Issue with MailScanner not blocking incoming attachments that SHOULD be denied.

Jason Young jyoung71 at gmail.com
Thu Nov 14 01:24:50 GMT 2013


Hi Mark,

The file is a Windows executable ... I have tried a .exe and now also a .com
file with the same result (mail is not blocked / quarantined).

I put the test files onto the CentOS box and ran the "file" & "file -i"
commands over them:

[root at mailscanner ~]# file test.exe
test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
[root at mailscanner ~]# file test.com
test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
[root at mailscanner ~]# file -i test.com
test.com: application/octet-stream; charset=binary
[root at mailscanner ~]# file -i test.exe
test.exe: application/octet-stream; charset=binary

I had read on a forum somewhere that someone recommended changing the
MailScanner.conf file command to file -i, but it does not seem to make any
difference.

There does not seem to be anything in the headers about a .exe or anything
about attachments.  But Outlook knows there is a .exe or .com attachment and
it blocks it by itself.

Regards

Jason Young

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Thursday, 14 November 2013 10:25 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Issue with MailScanner not blocking incoming attachments that
SHOULD be denied.

On 11/13/2013 03:35 PM, Jason Young wrote:
> 
> My testing has so far been to use an external mail server to send an 
> attached windows executable file (.exe) to an internal exchange 
> account.  I have tried both using an outlook external client and also 
> a native Linux based web client with the same result (i.e. the exe 
> file is delivered to the exchange account).


Is the file actually a DOS executable file, i.e., what does the CentOS
'file' command say it is?


> And the email that arrives has the following header (extract):
> 
>  
> 
> Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"


And what are the part headers for the attached file? I.e. does it have a
name and does the name end in .exe?


> Running MailScanner -lint gives the following output :
...
> ======================================================================
> =====
> 
> Filename Checks: Windows/DOS Executable (1 eicar.com)


Here MailScanner recognizes a .com. Have you tried a .com in your testing?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
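
Added example, not part of the original thread: a small Python script that answers the question above about part headers by listing each MIME part's declared type and filename and checking the decoded body for the "MZ" magic that DOS/PE executables start with. The sample message, addresses and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".com")  # the two extensions tested in this thread


def build_sample() -> bytes:
    """Constructed test message: a .com attachment whose body starts with 'MZ'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"   # constructed address
    msg["To"] = "user@example.com"       # constructed address
    msg["Subject"] = "attachment test"
    msg.set_content("see attachment")
    # 64 constructed bytes: 'MZ' header magic followed by padding, not a real program
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="test.com")
    return msg.as_bytes()


def inspect_parts(raw: bytes):
    """Return one dict per leaf MIME part with the fields a filename or
    filetype rule would have to match on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no file content themselves
        name = part.get_filename()
        body = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        report.append({
            "content_type": part.get_content_type(),
            "disposition": part.get_content_disposition(),
            "filename": name,
            "exec_extension": bool(name) and name.lower().endswith(EXEC_EXTENSIONS),
            "mz_magic": body[:2] == b"MZ",
        })
    return report


if __name__ == "__main__":
    for entry in inspect_parts(build_sample()):
        print(entry)
```

To check a real delivery, pass the bytes of the raw message as saved to disk to inspect_parts() instead of build_sample(). A part with mz_magic True but no filename would explain a filename rule not firing.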