Filename Restrictions Not working

Denis Beauchemin Denis.Beauchemin at usherbrooke.ca
Fri Feb 20 13:53:13 GMT 2015


My MailScanner --lint returns:
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Fichiers COM dangereux (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

I'm running version 4.84.5 on RHEL 6.6 with a lot of Perl stuff not up to date because I put exclude=perl* in /etc/yum.conf just to make sure an update does not cause trouble.

Denis

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of James Nelson
Sent: February 19, 2015 16:19
To: MailScanner discussion
Subject: RE: Filename Restrictions Not working

One thing of note...maybe, maybe not...is that when I run MailScanner --lint, I notice this:

Filename Checks: Windows/DOS Executable (1 eicar.com)
Filetype Checks: Allowing 1 eicar.com (no match found)

If my filename\type checks were working, shouldn't it be denying that type, given that I have executables configured (as default) to deny in my filetype.rules.conf?



"a rockpile ceases to be a rockpile the moment a single man contemplates it, bearing within him the image of a cathedral."


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Wednesday, February 18, 2015 6:21 PM
To: 'MailScanner discussion'
Subject: RE: Filename Restrictions Not working

Do you have filename.rules and filetype.rules files or did you edit MailScanner.conf?

Here's my filename/type rules.  They're the default.  I presume they match yours.

/etc/MailScanner # cat filename.rules
From:           127.0.0.1       /etc/MailScanner/filename.rules.allowall.conf
FromOrTo:       default         /etc/MailScanner/filename.rules.conf

/etc/MailScanner # cat filetype.rules
From:           127.0.0.1       /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo:       default         /etc/MailScanner/filetype.rules.conf

/etc/MailScanner # cat filename.rules.allowall.conf 
allow   .*      -       -

A while back I was having an issue where an Office365 Word doc was getting flagged as an executable and blocked. I tried using the "Allow Filenames" and "Allow Filetypes" in MailScanner.conf. The notes in there said that I'd have to add an entry for both name and type. I set "Allow Filetypes = \.exe$" and "Allow Filenames = /[0-9a-f]{4}\.dat$/I". (I was trying to allow .dat files with a four character name composed of hexadecimal characters. Specifically 0000.dat but not limited to it.) The notes said the exception would have to match both rules to pass. It didn't. It had the odd effect of letting any .exe file through regardless of the name.

Have you tried reverting the filename.rules and filetype.rules back to the stock setting and mucking around in filename.rules.conf or filetype.rules.conf instead?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
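
An added example, not part of the thread and not MailScanner's own code: a small first-match evaluator for a rule file in the four-column layout of the filename.rules.allowall.conf line quoted above, useful for checking which rule (if any) decides a name such as eicar.com before blaming the scanner. The sample rules are constructed, and the tab separation, case-insensitive matching and use of Python's regex engine in place of Perl's are assumptions.

```python
import re

# Constructed sample in the four-column layout (action, regex, log text,
# user text); this is NOT the stock MailScanner filename.rules.conf.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
allow\t\\.dat$\t-\t-
deny\t\\.com$\tDangerous COM file\tCOM files are not allowed
deny\t\\.exe$\tWindows executable\tExecutables are not allowed
"""

# The single line of filename.rules.allowall.conf quoted in the thread.
ALLOW_ALL = "allow\t.*\t-\t-\n"


def parse_rules(text):
    """Return [(line_no, action, compiled_regex, log_text)] in file order."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: columns are tab-separated; fall back to whitespace runs.
        if "\t" in line:
            fields = [f for f in line.split("\t") if f]
        else:
            fields = line.split(None, 3)
        if len(fields) < 2:
            raise ValueError(f"line {line_no}: need at least action and regex")
        action, pattern = fields[0].lower(), fields[1]
        log_text = fields[2] if len(fields) > 2 else "-"
        # Assumption: names are matched case-insensitively.
        rules.append((line_no, action, re.compile(pattern, re.I), log_text))
    return rules


def decide(rules, filename):
    """First matching rule wins; with no match the file is allowed,
    as in the '(no match found)' lint line quoted in the thread."""
    for line_no, action, regex, log_text in rules:
        if regex.search(filename):
            return action, line_no, log_text
    return "allow", None, "no match found"
```

Placing the allow-all line ahead of the deny rules makes line 1 decide every name, which is the ordering effect to look for when a denied extension is unexpectedly passed.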