Filetype Checks: No executables on Japanese Emails

Peter Ong peter.ong at hypermediasystems.com
Thu Jun 3 14:38:59 IST 2010


Hi Julian,

Thanks for the reply. I believe my mistake was to escape the "/". I did "allow - text\/plain". I never know when I'm supposed to use regex and when not to, and when it's the kind that requires escapes. Maybe this should be included in the descriptions above.

p

----- Original Message -----

> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, June 3, 2010 1:49:55 AM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
> 
> What did "file -i" on the msg*.txt file produce? If it's something
> nice like text/plain then
> allow    -    text/plain    -    -
> should do the trick.
> 
> On 03/06/2010 00:13, Peter Ong wrote:
> > Hmm... I thought this worked, but it is not.
> >
> > p
> > ----- Original Message -----
> >
> >> From: "Peter Ong"<peter.ong at hypermediasystems.com>
> >> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >> Sent: Wednesday, June 2, 2010 3:50:31 PM
> >> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>
> >> I was going to add the -i too, but then I saw this:
> >>
> >> #
> >> # NOTE: Fields are separated by TAB characters --- Important!
> >> #
> >> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
> >> #           then log text, then user report text.
> >> #
> >> # The "email-addresses" can be a space or comma-separated list of email
> >> # addresses. If the rule hits, the message will be sent to these address(es)
> >> # instead of the original recipients.
> >> #
> >> # If none of the rules match, then the filetype is allowed.
> >> #
> >> # An optional fifth field can also be added before the "log text", which
> >> # makes the checked text check against the MIME type of the attachment
> >> # as determined by the output of the "file -i" command.
> >>
> >>
> >> So, I just did this...
> >>
> >> allow   -       text    -       -
> >> #EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
> >> deny    -       x-dosexec       No DOS executables      No DOS programs allowed
> >>
> >>
> >> ----- Original Message -----
> >>
> >>> From: "Alex Broens"<ms-list at alexb.ch>
> >>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >>> Sent: Wednesday, June 2, 2010 2:03:46 PM
> >>> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>>
> >>> On 2010-06-02 20:50, Peter Ong wrote:
> >>>> Actually, I just figured it out. I looked in the filetyperules file
> >>>> and the description gave me a clue of what to do. It worked.
> >>>>
> >>>> But yes, it's the first two bytes. I know only by man file. Hehehe
> >>>>
> >>> My users get lots of these
> >>>
> >>> File Command = /usr/bin/file -i
> >>>
> >>> ( -i, --mime                 output mime type strings)
> >>>
> >>>
> >>> fixed it elegantly without touching the magic strings.
> >>> (thanks to a hint from the list archive)
> >>>
> >>> h2h
> >>>
> >>> Alex
> >>>
> >>>
> >>>> ----- Original Message -----
> >>>>
> >>>>> From: "Alex Neuman"<alex at rtpty.com>
> >>>>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >>>>> Sent: Wednesday, June 2, 2010 11:42:41 AM
> >>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>>>>
> >>>>> Can you tell which are the two bytes it thinks are indicators of
> >>>>> a DOS COM file and fix the magic file?
> >>>>>
> >>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> >>>>>
> >>>>>> Hello Everyone,
> >>>>>>
> >>>>>> How does one configure MailScanner such that this does not occur?
> >>>>>>
> >>>>>> Allow me to explain. The output below is the product of
> >>>>>> /usr/bin/file. I like this feature because it lets us discover the
> >>>>>> type of the file even if it is renamed to .txt. However, some
> >>>>>> Japanese emails when they are written a certain way cause this:
> >>>>>>
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
> >>>>>>
> >>>>>> What happens is the file named message will be quarantined along
> >>>>>> with msg-27972-9.txt which is actually the same message. When I run
> >>>>>> /usr/bin/file on "message" it tells me it's an email text message.
> >>>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
> >>>>>> file. The /usr/bin/file command decides the filetype by looking at
> >>>>>> the first 2 bytes of the file. To mitigate this, I have told users
> >>>>>> to type an empty line or two blank spaces before they begin their
> >>>>>> Japanese emails. However, this is not a graceful solution. Would
> >>>>>> anyone have a better suggestion? Thank you.
> >>>>>>
> >>>>>> p
> >>>>>> --
> >>>>>> MailScanner mailing list
> >>>>>> mailscanner at lists.mailscanner.info
> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>>>
> >>>>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>>>
> >>>>>> Support MailScanner development - buy the book off the website!
> 
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your
> boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
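The rule matching that Julian's reply and the filetype.rules.conf comment describe, as an added example that is not MailScanner's own code: a small Python emulation that parses the TAB-separated rules (four fields check the "file" description, five fields add a regex on the "file -i" MIME type, "-" switches a field off, the first matching rule decides, and no match means allow), rejects rules written with spaces instead of TABs, and runs a few constructed file(1) outputs through the rules from the thread. The sample file names and their outputs are constructed (the msg-27972-9.txt pair mirrors the thread's symptom and the premise of the fix: description says DOS COM, MIME says text/plain); case-insensitive regex matching, the tab-run collapsing and the probe_with_file helper are this example's assumptions, not documented MailScanner behaviour.

```python
# Added example, not MailScanner code: emulate filetype.rules.conf matching
# against the output of "file" and "file -i".
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rule set in the TAB-separated layout the config comment insists on.
# Fields: action, regex on "file" description, [regex on "file -i" MIME type],
# log text, user report text.  A "-" means "do not check this field".
RULES_TEXT = (
    "# action\tdescription regex\tMIME regex\tlog text\treport text\n"
    "allow\t-\ttext/plain\t-\t-\n"
    "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n"
    "deny\tself-extract\tNo self-extracting archives\tNo self-extracting archives allowed\n"
)


@dataclass
class Rule:
    action: str
    description_re: Optional[re.Pattern]  # None when the field is "-"
    mime_re: Optional[re.Pattern]         # None when absent or "-"
    log_text: str
    report_text: str


def _compile(field: str) -> Optional[re.Pattern]:
    # Assumption: a field is a case-insensitive regex searched within the output.
    return None if field == "-" else re.compile(field, re.IGNORECASE)


def parse_rules(text: str) -> List[Rule]:
    """Parse rules; raise ValueError for a line that is not 4 or 5 TAB-separated fields."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)  # runs of TABs used for alignment collapse
        if len(fields) == 4:
            action, desc, log_text, report_text = fields
            mime = "-"
        elif len(fields) == 5:
            action, desc, mime, log_text, report_text = fields
        else:
            # The usual cause is spaces instead of TABs between the fields.
            raise ValueError(
                f"line {lineno}: expected 4 or 5 TAB-separated fields, got {len(fields)}")
        rules.append(Rule(action, _compile(desc), _compile(mime), log_text, report_text))
    return rules


def check_attachment(rules: List[Rule], description: str, mime_type: str) -> Tuple[str, str]:
    """First rule whose checked fields all match decides; no match means allow."""
    for rule in rules:
        if rule.description_re is not None and not rule.description_re.search(description):
            continue
        if rule.mime_re is not None and not rule.mime_re.search(mime_type):
            continue
        return rule.action, rule.log_text
    return "allow", "no rule matched"


def probe_with_file(path: str) -> Tuple[str, str]:
    """Run the real file(1) twice (-b drops the file name, -i asks for MIME).
    Helper for local use only; the samples below do not need file(1) installed."""
    desc = subprocess.run(["file", "-b", path], capture_output=True,
                          text=True, check=True).stdout.strip()
    mime = subprocess.run(["file", "-b", "-i", path], capture_output=True,
                          text=True, check=True).stdout.strip()
    return desc, mime


# Constructed file(1) outputs.  The first pair mirrors the thread: the Japanese
# text body is described as a DOS COM program, while the -i form calls it text/plain.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "msg-27972-9.txt": ("DOS executable (COM)", "text/plain; charset=iso-2022-jp"),
    "setup.exe": ("PE32 executable (GUI) Intel 80386, for MS Windows", "application/x-dosexec"),
    "report.zip": ("Zip archive data, at least v2.0 to extract", "application/zip"),
}


def classify_samples(rules_text: str = RULES_TEXT) -> Dict[str, str]:
    """Verdict per sample file name under the given rules."""
    rules = parse_rules(rules_text)
    return {name: check_attachment(rules, desc, mime)[0]
            for name, (desc, mime) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

Swapping the two rules so the x-dosexec deny comes first changes nothing for these samples, because the deny only consults the MIME field; what matters is that an allow for text/plain exists at all, which is the point of Julian's one-line rule.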