Filetype Checks: No executables on Japanese Emails
Peter Ong
peter.ong at hypermediasystems.com
Thu Jun 3 15:08:25 IST 2010
Here's what I did... (these are tab separated, btw)
allow - text - -
allow - text/x-mail - -
allow - text/plain - -
allow - message/rfc822 - -
Here's what the configuration shows:
[root at gateway005.inf MailScanner]# grep bin\/file MailScanner.conf
File Command = /usr/bin/file
Furthermore,
[root at gateway005.inf ~]# service MailScanner reload
Reloading MailScanner workers:
MailScanner: [ OK ]
Outgoing postfix: [ OK ]
But just to get really serious,
[root at gateway005.inf ~]# service MailScanner restart
Shutting down MailScanner daemons:
MailScanner: [ OK ]
incoming postfix: [ OK ]
outgoing postfix: [ OK ]
Waiting for MailScanner to die gracefully ....5....0....5....0 dead.
Starting MailScanner daemons:
incoming postfix: [ OK ]
outgoing postfix: [ OK ]
MailScanner:
[ OK ]
Let me show you the message I'm about to release:
[root at gateway005.inf 490DC57284.A9461]# file -i msg-596-5.txt
msg-596-5.txt: text/x-mail; charset=utf-8
So now I'm releasing it:
[root at gateway005.inf 490DC57284.A9461]# sendmail -t -i < message
After releasing it, I get this in the logs:
[root at gateway005.inf 55E5157282.A9520]# grep 55E5157282.A9520 /var/log/maillog
Jun 3 06:57:48 gateway005 MailScanner[15406]: Filetype Checks: No executables (55E5157282.A9520 msg-15406-4.txt)
Jun 3 06:57:48 gateway005 MailScanner[15406]: Saved entire message to /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
Jun 3 06:57:48 gateway005 MailScanner[15406]: Saved infected "msg-15406-4.txt" to /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
Jun 3 06:57:49 gateway005 MailScanner[15406]: Requeue: 55E5157282.A9520 to 964B157280
I go into the /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520 and do this:
[root at gateway005.inf 55E5157282.A9520]# pwd
/var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
[root at gateway005.inf 55E5157282.A9520]# file -i msg-15406-4.txt
msg-15406-4.txt: text/x-mail; charset=utf-8
That's the same message.
b1beb5fc88372863f249d91a717bb9ee msg-596-5.txt
b1beb5fc88372863f249d91a717bb9ee msg-15406-4.txt
It appears that they are getting caught by the line:
deny executable No executables No programs allowed
What do I do? I need your help. Thank you.
p
----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, June 3, 2010 1:49:55 AM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
>
> What did "file -i" on the msg*.txt file produce? If it's something
> nice
> like text/plain then
> allow - text/plain - -
> should do the trick.
>
> On 03/06/2010 00:13, Peter Ong wrote:
> > Hmm... I thought this worked, but it is not.
> >
> > p
> > ----- Original Message -----
> >
> >
> >> From: "Peter Ong"<peter.ong at hypermediasystems.com>
> >> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >> Sent: Wednesday, June 2, 2010 3:50:31 PM
> >> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>
> >> I was going to add the -i too, but then I saw this:
> >>
> >> #
> >> # NOTE: Fields are separated by TAB characters --- Important!
> >> #
> >> # Syntax is allow/deny/deny+delete/email-addresses, then regular
> >> expression,
> >> # then log text, then user report text.
> >> #
> >> # The "email-addresses" can be a space or comma-separated list of
> >> email
> >> # addresses. If the rule hits, the message will be sent to these
> >> address(es)
> >> # instead of the original recipients.
> >> #
> >> # If none of the rules match, then the filetype is allowed.
> >> #
> >> # An optional fifth field can also be added before the "log text",
> >> which
> >> # makes the checked text check against the MIME type of the
> attachment
> >> # as determined by the output of the "file -i" command.
> >>
> >>
> >> So, I just did this...
> >>
> >> allow - text - -
> >> #EXAMPLE: deny - x-dosexec No DOS executables No
> DOS
> >> programs allowed
> >> deny - x-dosexec No DOS executables No DOS
> >> programs allowed
> >>
> >>
> >> ----- Original Message -----
> >>
> >>
> >>> From: "Alex Broens"<ms-list at alexb.ch>
> >>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >>> Sent: Wednesday, June 2, 2010 2:03:46 PM
> >>> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>>
> >>> On 2010-06-02 20:50, Peter Ong wrote:
> >>>
> >>>> Actually, I just figured it out. I looked in the filetyperules
> >>>>
> >> file
> >>
> >>>> and the description gave me a clue of what to do. It worked.
> >>>>
> >>>> But yes, it's the first two bytes. I know only by man file.
> Hehehe
> >>>>
> >>> My users get lots of these
> >>>
> >>> File Command = /usr/bin/file -i
> >>>
> >>> ( -i, --mime output mime type strings)
> >>>
> >>>
> >>> fixed it elegantly without touching the magic strings.
> >>> (thanks to a hint from the list archive)
> >>>
> >>> h2h
> >>>
> >>> Alex
> >>>
> >>>
> >>>
> >>>> ----- Original Message -----
> >>>>
> >>>>
> >>>>> From: "Alex Neuman"<alex at rtpty.com> To: "MailScanner
> discussion"
> >>>>> <mailscanner at lists.mailscanner.info> Sent: Wednesday, June 2,
> >>>>>
> >> 2010
> >>
> >>>>> 11:42:41 AM Subject: Re: Filetype Checks: No executables on
> >>>>> Japanese Emails
> >>>>>
> >>>>> Can you tell which are the two bytes it thinks are indicators
> of
> >>>>>
> >> a
> >>
> >>>>> DOS COM file and fix the magic file?
> >>>>>
> >>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> >>>>>
> >>>>>
> >>>>>> Hello Everyone,
> >>>>>>
> >>>>>> How does one configure MailScanner such that this does not
> >>>>>>
> >> occur?
> >>
> >>>>>>
> >>>>> Allow me to explain. The output below is the product of
> >>>>> /usr/bin/file. I like this feature because it let's us discover
> >>>>>
> >>> the
> >>>
> >>>>> type of the file even if it is renamed to .txt. However, some
> >>>>> Japanese emails when they are written a certain way cause this:
> >>>>>
> >>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Filetype
> Checks:
> >>>>>> No
> >>>>>>
> >>>>> executables (CBD9757287.ACE77 msg-27972-9.txt)
> >>>>>
> >>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved entire
> >>>>>> message
> >>>>>>
> >>>>> to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>
> >>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Saved infected
> >>>>>>
> >>>>> "msg-27972-9.txt" to
> >>>>> /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>
> >>>>>> Jun 2 11:08:29 gateway005 MailScanner[27972]: Requeue:
> >>>>>>
> >>>>> CBD9757287.ACE77 to 75104572B2
> >>>>>
> >>>>>> What happens is the file named message will be quarantined
> along
> >>>>>>
> >>>>> with msg-27972-9.txt which is actually the same message. When I
> >>>>>
> >>> run
> >>>
> >>>>> /usr/bin/file on "message" it tells me it's an email text
> >>>>>
> >>> message.
> >>>
> >>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS
> COM
> >>>>> file. The /usr/bin/file command decides the filetype by looking
> >>>>>
> >> at
> >>
> >>>>> the first 2 bytes of the file. To mitigate this, I have told
> >>>>>
> >> users
> >>
> >>>>> to type an empty line or two blank spaces before they begin
> their
> >>>>> japanese emails. However, this is not a graceful solution.
> Would
> >>>>> anyone have a better suggestion? Thank you.
> >>>>>
> >>>>>> p -- MailScanner mailing list
> mailscanner at lists.mailscanner.info
> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>>>
> >>>>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>>>
> >>>>>> Support MailScanner development - buy the book off the
> website!
> >>>>>>
> >>>>> -- MailScanner mailing list mailscanner at lists.mailscanner.info
> >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>>
> >>>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>>
> >>>>> Support MailScanner development - buy the book off the website!
> >>>>>
> >>> --
> >>> MailScanner mailing list
> >>> mailscanner at lists.mailscanner.info
> >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>
> >>> Before posting, read http://wiki.mailscanner.info/posting
> >>>
> >>> Support MailScanner development - buy the book off the website!
> >>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your
> boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list