filename/filetype not working properly

Tracy Greggs mailscanner-list at
Sat Jan 24 00:14:01 GMT 2015

I have had some fun with Office .xlsb and workbook.bin attachments in
emails.  The .xlsb files get through fine but the .bin files are detected as

My fix for this, right or wrong, was to upgrade the "file" command on CentOS
6.6 from file-5.04 to the latest file-5.22.

Bad thing is rpm-build on CentOS 6.6 base repo requires file-5.04.

Make install on the file-5.22 puts the "file" binary in /usr/local/bin
instead of the stock location of /usr/bin, so if you try my fix, make sure
you change the path to file in MailScanner.conf or perhaps make a symlink.

Tracy Greggs

-----Original Message-----
From: mailscanner-bounces at
[mailto:mailscanner-bounces at] On Behalf Of Kevin
Sent: Friday, January 23, 2015 3:32 PM
To: MailScanner List (mailscanner at
Subject: filename/filetype not working properly

Recently, someone tried to send one of my users an MS Office document which
was blocked due to a disallowed file (0000.dat).  It turns out that we
likely ran afoul of Microsoft's once again forgetting they're not the only kid
in the sandbox.  See:

(talk about an ugly URL!)

I'm not sure why 0000.dat would be flagged as executable.  The message
wasn't quarantined - it was just dropped - so I can't examine it.
Regardless, I expect we'll see this issue more in the future so I made the
following changes in MailScanner.conf:

Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes =   executable

The verbiage above the "Allow Filenames" indicates that it's an "and"
operation - that is, the filename has to match, *and* I need to allow
executable filetypes.  To test this, I copied /bin/grep, knowing it's an
executable file that will otherwise be rejected, then sent it to myself with
various filenames.

The results of the test are as follows:

grep		allowed
grep.exe	blocked	allowed
0000.dat	allowed	allowed	blocked
0000.pdf	allowed	allowed

My understanding of the comments in MailScanner.conf is that both rules have
to match for the attachment to be allowed but clearly this isn't the case.
It's the same file. They should all be blocked except 0000.dat.

Using the file command on all the files mentioned (all copies of /bin/grep)
returns this (with their respective filename of course):

$ file ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.26,
BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped

ELF files are disallowed in filetype.rules.conf (a MailScanner default
setting).  Since the attachment was named, not 0000.dat, it should
have been disallowed.

What am I missing here?  

Has anyone else run into the issue of Office 365 documents being filtered?
How are you dealing with it?

Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357 
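
Added example, not part of the original post and not MailScanner's own code: a check of which attachment names the "Allow Filenames" pattern quoted above admits as written, next to a tightened form. It assumes the pattern is applied as an unanchored Perl-style regex search against the attachment name (Python's `re` behaves the same way for this pattern); the sample names and the tightened pattern are constructed for illustration.

```python
import re

# Pattern exactly as written in the post's MailScanner.conf line.
AS_WRITTEN = re.compile(r"[0-9a-f]{4}.dat$")

# Tightened form (assumption about the intent): exactly four hex digits,
# a literal dot, then "dat", with nothing before or after.
TIGHTENED = re.compile(r"\A[0-9a-f]{4}\.dat\Z")

# Constructed attachment names; the first four are the ones tested in the post.
SAMPLES = [
    "grep",
    "grep.exe",
    "0000.dat",
    "0000.pdf",
    "invoice-beef.dat",  # any prefix is accepted: no anchor at the start
    "0000xdat",          # unescaped "." matches any character, not only a dot
]


def allowed_names(pattern, names):
    """Return the names the pattern matches, in input order."""
    return [n for n in names if pattern.search(n)]


def loosened_by_pattern(names):
    """Names the as-written pattern admits that the tightened one rejects."""
    strict = set(allowed_names(TIGHTENED, names))
    return [n for n in allowed_names(AS_WRITTEN, names) if n not in strict]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:22} as-written={bool(AS_WRITTEN.search(name))!s:5} "
              f"tightened={bool(TIGHTENED.search(name))}")
    print("admitted only by the as-written pattern:", loosened_by_pattern(SAMPLES))
```
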


This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.