filename/filetype not working properly
Tracy Greggs
mailscanner-list at okla.com
Sat Jan 24 00:14:01 GMT 2015
I have had some fun with Office .xlsb and workbook.bin attachments in
emails. The .xlsb files get through fine but the .bin files are detected as
executables.
My fix for this, right or wrong, was to upgrade the "file" command on Centos
6.6 from file-5.04 to the latest file-5.22.
Bad thing is rpm-build on Centos 6.6 base repo requires file-5.04
Make install on the file-5.22 puts the "file" binary in /usr/local/bin
instead of the stock location of /usr/bin, so If you try my fix, make sure
you change the path to file in MailScanner.conf or perhaps make a symlink.
Regards,
Tracy Greggs
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin
Miller
Sent: Friday, January 23, 2015 3:32 PM
To: MailScanner List (mailscanner at lists.mailscanner.info)
Subject: filename/filetype not working properly
Recently, someone tried to send one of my users an MS Office document which
was blocked due to a disallowed file (0000.dat). It turns out that we
likely ran afoul of Microsoft's once again forgetting their not the only kid
in the sandbox. See:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/287650b5-293c-4
8bc-90ec-9e13a61a46a6/office365-word-document-docx-banned-from-mailer-if-you
-edit-properties-online-bug-
(talk about an ugly URL!)
I'm not sure why 0000.dat would be flagged as executable. The message
wasn't quarantined - it was just dropped - so I can't examine it.
Regardless, I expect we'll see this issue more in the future so I made the
following changes in MailScanner.conf:
Allow Filenames = [0-9a-f]{4}.dat$
Allow Filetypes = executable
The verbiage above the "Allow Filenames" indicates that it's an "and"
operation - that is, the filename has to match, *and* I need to allow
executable filetypes. To test this, I copied /bin/grep, knowing it's an
executable file that will otherwise be rejected, then sent it to myself with
various filenames.
The results of the test are as follows:
grep allowed
grep.exe blocked
0000.abc allowed
0000.dat allowed
0000.dot allowed
0000.com blocked
0000.pdf allowed
1234.abc allowed
My understanding of the comments in MailScanner.conf is that both rules have
to match for the attachment to be allowed but clearly this isn't the case.
It's the same file. They should all be blocked except 0000.dat.
Using the file command on all the files mentioned (all copies of /bin/grep)
returns this (with their respective filename of course):
$ file 0000.dot
0000.dot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.26,
BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped
ELF files are disallowed in filetype.rules.conf (a MailScanner default
setting). Since the attachment was named 0000.dot, not 0000.dat, it should
have been disallowed.
What am I missing here?
Has anyone else run into the issue of Office 365 documents being filtered?
How are you dealing with it?
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list