File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

Paul Scott sales at edenusa.com
Tue Feb 7 21:16:53 UTC 2017


Hello Mark,

Just so that you (and others) know, I have fixed this issue, but not in a way that you may suspect.  To make things very clear, here is what I found:

1. I already had the number of attachments allowed set to allow as many as a client wishes (the -1 setting).

2. I already had virus scanning turned OFF, as in the following.
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
Virus Scanning = no

These settings are the two obvious areas as reported by the returned message, which I have shared with everybody.

So, I set up the file attachments area to the following, and it worked (i.e., now clients can send and receive attachments again):

# Allow any attachment filenames matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow Filenames = \.txt$ \.pdf$ \.doc$

# Deny any attachment filenames matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Deny Filenames =

#       
# Set where to find the attachment filename ruleset.
# The structure of this file is explained elsewhere, but it is used to
# accept or reject file attachments based on their name, regardless of
# whether they are infected or not.
# 
# This can also point to a ruleset, but the ruleset filename must end in
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
#Filename Rules = %etc-dir%/filename.rules
Filename Rules =

# To simplify web-based configuration systems, there are now two extra
# settings here. They are both intended for use with normal rulesets
# that you would expect to find in %rules-dir%. The first gives a list
# of patterns to match against the attachment filetypes, and a filetype
# is allowed if it matches any of these patterns. The second gives the
# equivalent list for patterns that are used to deny filetypes.
# If either of these match at all, then filetype.rules.conf is ignored
# for that filetype.
# So you can easily have a set like this:
# Allow Filetypes = script postscript
# Deny  Filetypes = executable MPEG
# Allow MIME Filetypes = text/plain text/html
# Deny  MIME Filetypes = dosexec
# which is a lot simpler than having to handle filetype.rules.conf!
# It is far simpler when you want to change the allowed+denied list for  
# different domains/addresses, as you can use the filetype of a simple
# ruleset here instead.

# Allow any attachment filetypes matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow Filetypes =

# Allow any attachment MIME types matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Allow File MIME Types =

# Deny any attachment filetypes matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Deny Filetypes =

# Deny any attachment MIME types matching any of the patterns listed here.
# If this setting is empty, it is ignored and no matches are made.
# This can also be the filename of a ruleset.
Deny File MIME Types =

# Set where to find the attachment filetype ruleset.
# The structure of this file is explained elsewhere, but it is used to   
# accept or reject file attachments based on their content as determined  
# by the "file" command, regardless of whether they are infected or not.
# 
# This can also point to a ruleset, but the ruleset filename must end in 
# ".rules" so that MailScanner can determine if the filename given is
# a ruleset or not!
# 
# To disable this feature, set this to just "Filetype Rules =" or set
# the location of the file command to a blank string.
#Filetype Rules = %etc-dir%/filetype.rules
Filetype Rules =


Basically, turning everything off.  However, I did find another issue, and that is that the standard way we use to restart MailScanner has changed.  I tried this:

[root@mail MailScanner]# service mailscanner restart

Which appeared to restart the MailScanner correctly, but processing no longer worked.  I had to reboot the machine, which caused a major issue, and had to drive 100+ miles to the server room to manually start it up again.

What is the recommended way of getting MailScanner properly restarted, after making configuration file changes?

Thank you again very much for your help!


Sincerely,

Paul Scott, Engineer
Eden USA, Incorporated
Event Production Services Since 1995
Los Angeles-Las Vegas-New York
sales at edenusa.com OR edenusasales at gmail.com
Telephone(s): 866.501.3336 OR 951.505.6967
Fax: 866.502.3336 

WEBSITE: https://www.edenusa.com
FACEBOOK: http://www.facebook.com/edenusainc



-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+sales=edenusa.com at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Monday, February 06, 2017 1:06 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: File(name|type) rules - was hijacked: "Allow Script Tags" affects attachments?

On 02/06/2017 12:20 PM, Paul Scott wrote:
> Hello Mark, and thank you so much for your quick reply!
> 
...
> As you'll see in the return message above, it is confusing, because there are two different issues being reported.  
> 
> One of the issues is as follows:
> 
> The original e-mail attachment "the entire message"
> was believed to be dangerous and/or infected by a virus and has been 
> replaced by this warning message.
> 
> 
> The OTHER issue is as follows:
> 
> At Mon Jan  9 14:51:21 2017 the scanner said:
>    Too many attachments in message
> 
> 
> So, which is the true issue, and how to get this fixed, is the question.  Thank you very much!


Normally they would both be correct. MailScanner reporting that the configured virus scanner reported a problem and the virus scanner reporting the problem as "Too many attachments in message".

There is a thread on this (involving you and me) in the archives starting at <http://lists.mailscanner.info/pipermail/mailscanner/2016-November/103999.html>.
Much of it is noise, but my reply at
<http://lists.mailscanner.info/pipermail/mailscanner/2016-November/104024.html>
indicates that this situation is triggered by MailScanner's Maximum Attachments Per Message setting being exceeded.

I haven't looked at this further since last November, but if that doesn't seem to be the issue, let me know and I'll check further.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
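
Added example, not part of the original messages and not MailScanner's own code: a small Python model of how the filename settings posted above treat attachment names. The evaluation order (Allow Filenames, then Deny Filenames, then Filename Rules, otherwise pass) is an assumption based on the quoted configuration comments; the sample filenames and the catch-all deny rule are constructed for illustration.

```python
import re

def parse_patterns(value):
    """Split a space-separated setting value into compiled regexes."""
    return [re.compile(p) for p in value.split()]

def check_filename(name, allow="", deny="", rules=()):
    """Return (verdict, reason) for one attachment filename.

    Assumed order: Allow Filenames, then Deny Filenames, then the
    Filename Rules entries (first match wins), then no opinion.
    """
    for rx in parse_patterns(allow):
        if rx.search(name):
            return "allow", "Allow Filenames: " + rx.pattern
    for rx in parse_patterns(deny):
        if rx.search(name):
            return "deny", "Deny Filenames: " + rx.pattern
    for action, pattern in rules:
        if re.search(pattern, name):
            return action, "Filename Rules: " + pattern
    return "allow", "no rule matched"

# Settings exactly as posted in the message above.
POSTED = dict(allow=r"\.txt$ \.pdf$ \.doc$", deny="", rules=())

# Hypothetical alternative: same allow list plus a catch-all deny rule,
# which is what turns the allow list into an actual whitelist.
WHITELIST = dict(allow=r"\.txt$ \.pdf$ \.doc$", deny="",
                 rules=(("deny", r"."),))

# Constructed sample filenames, not taken from the thread.
SAMPLES = ["notes.txt", "quote.pdf", "photo.jpg", "quote.pdf.exe"]

def evaluate(config):
    """Map each sample filename to its (verdict, reason) under config."""
    return {name: check_filename(name, **config) for name in SAMPLES}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("whitelist", WHITELIST)):
        for name, (verdict, reason) in evaluate(cfg).items():
            print(f"{label:9} {name:14} {verdict:5} {reason}")
```

Under that model the posted settings never reject an attachment by name; the allow list only has an effect once a deny pattern or rule exists for it to override.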

