mailscanner at gojensen.no
Mon Nov 16 14:17:43 UTC 2015
Nope, regular zip with a regular scr inside. Can't really test it
either, because both google-mail and my private mail server refuse to
send the mail :D Just our company service that admits it... :-/
On 16.11.2015 15:12, Jerry Benton wrote:
> Are you sure you did not get a zipped HTML file with an iframe that downloaded the .scr ? It is currently a common attack vector.
> Jerry Benton
>> On Nov 16, 2015, at 8:51 AM, gojensen <mailscanner at gojensen.no> wrote:
>> On 16.11.2015 12:38, Antony Stone wrote:
>>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>>> Quick question... how can I verify that attachments are scanned for
>>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>>> of them... not good.
>>> Your system should be looking inside the zip files to see what the content is,
>>> not just regarding it as "a zip file".
>> Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?
>> As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.
>> Archives Are = zip rar ole
>> Filename Rules = %etc-dir%/filename.rules.conf
>> Filetype Rules = %etc-dir%/filetype.rules.conf
>> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
>> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>> #both filename.rules.conf and archives.filename.rules.conf have this
>> deny \.scr$ Possible virus hidden in a screensaver
>> I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?
>>> If you specify just a list of (static) filename rules, they go into the file
>>> If instead you specify a ruleset, then the filename containing that ruleset
>>> must end in .rules
>>> This is how MailScanner knows that one is a list of rules, and the other is a
>>> Rulesets allow you to do different things based on sender and recipient
>>> addresses. Static rules simply apply the same (filename, in this case) rules
>>> to all mail going through the system.
>> Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...
>> // gojensen
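As a defender's check for the question raised in this thread (does the archive rule actually see the .scr inside the zip?), here is an added example that is not MailScanner's own code: it parses rules written in the format of archives.filename.rules.conf, walks a constructed zip that also holds a nested zip, and applies a configurable nesting depth limit. Case-insensitive matching and first-match-wins are assumptions of this demo, not statements about how MailScanner evaluates its rules.

```python
import io
import re
import zipfile

# Constructed sample in the format of archives.filename.rules.conf:
# action, a pattern matched against the member name, then a log message.
RULES_TEXT = """\
# comment and blank lines are ignored
deny    \\.scr$    Possible virus hidden in a screensaver
allow   \\.txt$    Plain text is fine
"""

def parse_rules(text):
    """Return (action, compiled_regex, message) tuples, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, message = line.split(None, 2)
        # Case-insensitive match is an assumption of this demo, so setup.SCR is caught
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), message))
    return rules

def check_archive(data, rules, max_depth=2, depth=0, prefix=""):
    """Walk a zip, recursing into nested zips while depth < max_depth, and
    return (member_path, message) for every member that hits a deny rule."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            for action, rx, message in rules:
                if rx.search(info.filename):
                    if action == "deny":
                        hits.append((path, message))
                    break  # first matching rule decides (assumption of this demo)
            if info.filename.lower().endswith(".zip") and depth < max_depth:
                hits.extend(check_archive(zf.read(info), rules, max_depth, depth + 1, path + "/"))
    return hits

def build_sample():
    """Constructed test data: outer zip holding invoice.scr and a nested zip with setup.SCR."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", "plain text")
        z.writestr("setup.SCR", b"not a real executable")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.scr", b"not a real executable")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Running `check_archive(build_sample(), parse_rules(RULES_TEXT))` reports both the top-level invoice.scr and the nested inner.zip/setup.SCR; with `max_depth=0` only the top-level member is reported, which is the kind of difference worth confirming against your own server's depth setting.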