Filetype Checks: No executables on Greek Emails

Glenn Steen glenn.steen at gmail.com
Fri Apr 5 09:54:22 IST 2013


I'm guessing that you have

ClamAV Full Message Scan = yes
set in MailScanner.conf ... This will make MailScanner "unpack" the body of
the email as a file in the directory presented to ClamAV for scanning
(other AVs don't seem to need this "help"). The goal is to catch malware
that isn't "properly" encoded, but rather just dumped in the message body.
For non-English locales, especially Greek and Russian locales, this can be
... less than fortunate, since the "body file" will be present when the
file command is run on the directory, and the file command has some very
naive one byte magic detection "strings" that will interpret common Greek
(or Russian KOI-8) characters as being the start of an MS-DOS executable
(COM-files et al).
When the message is quarantined, the "whole message file" (including
headers) is stored in the quarantine (not the file containing just the
body), so a simplistic "file message" command will not show the root cause.
You need to make a copy of that file and manually remove all the headers (and
the blank line separating the headers from the body), then run the file (and
file -i) command on that to see the gory details:).

Provided one has the file -i column in filetypes.rules.conf (it is an
optional fifth column, meaning that you likely don't have it and need to add
it yourself... The columns are <TAB> -separated!), you can use the file -i
commands "findings" in that column, for the line that triggers the
blocking.... Having lines with file -i "syntax" will make the file -i take
precedence ... I think, at least.
The common practice of changing the "File Command = " setting to the file
-i command is perhaps less work, but it is also less secure, since the
string matching on the result may be even less reliable than usual. Then
again, file type checking is more of an art than a science:-):-).

As I'm sure you've noticed, this isn't a new problem, it has been with
MailScanner for quite a few years (if not since the very beginning). The
methods for fixing the problem have varied over the years (editing the magic
file, reporting it to the file command maintainers as a bug, using file -i
straight up etc), but the interface Jules has provided is actually the very
best imaginable, so do explore that... In a stock filetype.rules.conf file
there is even an example for the DOS executables that file -i might find
(hopefully a bit more securely than the plain file command... Though the
commands are actually one and the same, the -i uses a different magic file,
not just different descriptive strings).

Changing the ClamAV setting shown above to "no" will make this problem a
lot less common (read: go away completely:-), as well, so that might be
another very viable option... If you use more than one AV, you don't lose
that much security by doing so.

Cheers!
-- 
-- Glenn

On 22 Mar 2013 16:40, "Nikolaos Pavlidis" <Nikolaos.Pavlidis at beds.ac.uk> wrote:

> Hello all,
>
> I'm having an issue with MailScanner which weirdly enough has already been
> discussed here
>
> http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results
>
> The problem is:
>
> Mar 22 15:00:18 smtp1 MailScanner[17935]: Filetype Checks: No executables
> (r2JAPluH011324 )
> Mar 22 15:00:46 smtp1 MailScanner[17935]: Saved entire message to
> /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
>
> And:
>
> [root at smtp1 r2JAPluH011324]# pwd
> /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324
> [root at smtp1 r2JAPluH011324]# ll
> total 28K
> -rw------- 1 root root  22K Mar 22 15:00 dfr2JAPluH011324
> -rw------- 1 root root 3.7K Mar 22 15:00 qfr2JAPluH011324
> [root at smtp1 r2JAPluH011324]# file -i *
> dfr2JAPluH011324: text/plain; charset=us-ascii
> qfr2JAPluH011324: text/plain; charset=unknown
>
> But I have also added the lines suggested in the previous thread so my
> filetype.rules.conf looks like:
>
> <snip>
> allow   text            -                       -
> allow   -       text/plain      -                       -
> allow   -       text/x-mail     -                       -
> allow   -       message/rfc822  -                       -
> allow   \bscript        -                       -
> allow   archive         -                       -
> allow   postscript      -                       -
> deny    self-extract    No self-extracting archives     No self-extracting archives allowed
> deny    executable      No executables          No programs allowed
> <snip>
>
> I have restarted mailscanner before re-queuing the message but always the
> same result...
>
> Any ideas/recommendations would be much appreciated,
>
> Kind regards,
>
> Nik
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
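The manual check Glenn describes (copy the quarantined message, strip the headers and the separating blank line, then run file and file -i on the body alone) as an added shell example; this is not from the list post or from MailScanner, and the sample message and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing list post. Assumes POSIX sh, awk and
# file(1). MailScanner quarantines the whole message (headers included), so
# running file on the quarantine file hides the body-only result that the
# filetype check actually saw.

# Print everything after the first blank line (the RFC 822 header/body separator).
strip_headers() {
    awk 'body { print; next } { sub(/\r$/, "") } /^$/ { body = 1 }' "$1"
}

# Constructed sample: a short Greek-text body, like the reported false positive.
make_sample() {
    printf 'From: sender@example.invalid\nSubject: test\n\nΚαλημέρα\n' > "$1"
}

# Write the body to a copy, show what file and file -i make of it, and print
# the path of the body copy as the last line.
inspect_body() {
    msg="$1"
    body="${msg}.body"
    strip_headers "$msg" > "$body"
    if command -v file >/dev/null 2>&1; then
        printf 'file:    '; file -b "$body"
        printf 'file -i: '; file -bi "$body"
    fi
    echo "$body"
}
```

Point it at a quarantined message such as /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324/dfr2JAPluH011324 to see the body-only verdict; the file -i line is what goes into the optional fifth column of filetype.rules.conf.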