Filename Restrictions Not working

James Nelson James.Nelson at vgt.net
Fri Feb 13 21:54:02 GMT 2015


Additional details:  Running on CentOS 6.6, MTA is Postfix.  I've covered all of the settings in MailScanner.conf that seem to be pertinent: scanning is enabled, proper location for /usr/bin/file, which I can run against the files being allowed through, to the expected result.  If I run a MailScanner -lint, I don't see any mention made of the attachment rules being read, but that may be by design.

filename.rules.conf

#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/rename/rename to replacement-text/email-addresses,
#           then regular expression,
#           then log text,
#           then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

# If a rule is a "rename" rule, then the attachment filename will be renamed
# according to the "Default Rename Pattern" setting in MailScanner.conf.
# If a rule is a "rename" rule and the "to replacement-text" is supplied, then
# the text matched by the regular expression in the 2nd field of the line
# will be replaced with the "replacement-text" string.
# For example, the rule
# rename to .ppt        \.pps$  Renamed .pps to .ppt    Renamed .pps to .ppt
# will find all filenames ending in ".pps" and rename them so they end in
# ".ppt" instead.

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny    .{150,}                 Very long filename, possible OE attack                                          Very long filenames are good signs of attacks against Microsoft e-mail packages

# JKF 10/08/2007 Adobe Acrobat nastiness
rename  \.fdf$                  Dangerous Adobe Acrobat data-file                                            Opening this file can cause auto-loading of any file from the internet

# JKF 04/01/2005 More Microsoft security vulnerabilities
deny    \.ico$                  Windows icon file security vulnerability                                   Possible buffer overflow in Windows
deny    \.ani$                  Windows animated cursor file security vulnerability                           Possible buffer overflow in Windows
deny    \.cur$                  Windows cursor file security vulnerability                                   Possible buffer overflow in Windows
#deny   \.hlp$                  Windows help file security vulnerability                                   Possible buffer overflow in Windows

# These 4 are well known viruses.
deny    pretty\s+park\.exe$     "Pretty Park" virus                                                           "Pretty Park" virus
deny    happy99\.exe$           "Happy" virus                                                                   "Happy" virus
deny    \.ceo$          WinEvar virus attachment                                                      Often used by the WinEvar virus
deny    webpage\.rar$   I-Worm.Yanker virus attachment                                                      Often used by the I-Worm.Yanker virus

# JKF 08/07/2005 Several virus scanners may miss this one
deny    \.cab$                  Possible malicious Microsoft cabinet file                                    Cabinet files may hide viruses

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow   \.xml\d*\.rel$          -       -
allow   \.x\d+\.rel$            -       -
allow   \.rtf$                  -       -

# These are known to be mostly harmless.
allow   \.jpg$                  -       -
allow   \.gif$                  -       -
# .url is arguably dangerous, but I can't just ban it...
allow   \.url$                  -       -
allow   \.vcf$                  -       -
allow   \.txt$                  -       -
deny    \.zip$                  -       -
allow   \.t?gz$                 -       -
allow   \.bz2$                  -       -
allow   \.Z$                    -       -
allow   \.rpm$                  -       -
# PGP and GPG
allow   \.gpg$                  -       -
allow   \.pgp$                  -       -
allow   \.sig$                  -       -
allow   \.asc$                  -       -
# Macintosh archives
allow   \.hqx$                  -       -
allow   \.sit.bin$              -       -
allow   \.sea$                  -       -
# Backup files
allow   \.bak$                  -       -
# And TeX and LaTeX are harmless AFAIK
allow   \.tex$                  -       -

# These are known to be dangerous in almost all cases.
deny    \.reg$          Possible Windows registry attack                                          Windows registry entries are very dangerous in email
deny    \.chm$          Possible compiled Help file-based virus                                           Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny    \.cnf$          Possible SpeedDial attack                                                  SpeedDials are very dangerous in email
deny    \.hta$          Possible Microsoft HTML archive attack                                          HTML archives are very dangerous in email
deny    \.ins$          Possible Microsoft Internet Comm. Settings attack                          Windows Internet Settings are dangerous in email
deny    \.jse?$         Possible Microsoft JScript attack                                          JScript Scripts are dangerous in email
deny    \.job$          Possible Microsoft Task Scheduler attack                                  Task Scheduler requests are dangerous in email
deny    \.lnk$          Possible Eudora *.lnk security hole attack                                  Eudora *.lnk security hole attack
# Removed ".mat" from next line as widely used by Matlab
deny    \.ma[dfgmqrsvw]$        Possible Microsoft Access Shortcut attack                          Microsoft Access Shortcuts are dangerous in email
deny    \.pif$          Possible MS-Dos program shortcut attack                                          Shortcuts to MS-Dos programs are very dangerous in email
deny    \.scf$          Possible Windows Explorer Command attack                                  Windows Explorer Commands are dangerous in email
deny    \.sct$          Possible Microsoft Windows Script Component attack                          Windows Script Components are dangerous in email
deny    \.shb$          Possible document shortcut attack                                          Shortcuts Into Documents are very dangerous in email
deny    \.shs$          Possible Shell Scrap Object attack                                          Shell Scrap Objects are very dangerous in email
deny    \.vb[es]$       Possible Microsoft Visual Basic script attack                                  Visual Basic Scripts are dangerous in email
deny    \.ws[cfh]$      Possible Microsoft Windows Script Host attack                                  Windows Script Host files are dangerous in email
deny    \.xnk$          Possible Microsoft Exchange Shortcut attack                                  Microsoft Exchange Shortcuts are dangerous in email

# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny    \.cer$          Dangerous Security Certificate (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.its$          Dangerous Internet Document Set (according to Microsoft)                      Dangerous attachment according to Microsoft Q883260
deny    \.mau$          Dangerous attachment type (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.md[az]$       Dangerous attachment type (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.prf$          Dangerous Outlook Profile Settings (according to Microsoft)                      Dangerous attachment according to Microsoft Q883260
deny    \.pst$          Dangerous Office Data File (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
#deny   \.tmp$          Dangerous Temporary File (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.vsmacros$     Dangerous Visual Studio Macros (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.vs[stw]$      Dangerous attachment type (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260
deny    \.ws$           Dangerous Windows Script (according to Microsoft)                              Dangerous attachment according to Microsoft Q883260


# These 2 added by popular demand - Very often used by viruses
deny    \.com$          Windows/DOS Executable                                                              Executable DOS/Windows programs are dangerous in email
deny    \.exe$          Windows/DOS Executable                                                              Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny    \.scr$          Possible virus hidden in a screensaver                                             Windows Screensavers are often used to hide viruses
deny    \.bat$          Possible malicious batch file script                                          Batch files are often malicious
deny    \.cmd$          Possible malicious batch file script                                          Batch files are often malicious
deny    \.cpl$          Possible malicious control panel item                                            Control panel items are often used to hide viruses
deny    \.mhtml$        Possible Eudora meta-refresh attack                                          MHTML files can be used in an attack against Eudora

# Deny filenames containing CLSID's
deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type                            Files containing  CLSID's are trying to hide their real type

# Deny filenames with lots of contiguous white space in them.
deny    \s{10,}         Filename contains lots of white space                                           A long gap in a name is often used to hide part of it

# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$      -       -

# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow   \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$   -       -
allow   \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$  -       -

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding                          Attempt to hide real filename extension


filetype.rules.conf:

#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
#           then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
#
# If none of the rules match, then the filetype is allowed.
#
# An optional fifth field can also be added before the "log text", which
# makes the checked text check against the MIME type of the attachment
# as determined by the output of the "file -i" command.

allow   text            -                       -
allow   \bscript        -                       -
allow   archive         -                       -
allow   postscript      -                       -
deny    self-extract    No self-extracting archives     No self-extracting archives allowed
deny    executable      No executables          No programs allowed
#EXAMPLE: deny  -       x-dosexec       No DOS executables      No DOS programs allowed
deny    ELF             No executables          No programs allowed
deny    Registry        No Windows Registry entries     No Windows Registry files allowed

#deny   MPEG            No MPEG movies          No MPEG movies allowed
#deny   AVI             No AVI movies           No AVI movies allowed
#deny   MNG             No MNG/PNG movies       No MNG movies allowed
#deny   QuickTime       No QuickTime movies     No QuickTime movies allowed
#deny   ASF             No Windows media        No Windows media files allowed
#deny   metafont        No Windows Metafont drawings    No WMF drawings allowed


From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
Sent: Friday, February 13, 2015 2:35 PM
To: mailscanner at lists.mailscanner.info
Subject: Filename Restrictions Not working

Hello,

I am having an issue where none of my filetype rules seem to be working.  I can send a test message with something as clearly dangerous as a .bat or .scr file, and MailScanner allows it through regardless.  My filetype.rules.conf and filename.rules.conf (and their archive counterparts) are in their default state, and my Mail.conf points to the rules files in %rules-dir% appropriate for each section.  The rules files are tabbed properly, with a simple:
FromOrTo:          default /etc/MailScanner/filename.rules.conf

No matter what I've tried, MailScanner still allows everything through, even if I explicitly deny a file type in Mail.conf (without using a ruleset).

Any suggestions?
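A small checker, added here and not part of MailScanner or of this thread, that reads rules in the tab-separated format of filename.rules.conf shown above, flags lines whose fields are not TAB-separated (the mistake the file's own NOTE warns about), and reports which rule a given filename would hit, first match winning. It assumes case-insensitive matching and tolerates runs of tabs between fields; the embedded rule text is a constructed sample copied from the posted file.

```python
import re

# Constructed sample in the tab-separated format of filename.rules.conf.
# The last line uses spaces instead of tabs, the error the file's NOTE warns about.
SAMPLE_RULES = (
    "# comment line\n"
    "deny\t\\.bat$\tPossible malicious batch file script\tBatch files are often malicious\n"
    "deny\t\\.scr$\t\tPossible virus hidden in a screensaver\tWindows Screensavers are often used to hide viruses\n"
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension\n"
    "allow   \\.txt$   -   -\n"
)


def parse_rules(text):
    """Return (rules, problems).

    Each rule is (action, compiled regex, log text). Lines that are not
    TAB-separated are reported in problems and not used, so a silently
    ignored rule cannot masquerade as a working one.
    """
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)          # runs of tabs separate fields
        if len(fields) < 3:
            problems.append((lineno, "fields not separated by TAB characters"))
            continue
        action, pattern, logtext = fields[0], fields[1], fields[2]
        try:
            # Assumption: MailScanner matches filename rules case-insensitively.
            rules.append((action, re.compile(pattern, re.IGNORECASE), logtext))
        except re.error as exc:
            problems.append((lineno, f"bad regular expression: {exc}"))
    return rules, problems


def check_filename(name, rules):
    """Return (action, log text) of the first rule matching the attachment name.

    With no match the attachment is allowed, which is the default behaviour
    described in the rules files.
    """
    for action, regex, logtext in rules:
        if regex.search(name):
            return action, logtext
    return "allow", "no rule matched"
```

Running check_filename over names such as "invoice.bat" or "notes.txt.exe" shows which deny rule fires, while the space-separated .txt line is reported as a problem instead of being treated as a rule.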



