Filename/type rules
Heino Backhaus
heino.backhaus at fink-computer.de
Mon Nov 16 14:19:11 UTC 2015
please double check that the zip is realy a zip and not something else.
<filename>.arj just renamed to <filename>.zip for example. In this case
mailscanner will not look inside the archive cause it's an arj.
7zip will extract it anyway...
Mit freundlichen Gruessen
H. Backhaus
Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink
"In retrospect it becomes clear that hindsight is definitely overrated!"
-Alfred E. Neumann
Am 16.11.2015 um 14:51 schrieb gojensen:
> On 16.11.2015 12:38, Antony Stone wrote:
>> On Monday 16 November 2015 at 12:18:30, gojensen wrote:
>>> Quick question... how can I verify that attachements are scanned for
>>> "invalid" files? We keep getting .zip files with .scr executables inside
>>> of them... not good.
>>
>> Your system should be looking inside the zip files to see what the
>> content is,
>> not just regarding it as "a zip file".
>
> Then this must not be working... We got a .zip with a .scr inside and it
> just got through with no tagging or flagging... any idea how I can debug
> this?
>
> As far as I can see from the mostly default mailscanner.conf it does
> treat .zip as archives and it uses the archives.filename.rules.conf
> which has a deny on .scr files.
>
> #MailScanner.conf
> Archives Are = zip rar ole
> Filename Rules = %etc-dir%/filename.rules.conf
> Filetype Rules = %etc-dir%/filetype.rules.conf
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf
>
> #both filename.rules.conf and archives.filename.rules.conf has this
> deny \.scr$ Possible virus hidden in a screensaver
>
> I did notice Maximum Archive Depth was set to 0 (by default?) - does
> this totally disable archive scanning?! or just disable the limit on
> nested archive files?
>
>> If you specify just a list of (static) filename rules, they go into
>> the file
>> %etc-dir%/filename.rules.conf
>>
>> If instead you specify a ruleset, then the filename containing that
>> ruleset
>> must end in .rules
>>
>> This is how MailScanner knows that one is a list of rules, and the
>> other is a
>> ruleset.
>>
>> Rulesets allow you to do different things based on sender and recipient
>> addresses. Static rules simply apply the same (filename, in this
>> case) rules
>> to all mail going through the system.
>
> Thanks for that clarification Antony. We don't use advanced rulesets so
> that's why I was a bit confused I guess...
>
More information about the MailScanner
mailing list