Filename/type rules

gojensen mailscanner at gojensen.no
Mon Nov 16 14:17:43 UTC 2015


Nope, regular zip with a regular scr inside. Can't really test it 
either, because both google-mail and my private mail server refuse to 
send the mail :D Just our company service that admits it... :-/

-- 
// gojensen


On 16.11.2015 15:12, Jerry Benton wrote:
> Are you sure you did not get a zipped HTML file with an iframe that downloaded the .scr ? It is currently a common attack vector.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On Nov 16, 2015, at 8:51 AM, gojensen <mailscanner at gojensen.no> wrote:
>>
>> On 16.11.2015 12:38, Antony Stone wrote:
>>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>>> Quick question... how can I verify that attachments are scanned for
>>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>>> of them... not good.
>>>
>>> Your system should be looking inside the zip files to see what the content is,
>>> not just regarding it as "a zip file".
>>
>> Then this must not be working... We got a .zip with a .scr inside and it just got through with no tagging or flagging... any idea how I can debug this?
>>
>> As far as I can see from the mostly default mailscanner.conf it does treat .zip as archives and it uses the archives.filename.rules.conf which has a deny on .scr files.
>>
>> #MailScanner.conf
>> Archives Are = zip rar ole
>> Filename Rules = %etc-dir%/filename.rules.conf
>> Filetype Rules = %etc-dir%/filetype.rules.conf
>> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
>> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>>
>> #both filename.rules.conf and archives.filename.rules.conf have this
>> deny    \.scr$          Possible virus hidden in a screensaver
>>
>> I did notice Maximum Archive Depth was set to 0 (by default?) - does this totally disable archive scanning?! or just disable the limit on nested archive files?
>>
>>> If you specify just a list of (static) filename rules, they go into the file
>>> %etc-dir%/filename.rules.conf
>>>
>>> If instead you specify a ruleset, then the filename containing that ruleset
>>> must end in .rules
>>>
>>> This is how MailScanner knows that one is a list of rules, and the other is a
>>> ruleset.
>>>
>>> Rulesets allow you to do different things based on sender and recipient
>>> addresses.  Static rules simply apply the same (filename, in this case) rules
>>> to all mail going through the system.
>>
>> Thanks for that clarification Antony. We don't use advanced rulesets so that's why I was a bit confused I guess...
>>
>> --
>> // gojensen
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>
>
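As an added illustration of the archive filename checks discussed in this thread (example code, not MailScanner's own), the following Python checker applies rules in the archives.filename.rules.conf layout to the members of a zip, recursing into nested zips up to a depth limit. The depth convention, the allow rule and the sample attachment are assumptions for this example; only the deny line is the one quoted above.

```python
import io
import re
import zipfile
# Rules in the archives.filename.rules.conf layout (action, regex, log text);
# the deny line is the one quoted in the thread, the allow line is constructed.
RULES_TEXT = r"""
allow   \.txt$          Plain text is fine
deny    \.scr$          Possible virus hidden in a screensaver
"""

def parse_rules(text):
    """Return [(action, compiled case-insensitive regex, log text)] per rule line."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            action, pattern, log = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            rules.append((action.lower(), re.compile(pattern, re.IGNORECASE), log))
    return rules

def check_name(name, rules):
    """First matching rule wins, top to bottom; None if nothing matches."""
    for action, rx, log in rules:
        if rx.search(name):
            return action, log
    return None

def scan_zip(data, rules, max_depth, depth=1, prefix=""):
    """Return [(member path, log text)] for denied members, recursing into nested zips.
    Assumed convention: level `depth` is opened only if depth <= max_depth (0 = never)."""
    hits = []
    if depth > max_depth:
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            verdict = check_name(info.filename, rules)
            if verdict and verdict[0] == "deny":
                hits.append((path, verdict[1]))
            if info.filename.lower().endswith(".zip"):
                hits += scan_zip(zf.read(info), rules, max_depth, depth + 1, path + "/")
    return hits

def build_sample():
    """Constructed attachment: outer zip with readme.txt and inner.zip -> invoice.scr."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.scr", b"placeholder bytes, not a real binary")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_zip(build_sample(), parse_rules(RULES_TEXT), max_depth=2)` reports the nested `.scr`, while a limit of 0 or 1 reports nothing, which is the kind of result to compare against what the real configuration does with its depth setting.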


