Filetype Checks: No executables on Japanese Emails

Peter Ong peter.ong at hypermediasystems.com
Thu Jun 3 15:08:25 IST 2010


Here's what I did... (these are tab separated, btw)

allow   -       text    -       -
allow   -       text/x-mail     -       -
allow   -       text/plain      -       -
allow   -       message/rfc822  -       -

Here's what the configuration shows:
[root at gateway005.inf MailScanner]# grep bin\/file MailScanner.conf
File Command = /usr/bin/file

Furthermore,

[root at gateway005.inf ~]# service MailScanner reload
Reloading MailScanner workers:
         MailScanner:                                      [  OK  ]
    Outgoing postfix:                                      [  OK  ]

But just to get really serious,

[root at gateway005.inf ~]# service MailScanner restart
Shutting down MailScanner daemons:
         MailScanner:                                      [  OK  ]
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
Waiting for MailScanner to die gracefully ....5....0....5....0 dead.
Starting MailScanner daemons:
         incoming postfix:                                 [  OK  ]
         outgoing postfix:                                 [  OK  ]
         MailScanner:

                                                           [  OK  ]

Let me show you the message I'm about to release:
[root at gateway005.inf 490DC57284.A9461]# file -i msg-596-5.txt
msg-596-5.txt: text/x-mail; charset=utf-8

So now I'm releasing it:
[root at gateway005.inf 490DC57284.A9461]# sendmail -t -i < message

After releasing it, I get this in the logs:
[root at gateway005.inf 55E5157282.A9520]# grep 55E5157282.A9520 /var/log/maillog
Jun  3 06:57:48 gateway005 MailScanner[15406]: Filetype Checks: No executables (55E5157282.A9520 msg-15406-4.txt)
Jun  3 06:57:48 gateway005 MailScanner[15406]: Saved entire message to /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
Jun  3 06:57:48 gateway005 MailScanner[15406]: Saved infected "msg-15406-4.txt" to /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
Jun  3 06:57:49 gateway005 MailScanner[15406]: Requeue: 55E5157282.A9520 to 964B157280

I go into the /var/spool/MailScanner/quarantine/20100603/55E5157282.A9520 and do this:
[root at gateway005.inf 55E5157282.A9520]# pwd
/var/spool/MailScanner/quarantine/20100603/55E5157282.A9520
[root at gateway005.inf 55E5157282.A9520]# file -i msg-15406-4.txt
msg-15406-4.txt: text/x-mail; charset=utf-8

That's the same message.
b1beb5fc88372863f249d91a717bb9ee  msg-596-5.txt
b1beb5fc88372863f249d91a717bb9ee  msg-15406-4.txt

It appears that they are getting caught by the line:
deny    executable      No executables          No programs allowed

What do I do? I need your help. Thank you.

p
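A small model of the filetype rule matching this thread turns on (TAB-separated rules, the optional fifth MIME-type field, and the stock "deny executable" line), written as an added example; it is not code from the original post or from MailScanner. It assumes rules are tried top-down with the first match winning and that a "-" field imposes no constraint; the function names are mine, the sample rules come from the thread, and "DOS executable (COM)" is a constructed stand-in for the plain `file` output the poster describes.

```python
import re
from collections import namedtuple
# Modelling assumptions (not MailScanner's own code): fields are TAB separated,
# "-" imposes no constraint (stored as None), rules are tried top-down with the
# first match winning, and no match at all means the filetype is allowed.
# type_regex is matched against "file" output, mime_regex (the optional fifth
# field) against "file -i" output.
FiletypeRule = namedtuple("FiletypeRule",
                          "action type_regex mime_regex log_text report_text")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) == 4:
            action, type_re, log, report = fields
            mime_re = "-"
        elif len(fields) == 5:
            action, type_re, mime_re, log, report = fields
        else:
            raise ValueError(f"expected 4 or 5 TAB-separated fields: {line!r}")
        rules.append(FiletypeRule(action, None if type_re == "-" else type_re,
                                  None if mime_re == "-" else mime_re, log, report))
    return rules

def rule_matches(rule, file_out, mime_out):
    checks = []
    if rule.type_regex is not None:
        checks.append(re.search(rule.type_regex, file_out, re.I) is not None)
    if rule.mime_regex is not None:
        checks.append(re.search(rule.mime_regex, mime_out, re.I) is not None)
    return bool(checks) and all(checks)   # every stated constraint must hold

def check_attachment(rules, file_out, mime_out):
    """Return (action, log text) of the first matching rule, else allow."""
    for rule in rules:
        if rule_matches(rule, file_out, mime_out):
            return rule.action, rule.log_text
    return "allow", "no rule matched"

# Constructed samples: stock deny line and the poster's allow line in both
# orders; "file" / "file -i" outputs as described and quoted in the thread.
DENY_FIRST = "deny\texecutable\tNo executables\tNo programs allowed\nallow\t-\ttext\t-\t-\n"
ALLOW_FIRST = "allow\t-\ttext\t-\t-\ndeny\texecutable\tNo executables\tNo programs allowed\n"
FILE_OUT = "DOS executable (COM)"
MIME_OUT = "text/x-mail; charset=utf-8"
```

With DENY_FIRST the message is denied as "No executables" even though the allow line is present, and with ALLOW_FIRST it is allowed. Passing MIME_OUT as the plain `file` output too (what `File Command = /usr/bin/file -i` hands MailScanner) makes the deny line stop matching in either order.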



----- Original Message -----

> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, June 3, 2010 1:49:55 AM
> Subject: Re: Filetype Checks: No executables on Japanese Emails
> 
> What did "file -i" on the msg*.txt file produce? If it's something
> nice like text/plain then
> allow    -    text/plain    -    -
> should do the trick.
> 
> On 03/06/2010 00:13, Peter Ong wrote:
> > Hmm... I thought this worked, but it is not.
> >
> > p
> > ----- Original Message -----
> >
> >> From: "Peter Ong"<peter.ong at hypermediasystems.com>
> >> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >> Sent: Wednesday, June 2, 2010 3:50:31 PM
> >> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>
> >> I was going to add the -i too, but then I saw this:
> >>
> >> #
> >> # NOTE: Fields are separated by TAB characters --- Important!
> >> #
> >> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
> >> #           then log text, then user report text.
> >> #
> >> # The "email-addresses" can be a space or comma-separated list of email
> >> # addresses. If the rule hits, the message will be sent to these address(es)
> >> # instead of the original recipients.
> >> #
> >> # If none of the rules match, then the filetype is allowed.
> >> #
> >> # An optional fifth field can also be added before the "log text", which
> >> # makes the checked text check against the MIME type of the attachment
> >> # as determined by the output of the "file -i" command.
> >>
> >>
> >> So, I just did this...
> >>
> >> allow   -       text    -       -
> >> #EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
> >> deny    -       x-dosexec       No DOS executables      No DOS programs allowed
> >>
> >>
> >> ----- Original Message -----
> >>
> >>> From: "Alex Broens"<ms-list at alexb.ch>
> >>> To: "MailScanner discussion"<mailscanner at lists.mailscanner.info>
> >>> Sent: Wednesday, June 2, 2010 2:03:46 PM
> >>> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>>
> >>> On 2010-06-02 20:50, Peter Ong wrote:
> >>>> Actually, I just figured it out. I looked in the filetyperules file
> >>>> and the description gave me a clue of what to do. It worked.
> >>>>
> >>>> But yes, it's the first two bytes. I know only by man file. Hehehe
> >>> My users get lots of these
> >>>
> >>> File Command = /usr/bin/file -i
> >>>
> >>> ( -i, --mime                 output mime type strings)
> >>>
> >>>
> >>> fixed it elegantly without touching the magic strings.
> >>> (thanks to a hint from the list archive)
> >>>
> >>> h2h
> >>>
> >>> Alex
> >>>
> >>>
> >>>> ----- Original Message -----
> >>>>
> >>>>> From: "Alex Neuman"<alex at rtpty.com>
> >>>>> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> >>>>> Sent: Wednesday, June 2, 2010 11:42:41 AM
> >>>>> Subject: Re: Filetype Checks: No executables on Japanese Emails
> >>>>>
> >>>>> Can you tell which are the two bytes it thinks are indicators of
> >>>>> a DOS COM file and fix the magic file?
> >>>>>
> >>>>> On Jun 2, 2010, at 1:31 PM, Peter Ong wrote:
> >>>>>
> >>>>>> Hello Everyone,
> >>>>>>
> >>>>>> How does one configure MailScanner such that this does not occur?
> >>>>>> Allow me to explain. The output below is the product of
> >>>>>> /usr/bin/file. I like this feature because it lets us discover the
> >>>>>> type of the file even if it is renamed to .txt. However, some
> >>>>>> Japanese emails when they are written a certain way cause this:
> >>>>>>
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Filetype Checks: No executables (CBD9757287.ACE77 msg-27972-9.txt)
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved entire message to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Saved infected "msg-27972-9.txt" to /var/spool/MailScanner/quarantine/20100602/CBD9757287.ACE77
> >>>>>> Jun  2 11:08:29 gateway005 MailScanner[27972]: Requeue: CBD9757287.ACE77 to 75104572B2
> >>>>>>
> >>>>>> What happens is the file named message will be quarantined along
> >>>>>> with msg-27972-9.txt which is actually the same message. When I run
> >>>>>> /usr/bin/file on "message" it tells me it's an email text message.
> >>>>>> But when I run it on msg-27972-9.txt it tells me it is a DOS COM
> >>>>>> file. The /usr/bin/file command decides the filetype by looking at
> >>>>>> the first 2 bytes of the file. To mitigate this, I have told users
> >>>>>> to type an empty line or two blank spaces before they begin their
> >>>>>> Japanese emails. However, this is not a graceful solution. Would
> >>>>>> anyone have a better suggestion? Thank you.
> >>>>>>
> >>>>>> p
> >>>>>> --
> >>>>>> MailScanner mailing list
> >>>>>> mailscanner at lists.mailscanner.info
> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>>>
> >>>>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>>>
> >>>>>> Support MailScanner development - buy the book off the website!
> 
> Jules
> 
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

