Filename Restrictions Not working

Scott B. Anderson sbanderson at impromed.com
Fri Feb 20 02:12:49 GMT 2015


FWIW - I've been running 4.84.3 on both a Fedora custom source build derivative (long story, can't get stock kernels to see the software based reiserfs boot volume) and a current Ubuntu server LTS. Both catch eicar and send two notifications - depends on your notification settings. I use a ruleset to send virus, spam and file denies to people in my domain but the default is to turn it off. If you were getting a ton of undeliverable emails you might have turned one of the notifications off rather than using a domain based ruleset, you might have disabled other notifications as well.

I am eagerly awaiting the new release to be considered Beta instead of Alpha in tar (not rpm or deb) form before going further.


Scott


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Thursday, February 19, 2015 7:20 PM
To: 'MailScanner discussion'
Subject: RE: Filename Restrictions Not working

Hmmm.  If it's not a production server I'd say wipe it and reinstall from scratch at this point.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
> Sent: Thursday, February 19, 2015 1:09 PM
> To: MailScanner discussion
> Subject: RE: Filename Restrictions Not working
>
> Right, and clamd is detecting that successfully, but as noted in the
> earlier message, it is being inspected via the File check, detected as
> an executable, and then "allowed."  If it's not working at that level
> in a test scenario, I'm probably hopeless for it to work on anything
> else :)
>
> MailScanner is version 4.84.6, Centos 6.6, file is version 5.04
>
> "a rockpile ceases to be a rockpile the moment a single man
> contemplates it, bearing within him the image of a cathedral."
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: Thursday, February 19, 2015 3:31 PM
> To: 'MailScanner discussion'
> Subject: RE: Filename Restrictions Not working
>
> Eicar is a virus test signature.  It should be caught by your virus
> scanner.  It should also be denied by filetype checks.  If it gets
> that far.  I don't recall which happens first, virus checking or spam
> checking.  I think filename/type checking would fall under the spam
> check umbrella...
>
> Refresh our memory, what distro and version are you running?  What
> version of file do you have?
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No:
> 307357
>
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
> > Sent: Thursday, February 19, 2015 12:12 PM
> > To: MailScanner discussion
> > Subject: RE: Filename Restrictions Not working
> >
> > One thing of note...maybe, maybe not...is that when I run
> > MailScanner --lint, I notice this:
> >
> > Filename Checks: Windows/DOS Executable (1 eicar.com)
> > Filetype Checks: Allowing 1 eicar.com (no match found)
> >
> > If my filename\type checks were working, shouldn't it be denying
> > that type, given that I have executables configured (as default) to
> > deny in my filetype.rules.conf?
> >
> >
> >
> > "a rockpile ceases to be a rockpile the moment a single man
> > contemplates it, bearing within him the image of a cathedral."
> >
> >
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
> > Sent: Wednesday, February 18, 2015 6:21 PM
> > To: 'MailScanner discussion'
> > Subject: RE: Filename Restrictions Not working
> >
> > Do you have filename.rules and filetype.rules files or did you edit
> > MailScanner.conf?
> >
> > Here's my filename/type rules.  They're the default.  I presume they
> > match yours.
> >
> > /etc/MailScanner # cat filename.rules
> > From:           127.0.0.1       /etc/MailScanner/filename.rules.allowall.conf
> > FromOrTo:       default         /etc/MailScanner/filename.rules.conf
> >
> > /etc/MailScanner # cat filetype.rules
> > From:           127.0.0.1       /etc/MailScanner/filetype.rules.allowall.conf
> > FromOrTo:       default         /etc/MailScanner/filetype.rules.conf
> >
> > /etc/MailScanner # cat filename.rules.allowall.conf
> > allow   .*      -       -
> >
> > A while back I was having an issue where an Office365 Word doc was
> > getting flagged as an executable and blocked.  I tried using the
> > "Allow Filenames" and "Allow Filetypes" in MailScanner.conf.  The
> > notes in there said that I'd have to add an entry for both name and type.
> > I set "Allow Filetypes = \.exe$" and "Allow Filenames = /[0-9a-f]{4}\.dat$/I".
> > (I was trying to allow .dat files with a four character name
> > composed of hexadecimal characters.  Specifically 0000.dat but not
> > limited to it.) The notes said the exception would have to match both rules to
> > pass.  It didn't.  It had the odd effect of letting any .exe file
> > through regardless of the name.
> >
> > Have you tried reverting the filename.rules and filetype.rules back
> > to the stock setting and mucking around in filename.rules.conf or
> > filetype.rules.conf instead?
> >
> > ...Kevin
> > --
> > Kevin Miller
> > Network/email Administrator, CBJ MIS Dept.
> > 155 South Seward Street
> > Juneau, Alaska 99801
> > Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No:
> > 307357
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
...

-- 
Rely On Us.
ImproMed LLC
--
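
The following is an added example, not part of any message in this thread and not MailScanner's own code. It is a simplified model of how the four-field rule lines quoted above (action, regex, log text, user report) could be evaluated, assuming first-match-wins and case-insensitive matching; the rule contents and the `file` descriptions are constructed for illustration. It shows how a filename check and a filetype check can disagree about the same attachment, as in the lint output quoted in the thread.

```python
import re

# Constructed rule files in the four-field layout of the allowall line quoted
# in the thread: action, regex, log text, user report. Not the stock rules.
FILENAME_RULES = """\
deny\t\\.com$\tWindows/DOS Executable\tExecutable attachments are blocked
allow\t\\.txt$\t-\t-
"""
FILETYPE_RULES = """\
deny\texecutable\tNo executables\tNo programs allowed
allow\ttext\t-\t-
"""

def parse_rules(text):
    """Return (action, compiled regex, log text) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by tabs or by runs of two or more spaces.
        fields = re.split(r"\t+|\s{2,}", line, maxsplit=3)
        if len(fields) < 2:
            continue
        log_text = fields[2] if len(fields) > 2 else "-"
        rules.append((fields[0].lower(),
                      re.compile(fields[1], re.IGNORECASE), log_text))
    return rules

def check(rules, subject):
    """Assumed semantics: first matching rule decides; no match means allow."""
    for action, regex, log_text in rules:
        if regex.search(subject):
            return action, log_text
    return "allow", "no match found"

def scan(filename, file_output):
    """Filename rules see the name; filetype rules see the `file` description."""
    return {
        "filename": check(parse_rules(FILENAME_RULES), filename),
        "filetype": check(parse_rules(FILETYPE_RULES), file_output),
    }

if __name__ == "__main__":
    # Constructed `file` descriptions; real output depends on the installed version.
    print(scan("eicar.com", "data"))
    print(scan("notes.txt", "PE32 executable (console) Intel 80386, for MS Windows"))
```

In this model the first sample is denied by name while the type check reports "no match found", and the second is allowed by name but denied by type, so the two checks are independent and either one can block an attachment.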


