filename/filetype not working properly

Kevin Miller kevin.miller at
Fri Jan 23 21:31:50 GMT 2015

Recently, someone tried to send one of my users an MS Office document which was blocked due to a disallowed file (0000.dat).  It turns out that we likely ran afoul of Microsoft's once again forgetting their not the only kid in the sandbox.  See:

(talk about an ugly URL!)

I'm not sure why 0000.dat would be flagged as executable.  The message wasn't quarantined - it was just dropped - so I can't examine it.  Regardless, I expect we'll see this issue more in the future so I made the following changes in MailScanner.conf:

Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes =   executable

The verbiage above the "Allow Filenames" indicates that it's an "and" operation - that is, the filename has to match, *and* I need to allow executable filetypes.  To test this, I copied /bin/grep, knowing it's an executable file that will otherwise be rejected, then sent it to myself with various filenames.

The results of the test are as follows:

grep		allowed
grep.exe	blocked	allowed
0000.dat	allowed	allowed	blocked
0000.pdf	allowed	allowed

My understanding of the comments in MailScanner.conf is that both rules have to match for the attachment to be allowed but clearly this isn't the case. It's the same file. They should all be blocked except 0000.dat.

Using the file command on all the files mentioned (all copies of /bin/grep) returns this (with their respective filename of course):

$ file ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped

ELF files are disallowed in filetype.rules.conf (a MailScanner default setting).  Since the attachment was named, not 0000.dat, it should have been disallowed.

What am I missing here?  

Has anyone else run into the issue of Office 365 documents being filtered?  How are you dealing with it?

Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 

More information about the MailScanner mailing list