Issue with MailScanner not blocking incoming attachments that SHOULD be denied.
Jason Young
jyoung71 at gmail.com
Thu Nov 14 01:24:50 GMT 2013
Hi Mark,
The file is a Windows executable ... I have tried a .exe and now also a .com
file with the same result (mail is not blocked / quarantined).
I put the test files onto the centos box and ran the "file" & "file -i"
command over them
[root@mailscanner ~]# file test.exe
test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
[root@mailscanner ~]# file test.com
test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
[root@mailscanner ~]# file -i test.com
test.com: application/octet-stream; charset=binary
[root@mailscanner ~]# file -i test.exe
test.exe: application/octet-stream; charset=binary
I had read on a forum somewhere that someone recommended changing the
MailScanner.conf file command to file -i, but it does not seem to make any
difference.
There does not seem to be anything in the headers about a .exe or anything
about attachments. But Outlook knows there is a .exe or .com attachment and
it blocks it with itself.
Regards
Jason Young
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Thursday, 14 November 2013 10:25 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Issue with MailScanner not blocking incoming attachments that
SHOULD be denied.
On 11/13/2013 03:35 PM, Jason Young wrote:
>
> My testing has so far been to use an external mail server to send an
> attached windows executable file (.exe) to an internal exchange
> account. I have tried both using an outlook external client and also
> a native Linux based web client with the same result (i.e. the exe
> file is delivered to the exchange account).
Is the file actually a DOS executable file, i.e., what does the CentOS
'file' command say it is?
> And the email that arrives has the following header (extract):
>
>
>
> Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"
And what are the part headers for the attached file? I.e. does it have a
name and does the name end in .exe?
> Running MailScanner -lint gives the following output :
...
> ======================================================================
> =====
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
Here MailScanner recognizes a .com. Have you tried a .com in your testing?
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan