From mailscanner at barendse.to Thu Jul 28 12:14:17 2022
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Thu, 28 Jul 2022 14:14:17 +0200 (CEST)
Subject: shtml attachment files ?
Message-ID:

Hi list

I tried blocking \.htm$ and \.html$ in my filename.rules.conf before but
found that this effectively blocked nearly each and every email that was
coming in so I have to allow that for as long as MailScanner cannot
differentiate between an attached .html file or html text in the mail
itself

Just received another fake/phishing email with an .shtml attachment which
includes server side includes google taught me.

Would it be OK to block that or will I also lose mail? If, then maybe it's
a good addition to the standard MS filename rules?

Thanks!

From shawniverson at summitgrid.com Thu Jul 28 14:39:49 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 28 Jul 2022 10:39:49 -0400
Subject: shtml attachment files ?
In-Reply-To:
References:
Message-ID: <275988eb-7bca-26f3-be02-06fc51c65a75@summitgrid.com>

shtml should be safe to block

In the case of .html, you can use some additional regex if the names
have a certain unique characteristic. Just not msg-.*.html. That will
block legit mail.

On 7/28/22 08:14, mailscanner at barendse.to wrote:
> Hi list
>
> I tried blocking \.htm$ and \.html$ in my filename.rules.conf before
> but found that this effectively blocked nearly each and every email
> that was coming in so I have to allow that for as long as MailScanner
> cannot differentiate between an attached .html file or html text in
> the mail itself
>
> Just received another fake/phishing email with an .shtml attachment
> which includes server side includes google taught me.
>
> Would it be OK to block that or will I also lose mail? If, then maybe
> it's a good addition to the standard MS filename rules?
>
> Thanks!
>

From mark at msapiro.net Thu Jul 28 15:21:13 2022
From: mark at msapiro.net (Mark Sapiro)
Date: Thu, 28 Jul 2022 08:21:13 -0700
Subject: shtml attachment files ?
In-Reply-To:
References:
Message-ID: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>

On 7/28/22 05:14, mailscanner at barendse.to wrote:
> Hi list
>
> I tried blocking \.htm$ and \.html$ in my filename.rules.conf before but
> found that this effectively blocked nearly each and every email that was
> coming in so I have to allow that for as long as MailScanner cannot
> differentiate between an attached .html file or html text in the mail
> itself

This is curious. Most common MUAs tend to be configured to compose
multipart/alternative mail with text/plain and text/html alternative
parts, but the text/html part does not have a `name` parameter in the
Content-Type: header nor does it have a Content-Disposition: header at
all. So where is MailScanner getting a *.html filename for these parts?

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From shawniverson at summitgrid.com Thu Jul 28 15:42:01 2022
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Thu, 28 Jul 2022 11:42:01 -0400
Subject: shtml attachment files ?
In-Reply-To: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>
References: <22c2082b-3241-30fc-7502-f41fdeef57e9@msapiro.net>
Message-ID: <8ac146ba-2ac0-985c-e174-6e8d66fd129a@summitgrid.com>

It is happening during the mime parsing operation when the mime is split
into text and html parts. It assigns a name msg-.html to the html mime
part.

On 7/28/22 11:21, Mark Sapiro wrote:
> On 7/28/22 05:14, mailscanner at barendse.to wrote:
>> Hi list
>>
>> I tried blocking \.htm$ and \.html$ in my filename.rules.conf before
>> but found that this effectively blocked nearly each and every email
>> that was coming in so I have to allow that for as long as MailScanner
>> cannot differentiate between an attached .html file or html text in
>> the mail itself
>
> This is curious. Most common MUAs tend to be configured to compose
> multipart/alternative mail with text/plain and text/html alternative
> parts, but the text/html part does not have a `name` parameter in the
> Content-Type: header nor does it have a Content-Disposition: header at
> all. So where is MailScanner getting a *.html filename for these parts?
>

From mailscanner at barendse.to Fri Jul 29 08:50:56 2022
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Fri, 29 Jul 2022 10:50:56 +0200 (CEST)
Subject: shtml attachment files ?
In-Reply-To: <275988eb-7bca-26f3-be02-06fc51c65a75@summitgrid.com>
References: <275988eb-7bca-26f3-be02-06fc51c65a75@summitgrid.com>
Message-ID: <84d03d3-b2f-f38-2191-7e1d4d3f2312@barendse.to>

On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:

> shtml should be safe to block

Thanks!!

Have added the below to my filename.rules.conf

deny	\.shtml$	Possible server side include attack	SHTML files can be used with a server side include attack

> In the case of .html, you can use some additional regex if the names have a
> certain unique characteristic. Just not msg-.*.html. That will block legit
> mail.
>
> On 7/28/22 08:14, mailscanner at barendse.to wrote:
>> Hi list
>>
>> I tried blocking \.htm$ and \.html$ in my filename.rules.conf before but
>> found that this effectively blocked nearly each and every email that was
>> coming in so I have to allow that for as long as MailScanner cannot
>> differentiate between an attached .html file or html text in the mail
>> itself
>>
>> Just received another fake/phishing email with an .shtml attachment which
>> includes server side includes google taught me.
>>
>> Would it be OK to block that or will I also lose mail? If, then maybe it's
>> a good addition to the standard MS filename rules?
>>
>> Thanks!
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
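
Added example (not part of the thread and not MailScanner code): the distinction discussed above, between an HTML body part that declares no filename and an HTML or SHTML file attachment that does, shown with Python's standard email parser. The deny patterns are the ones quoted in the thread; the sample message, its addresses and file names, the function names and the case-insensitive matching are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Patterns quoted in the thread, applied only to names the sender declared.
# Case-insensitive matching is a choice of this example.
DENY = [
    (re.compile(r"\.shtml$", re.I), "Possible server side include attack"),
    (re.compile(r"\.html?$", re.I), "HTML attachment"),
]


def build_sample() -> str:
    """Constructed message: text+html alternative body plus two attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body")
    msg.add_alternative("<p>HTML body</p>", subtype="html")
    msg.add_attachment("<p>constructed</p>", subtype="html",
                       filename="invoice.shtml")
    msg.add_attachment("<p>constructed</p>", subtype="html",
                       filename="Login.HTM")
    return msg.as_string()


def classify(raw: str):
    """Return (content_type, declared_filename, verdict) per leaf MIME part."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls back
        # to Content-Type name=; it returns None when neither is present.
        name = part.get_filename()
        verdict = "allow"
        if name:
            for rx, reason in DENY:
                if rx.search(name):
                    verdict = f"deny: {reason}"
                    break
        results.append((part.get_content_type(), name, verdict))
    return results


if __name__ == "__main__":
    for ctype, name, verdict in classify(build_sample()):
        print(f"{ctype:12} {name!s:16} {verdict}")
```

A filter that synthesises a name for the unnamed text/html body before matching would hit the `\.html?$` rule on ordinary mail, which is the effect reported at the top of the thread.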