Issue with MailScanner not blocking incoming attachments that SHOULD be denied.

Mark Sapiro mark at msapiro.net
Thu Nov 14 06:52:03 GMT 2013


On 11/13/2013 05:24 PM, Jason Young wrote:
> 
> The file is a windows executable ... I have tried a .exe and now also a .com
> file with the same result (mail is not blocked / quarantined).
> 
> I put the test files onto the centos box and ran the "file" & "file -i"
> command over them
> 
> [root at mailscanner ~]# file test.exe
> test.exe: PE32+ executable for MS Windows (console) Mono/.Net assembly
> [root at mailscanner ~]# file test.com
> test.com: PE32 executable for MS Windows (console) Intel 80386 32-bit
> [root at mailscanner ~]# file -i test.com
> test.com: application/octet-stream; charset=binary
> [root at mailscanner ~]# file -i test.exe
> test.exe: application/octet-stream; charset=binary
> 
> I had read on a forum somewhere that someone recommended changing the
> MailScanner.conf file command to file -i .. But it does not seem to make any
> difference.


It makes a difference in what is reported. I.e., file reports the files
as executable which matches 'deny executable' in filetype.rules.conf,
but file -i reports them as application/octet-stream which is not
mentioned in filetype.rules.conf and thus allowed.

man file says in part

-i, --mime
       Causes the file command to output mime type strings rather than
       the more traditional human  readable  ones.  Thus  it  may  say
       ‘‘text/plain;  charset=us-ascii’’  rather  than ‘‘ASCII text’’.


> There does not seem to be anything in the headers about a .exe or anything
> about attachments.  But outlook knows there is a .exe or .com attachment and
> it blocks it with itself.


The original headers you posted contained

>> Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

If you examine the raw message body of that message, you should see
things like

------=_20131114101356_40730
Content-Type: text/plain; charset="..."

 (message 'body')

------=_20131114101356_40730
Content-Type: application/octet-stream; name="xxx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xxx.exe"

  (base 64 encoded data)
------=_20131114101356_40730--

What do those Content-Type: and Content-Disposition: headers look like
for your attached file? (Sorry, I can't tell you how to view the raw
message in Outlook.)

If they do have the expected .exe or .com extension, then I don't know
what the problem might be.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
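
Added example, not part of the original message or of MailScanner's code: a Python sketch that lists the Content-Type and Content-Disposition of each MIME part in a raw message, and shows why the two `file` outputs quoted in the thread get different results from a 'deny executable' rule. The sample message, the `list_parts` and `verdict` names, and the simplified rule model (regex, first match wins, no match means allowed) are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample shaped like the raw body described in the reply above.
# The base64 payload is only the two bytes "MZ", not a real program.
RAW = """\
From: sender@example.com
To: rcpt@example.com
Subject: attachment test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_20131114101356_40730"

------=_20131114101356_40730
Content-Type: text/plain; charset="us-ascii"

(message body)

------=_20131114101356_40730
Content-Type: application/octet-stream; name="xxx.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="xxx.exe"

TVo=
------=_20131114101356_40730--
"""

def list_parts(raw):
    """Return (content_type, disposition, filename) for every leaf MIME part."""
    msg = message_from_string(raw)
    return [(p.get_content_type(), p.get_content_disposition(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]

# Simplified model of a filetype rule list (assumption): only the
# 'deny executable' entry is taken from the thread.
RULES = [("deny", re.compile(r"executable"))]

def verdict(file_output, rules=RULES):
    """Apply the first rule whose regex matches the file(1) description."""
    for action, pattern in rules:
        if pattern.search(file_output):
            return action
    return "allow"

# The two descriptions of test.exe quoted in the thread.
FILE_PLAIN = "PE32+ executable for MS Windows (console) Mono/.Net assembly"
FILE_MIME = "application/octet-stream; charset=binary"

if __name__ == "__main__":
    for part in list_parts(RAW):
        print(part)
    print("file   :", verdict(FILE_PLAIN))
    print("file -i:", verdict(FILE_MIME))
```
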

