filename/filetype not working properly

Kevin Miller kevin.miller at juneau.org
Sat Jan 24 01:22:34 GMT 2015


Thanks.  While browsing around I saw Martin Hepworth posted in 2012 that he had changed the File Command from "file" to "file -i" for a similar problem.  (See the last comment at http://community.spiceworks.com/topic/204481-release-banned-emails-from-amavisd-new)

Not sure if that will cure this or not. Since the person sending the original problem message works outside my organization it's hard to do multiple tests with the offending file.  I may have to see if I can get a copy outside of company email (i.e. ftp or something).

My gateways are running on old SUSE boxes - I need to upgrade them as soon as I can find the time but updating file on them isn't doable.  I'll have to check what version of file CentOS 7 uses - if I have to rebuild a box, I may as well use the latest/greatest...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Tracy Greggs
> Sent: Friday, January 23, 2015 3:14 PM
> To: 'MailScanner discussion'
> Subject: RE: filename/filetype not working properly
> 
> I have had some fun with Office .xlsb and workbook.bin attachments in
> emails.  The .xlsb files get through fine but the .bin files are
> detected as executables.
> 
> My fix for this, right or wrong, was to upgrade the "file" command on
> CentOS 6.6 from file-5.04 to the latest file-5.22.
> 
> Bad thing is rpm-build on CentOS 6.6 base repo requires file-5.04.
> 
> Make install on the file-5.22 puts the "file" binary in /usr/local/bin
> instead of the stock location of /usr/bin, so if you try my fix, make
> sure you change the path to file in MailScanner.conf or perhaps make a
> symlink.
> 
> Regards,
> Tracy Greggs
> 
> 
> 
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin
> Miller
> Sent: Friday, January 23, 2015 3:32 PM
> To: MailScanner List (mailscanner at lists.mailscanner.info)
> Subject: filename/filetype not working properly
> 
> Recently, someone tried to send one of my users an MS Office document
> which was blocked due to a disallowed file (0000.dat).  It turns out
> that we likely ran afoul of Microsoft's once again forgetting they're not
> the only kid in the sandbox.  See:
> https://social.technet.microsoft.com/Forums/sharepoint/en-US/287650b5-293c-48bc-90ec-9e13a61a46a6/office365-word-document-docx-banned-from-mailer-if-you-edit-properties-online-bug-
> 
> (talk about an ugly URL!)
> 
> I'm not sure why 0000.dat would be flagged as executable.  The message
> wasn't quarantined - it was just dropped - so I can't examine it.
> Regardless, I expect we'll see this issue more in the future so I made
> the following changes in MailScanner.conf:
> 
> Allow Filenames = [0-9a-f]{4}.dat$
> Allow Filetypes =   executable
> 
> The verbiage above the "Allow Filenames" indicates that it's an "and"
> operation - that is, the filename has to match, *and* I need to allow
> executable filetypes.  To test this, I copied /bin/grep, knowing it's an
> executable file that will otherwise be rejected, then sent it to myself
> with various filenames.
> 
> The results of the test are as follows:
> 
> grep		allowed
> grep.exe	blocked
> 0000.abc	allowed
> 0000.dat	allowed
> 0000.dot	allowed
> 0000.com	blocked
> 0000.pdf	allowed
> 1234.abc	allowed
> 
> My understanding of the comments in MailScanner.conf is that both rules
> have to match for the attachment to be allowed but clearly this isn't
> the case.
> It's the same file. They should all be blocked except 0000.dat.
> 
> Using the file command on all the files mentioned (all copies of
> /bin/grep) returns this (with their respective filename of course):
> 
> $ file 0000.dot
> 0000.dot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
> dynamically linked (uses shared libs), for GNU/Linux 2.6.26,
> BuildID[sha1]=0x0002e5c8a1687334639fcf1c24b850879fefbd37, stripped
> 
> ELF files are disallowed in filetype.rules.conf (a MailScanner default
> setting).  Since the attachment was named 0000.dot, not 0000.dat, it
> should have been disallowed.
> 
> What am I missing here?
> 
> Has anyone else run into the issue of Office 365 documents being
> filtered?
> How are you dealing with it?
> 
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
> 
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
> 
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> 
> 
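Added example, not part of the original thread and not MailScanner code: it replays the test table from the quoted message against two candidate readings of the rules and reports which one reproduces the observed results, then shows which other filenames the posted `Allow Filenames` pattern accepts. The `DENY_NAME` list and both models are assumptions made for illustration, not MailScanner's documented behaviour.

```python
import re

# Pattern exactly as posted, and a tightened form (anchored, literal dot).
POSTED = re.compile(r"[0-9a-f]{4}.dat$")
STRICT = re.compile(r"^[0-9a-f]{4}\.dat$")

# Assumption: stand-in for the stock filename rules, reduced to the two
# extensions that were blocked in the test.
DENY_NAME = re.compile(r"\.(exe|com)$")

# Observed results from the message (every file is a copy of /bin/grep).
OBSERVED = {
    "grep": "allowed", "grep.exe": "blocked", "0000.abc": "allowed",
    "0000.dat": "allowed", "0000.dot": "allowed", "0000.com": "blocked",
    "0000.pdf": "allowed", "1234.abc": "allowed",
}

def model_and(name):
    """Reading in the message: an executable passes only if its name matches."""
    return "allowed" if POSTED.search(name) else "blocked"

def model_independent(name):
    """Hypothesis: name and type are checked separately and both must pass.
    'Allow Filetypes = executable' passes the type check for every file here,
    so only the filename rules can still block."""
    type_ok = True
    name_ok = bool(POSTED.search(name)) or not DENY_NAME.search(name)
    return "allowed" if type_ok and name_ok else "blocked"

def mismatches(model):
    """Filenames where the model disagrees with what was observed."""
    return sorted(n for n, seen in OBSERVED.items() if model(n) != seen)

def loose_matches(names):
    """Names accepted by the posted pattern but not by the strict one."""
    return [n for n in names if POSTED.search(n) and not STRICT.search(n)]

if __name__ == "__main__":
    print("AND model mismatches:        ", mismatches(model_and))
    print("independent model mismatches:", mismatches(model_independent))
    # Constructed filenames, not taken from the thread.
    sample = ["0000.dat", "invoice-0000.dat", "0000xdat", "0000.dat.exe"]
    print("extra names the posted regex allows:", loose_matches(sample))
```

If the independent-check hypothesis holds, a global `Allow Filetypes = executable` permits any ELF attachment whose name is not separately denied, so the filetype exception would need to be scoped much more narrowly than the filename one.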

