Filename/type rules

Jerry Benton jerry.benton at mailborder.com
Mon Nov 16 14:12:10 UTC 2015


Are you sure you did not get a zipped HTML file with an iframe that downloaded the .scr? It is currently a common attack vector.

-
Jerry Benton
www.mailborder.com



> On Nov 16, 2015, at 8:51 AM, gojensen <mailscanner at gojensen.no> wrote:
> 
> On 16.11.2015 12:38, Antony Stone wrote:
>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>> Quick question... how can I verify that attachments are scanned for
>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>> of them... not good.
>> 
>> Your system should be looking inside the zip files to see what the content is,
>> not just regarding it as "a zip file".
> 
> Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?
> 
> As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.
> 
> #MailScanner.conf
> Archives Are = zip rar ole
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
> 
> #both filename.rules.conf and archives.filename.rules.conf have this
> deny    \.scr$          Possible virus hidden in a screensaver
> 
> I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?
> 
>> If you specify just a list of (static) filename rules, they go into the file
>> %etc-dir%/filename.rules.conf
>> 
>> If instead you specify a ruleset, then the filename containing that ruleset
>> must end in .rules
>> 
>> This is how MailScanner knows that one is a list of rules, and the other is a
>> ruleset.
>> 
>> Rulesets allow you to do different things based on sender and recipient
>> addresses.  Static rules simply apply the same (filename, in this case) rules
>> to all mail going through the system.
> 
> Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...
> 
> -- 
> // gojensen
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
> 
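The quoted configuration (Archives Are, Filename Rules, Archives: Filename Rules, a deny on \.scr$, and Maximum Archive Depth) describes a small pipeline: match the attachment name against one rule file, and if the extension is listed as an archive, unpack it and match every member against a second rule file, down to a depth limit. The script below is an added example that models that pipeline so it can be tested offline against a constructed zip; it is not MailScanner's code and makes three labelled assumptions: rules are matched case-insensitively, the first matching rule wins, and a depth of 0 means the archive is never opened. The rule text and the sample zip (a .txt, a .scr, and a nested zip holding a .exe) are constructed for the example.

```python
import io
import re
import zipfile

# Constructed rule text in the layout of MailScanner's filename.rules.conf:
# action, regex, log text, user text, separated by tabs. Sample only.
SAMPLE_RULES = "\n".join([
    "# action<TAB>regex<TAB>log text<TAB>user text",
    "deny\t\\.scr$\tPossible virus hidden in a screensaver\tScreensaver files are blocked",
    "deny\t\\.exe$\tWindows executable\tExecutables are blocked",
    "allow\t.*\t-\t-",
])


def parse_rules(text):
    """Parse tab-separated rule lines into (action, compiled regex, log text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        action, pattern = fields[0].lower(), fields[1]
        logtext = fields[2] if len(fields) > 2 else ""
        # Case-insensitive matching is an assumption of this model.
        rules.append((action, re.compile(pattern, re.IGNORECASE), logtext))
    return rules


def check_name(name, rules):
    """First matching rule decides (assumption); no match means allow."""
    for action, rx, logtext in rules:
        if rx.search(name):
            return action, logtext
    return "allow", ""


def scan_zip(data, rules, max_depth, depth=1):
    """Apply rules to every member of a zip, recursing into nested zips.
    depth 1 is the outer archive. max_depth 0 means the archive is never
    opened (how this model treats 'Maximum Archive Depth = 0'; assumption)."""
    findings = []
    if max_depth == 0 or depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            action, reason = check_name(info.filename, rules)
            findings.append((info.filename, action, reason))
            if info.filename.lower().endswith(".zip"):
                nested = scan_zip(zf.read(info), rules, max_depth, depth + 1)
                for path, act, why in nested:
                    findings.append((info.filename + "/" + path, act, why))
    return findings


def scan_attachment(name, data, archives_are, filename_rules, archive_rules, max_depth):
    """Model of the quoted config: the attachment name goes through
    'Filename Rules'; if its extension is in 'Archives Are', the members go
    through 'Archives: Filename Rules'. Returns [(path, log text)] for denials."""
    denied = []
    action, reason = check_name(name, filename_rules)
    if action == "deny":
        denied.append((name, reason))
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in archives_are:
        for path, act, why in scan_zip(data, archive_rules, max_depth):
            if act == "deny":
                denied.append((name + "/" + path, why))
    return denied


def build_sample_zip():
    """Constructed input: a zip with a .txt, a .scr and a nested zip holding a .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"MZ not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("invoice.scr", b"MZ not a real screensaver")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    archives_are = ("zip", "rar", "ole")  # values from the quoted MailScanner.conf
    for depth in (0, 1, 2):
        hits = scan_attachment("docs.zip", build_sample_zip(), archives_are, rules, rules, depth)
        print("Maximum Archive Depth = %d: denied %s" % (depth, [p for p, _ in hits]))
```

Running it shows the effect of the depth setting on this model: at depth 2 both invoice.scr and inner.zip/setup.exe are denied, at depth 1 only invoice.scr is seen, and at depth 0 nothing inside the zip is inspected, so a .scr in an archive passes the filename rules untouched. Whether MailScanner itself treats 0 the same way is the question raised in the quoted message, not something this example settles.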


