Filename Restrictions Not working
Kevin Miller
kevin.miller at juneau.org
Fri Feb 13 22:31:45 GMT 2015
Just a swag, but you've stopped the Postfix daemon and took it out of the startup config, right? I use sendmail, not Postfix (yet), but sometimes an upgrade would put sendmail back into the startup routines, and I'd have mail coming in via sendmail that bypasses MailScanner.
It may not be the case here, but easy enough to double-check...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
Sent: Friday, February 13, 2015 12:54 PM
To: MailScanner discussion
Subject: RE: Filename Restrictions Not working
Additional details: Running on CentOS 6.6, MTA is Postfix. I've covered all of the settings in MailScanner.conf that seem to be pertinent-scanning is enabled, proper location for /usr/bin/file, which I can run against the files being allowed through, to the expected result. If I run a MailScanner -lint , I don't see any mention made of the attachment rules being read, but that may be by design.
filename.rules.conf
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/rename/rename to replacement-text/email-addresses,
# then regular expression,
# then log text,
# then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
# If a rule is a "rename" rule, then the attachment filename will be renamed
# according to the "Default Rename Pattern" setting in MailScanner.conf.
# If a rule is a "rename" rule and the "to replacement-text" is supplied, then
# the text matched by the regular expression in the 2nd field of the line
# will be replaced with the "replacement-text" string.
# For example, the rule
# rename to .ppt \.pps$ Renamed .pps to .ppt Renamed .pps to .ppt
# will find all filenames ending in ".pps" and rename them so they end in
# ".ppt" instead.
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
# JKF 10/08/2007 Adobe Acrobat nastiness
rename \.fdf$ Dangerous Adobe Acrobat data-file Opening this file can cause auto-loading of any file from the internet
# JKF 04/01/2005 More Microsoft security vulnerabilities
deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
#deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
# These 4 are well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
# JKF 08/07/2005 Several virus scanners may miss this one
deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses
# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow \.xml\d*\.rel$ - -
allow \.x\d+\.rel$ - -
allow \.rtf$ - -
# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
deny \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sig$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -
# Backup files
allow \.bak$ - -
# And TeX and LaTeX are harmless AFAIK
allow \.tex$ - -
# These are known to be dangerous in almost all cases.
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
# Removed ".mat" from next line as widely used by Matlab
deny \.ma[dfgmqrsvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
#deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -
# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -
allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
filetype.rules.conf:
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
# then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.
#
# If none of the rules match, then the filetype is allowed.
#
# An optional fifth field can also be added before the "log text", which
# makes the checked text check against the MIME type of the attachment
# as determined by the output of the "file -i" command.
allow text - -
allow \bscript - -
allow archive - -
allow postscript - -
deny self-extract No self-extracting archives No self-extracting archives allowed
deny executable No executables No programs allowed
#EXAMPLE: deny - x-dosexec No DOS executables No DOS programs alloweddeny ELF No executables No programs allowed
deny Registry No Windows Registry entries No Windows Registry files allowed
#deny MPEG No MPEG movies No MPEG movies allowed
#deny AVI No AVI movies No AVI movies allowed
#deny MNG No MNG/PNG movies No MNG movies allowed
#deny QuickTime No QuickTime movies No QuickTime movies allowed
#deny ASF No Windows media No Windows media files allowed
#deny metafont No Windows Metafont drawings No WMF drawings allowed
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
Sent: Friday, February 13, 2015 2:35 PM
To: mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
Subject: Filename Restrictions Not working
Hello,
I am having an issue where none of my filetype rules seem to be working. I can send a test message with something as clearly dangerous as a .bat or .scr file, and MailScanner allows it through regardless. My filetype.rules.conf and filename.rules.conf (and their archive counterparts) are in their default state, and my Mail.conf points to the rules files in %rules-dir% appropriate for each section. The rules files are tabbed properly, with a simple:
FromOrTo: default /etc/MailScanner/filename.rules.conf
No matter what I've tried, MailScanner still allows everything through, even if I explicitly deny a file type in Mail.conf (without using a ruleset).
Any suggestions?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20150213/80fa08dd/attachment.html
More information about the MailScanner
mailing list