filename/filetype not working properly

Kevin Miller kevin.miller at juneau.org
Fri Jan 23 21:31:50 GMT 2015


Recently, someone tried to send one of my users an MS Office document which was blocked due to a disallowed file (0000.dat).  It turns out that we likely ran afoul of Microsoft's once again forgetting they're not the only kid in the sandbox.  See:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/287650b5-293c-48bc-90ec-9e13a61a46a6/office365-word-document-docx-banned-from-mailer-if-you-edit-properties-online-bug-

(talk about an ugly URL!)

I'm not sure why 0000.dat would be flagged as executable.  The message wasn't quarantined - it was just dropped - so I can't examine it.  Regardless, I expect we'll see this issue more in the future so I made the following changes in MailScanner.conf:

Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes =   executable

The verbiage above the "Allow Filenames" indicates that it's an "and" operation - that is, the filename has to match, *and* I need to allow executable filetypes.  To test this, I copied /bin/grep, knowing it's an executable file that will otherwise be rejected, then sent it to myself with various filenames.

The results of the test are as follows:

grep		allowed
grep.exe	blocked
0000.abc	allowed
0000.dat	allowed
0000.dot	allowed
0000.com	blocked
0000.pdf	allowed
1234.abc	allowed

My understanding of the comments in MailScanner.conf is that both rules have to match for the attachment to be allowed but clearly this isn't the case. It's the same file. They should all be blocked except 0000.dat.

Using the file command on all the files mentioned (all copies of /bin/grep) returns this (with their respective filename of course):

$ file 0000.dot
0000.dot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped

ELF files are disallowed in filetype.rules.conf (a MailScanner default setting).  Since the attachment was named 0000.dot, not 0000.dat, it should have been disallowed.

What am I missing here?  

Has anyone else run into the issue of Office 365 documents being filtered?  How are you dealing with it?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 
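
The following is an added example, not part of the original post and not MailScanner's own code: a small model that reproduces the results table above. It assumes the filename check and the filetype check run independently, each with its allow list taking precedence over its deny rules; the deny patterns and the `STRICT` pattern are constructed for illustration.

```python
import re

# Settings quoted in the post (MailScanner.conf).
ALLOW_FILENAMES = [r"[0-9a-f]{4}.dat$"]
ALLOW_FILETYPES = [r"executable"]

# Constructed stand-ins for filename.rules.conf / filetype.rules.conf;
# only the rules needed to explain the test are modelled (assumption).
DENY_FILENAMES = [r"\.exe$", r"\.com$"]
DENY_FILETYPES = [r"ELF"]

# Abbreviated from the `file` output shown in the post.
FILE_OUTPUT = "ELF 64-bit LSB executable, x86-64"

# Hypothetical tighter pattern: anchored at the start, literal dot.
STRICT = r"^[0-9a-f]{4}\.dat$"

# Results table from the post.
OBSERVED = {
    "grep": "allowed", "grep.exe": "blocked", "0000.abc": "allowed",
    "0000.dat": "allowed", "0000.dot": "allowed", "0000.com": "blocked",
    "0000.pdf": "allowed", "1234.abc": "allowed",
}


def matches(patterns, text):
    return any(re.search(p, text) for p in patterns)


def check(allow, deny, text):
    """One check: an allow match wins, otherwise a deny match blocks."""
    return matches(allow, text) or not matches(deny, text)


def verdict(filename, allow_types=ALLOW_FILETYPES, filetype=FILE_OUTPUT):
    """Assumed model: name and type are judged separately; both must pass."""
    name_ok = check(ALLOW_FILENAMES, DENY_FILENAMES, filename)
    type_ok = check(allow_types, DENY_FILETYPES, filetype)
    return "allowed" if name_ok and type_ok else "blocked"


def results(names, allow_types=ALLOW_FILETYPES):
    return {n: verdict(n, allow_types) for n in names}


if __name__ == "__main__":
    for name, v in results(OBSERVED).items():
        print(f"{name:10} model={v:8} observed={OBSERVED[name]}")
    # The posted pattern is unanchored and its dot matches any character.
    print(matches(ALLOW_FILENAMES, "notes-beefXdat"), matches([STRICT], "notes-beefXdat"))
```

Under this model, allowing the `executable` filetype passes the type check for every copy of the ELF file, so only the filename deny rules separate the blocked names from the allowed ones.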