrote:
>>>> Actually, I just figured it out. I looked in the filetyperules file
>>>> and the description gave me a clue of what to do. It worked.
>>>>
>>>> But yes, it's the first two bytes. I know only by man file. Hehehe
>>>
>>> My users get lots of these
>>>
>>> File Command = /usr/bin/file -i
>>>
>>> ( -i, --mime                 output mime type strings)
>>>
>>>
>>> fixed it elegantly without touching the magic strings.
>>> (thanks to a hint from the list archive)
>>>
>>> h2h
>>>
>>> Alex
>>>
>>>
>>>> ----- Original Message -----
>>>>
>>>>> From: "Alex Neuman"<alex at rtpty.com>
>>>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
>>>>> Sent: Wednesday, June 2, 2010 11:42:41 AM
>>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
>>>>>
>>>>> Can you tell which are the two bytes it thinks are indicators of a
>>>>> DOS COM file and fix the magic file?
>>>>>
>>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
>>>>>
>>>>>> Hello Everyone,
>>>>>>
>>>>>> How does one configure MailScanner such that this does not occur?
>>>>>>
>>>>>> Allow me to explain. The output below is the product of
>>>>>> /usr/bin/file. I like this feature because it lets us discover the
>>>>>> type of the file even if it is renamed to .txt. However, some
>>>>>> Japanese emails when they are written a certain way cause this:
>>>>>>
>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
>>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
>>>>>>
>>>>>> What happens is the file named message will be quarantined along
>>>>>> with msg-27972-9.txt which is actually the same message. When I run
>>>>>> /usr/bin/file on "message" it tells me it's an email text message.
>>>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
>>>>>> file. The /usr/bin/file command decides the filetype by looking at
>>>>>> the first 2 bytes of the file. To mitigate this, I have told users
>>>>>> to type an empty line or two blank spaces before they begin their
>>>>>> Japanese emails. However, this is not a graceful solution. Would
>>>>>> anyone have a better suggestion? Thank you.
>>>>>>
>>>>>> p
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
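To make the rule semantics in the quoted filetype.rules.conf comment block concrete, here is an added Python example (not MailScanner's own code) that parses rules in that TAB-separated layout and applies them first-match-wins against constructed `file` and `file -i` output strings. It assumes that a "-" in a regex field means that field is not tested; the sample outputs such as "DOS executable (COM)" and "text/plain; charset=iso-2022-jp" are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed rules in the filetype.rules.conf layout quoted in the thread:
# TAB-separated fields, action / regex / [MIME regex] / log text / report text.
# Reading "-" in a regex field as "this field is not tested" is an assumption
# of this example; the deny rules reuse log texts seen in the thread.
RULES_TEXT = (
    "# first matching rule wins; if none matches the filetype is allowed\n"
    "allow\t-\ttext/plain\t-\t-\n"
    "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n"
    "deny\texecutable\tNo executables\tNo programs allowed\n"
)

class Rule(NamedTuple):
    action: str
    file_re: Optional[re.Pattern]  # tested against plain `file` output
    mime_re: Optional[re.Pattern]  # tested against `file -i` output
    log_text: str
    report_text: str

def _compile(field: str) -> Optional[re.Pattern]:
    return None if field == "-" else re.compile(field, re.IGNORECASE)

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")  # TABs only; spaces are not separators
        if len(fields) == 4:       # action, regex, log text, report text
            action, f_re, log, rep = fields
            m_re = "-"
        elif len(fields) == 5:     # action, regex, MIME regex, log, report
            action, f_re, m_re, log, rep = fields
        else:
            raise ValueError(f"need 4 or 5 TAB-separated fields: {line!r}")
        rules.append(Rule(action.lower(), _compile(f_re), _compile(m_re), log, rep))
    return rules

def check_attachment(rules, file_out: str, mime_out: str):
    """(action, log_text) of the first rule whose tests all pass, else allow."""
    for r in rules:
        if r.file_re is not None and not r.file_re.search(file_out):
            continue
        if r.mime_re is not None and not r.mime_re.search(mime_out):
            continue
        return r.action, r.log_text
    return "allow", "-"
```

With these rules a body that plain `file` calls a DOS COM file is still allowed when `file -i` reports text/plain, because the allow rule is hit before the deny rules; if `file -i` reports application/x-dosexec, the second rule denies it.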


