Hy Jules,<br><br>I have applied this patch in 2 servers, and the problem is solved,<br><br>Thanks...<br><br><div class="gmail_quote">On Mon, Apr 7, 2008 at 11:46 AM, Julian Field <<a href="mailto:MailScanner@ecs.soton.ac.uk">MailScanner@ecs.soton.ac.uk</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Attached is a zip of a new SweepOther.pm (goes in /usr/lib/MailScanner/MailScanner) that will solve the problem for you. This will be in the next release.<br>
Sorry!<br>
<br>
Jules.<br>
<br>
Thiago Henrique wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="Ih2E3d">
Hy Jules,<br>
<br>
I have changed the rules in filetype.rules.conf to:<br>
deny - x-dosexec No DOS executables No DOS programs allowed<br>
<br>
But a simple mail with png attachment is considered DOS program:<br>
<br>
Reporte: MailScanner: No DOS programs allowed (powerphplist.png)<br>
<br>
When i run file command in the blocked attachment the result is:<br>
mail01 1ADE250F95.6ACCF # file -i powerphplist.png<br>
powerphplist.png: image/png<br>
<br>
mail01 1ADE250F95.6ACCF # file powerphplist.png<br>
powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced<br>
<br>
<br>
I try to write a new rule:<br>
allow - text/plain - permited permited<br>
<br>
But the mail has blocked again.<br>
<br>
What is magical to work?<br>
<br></div><div><div></div><div class="Wj3C7c">
On Fri, Apr 4, 2008 at 11:39 AM, Julian Field <<a href="mailto:MailScanner@ecs.soton.ac.uk" target="_blank">MailScanner@ecs.soton.ac.uk</a> <mailto:<a href="mailto:MailScanner@ecs.soton.ac.uk" target="_blank">MailScanner@ecs.soton.ac.uk</a>>> wrote:<br>
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
<br>
Mike Kercher wrote:<br>
>> -----Original Message-----<br>
>> From: <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a><br>
<mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>><br>
>> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a><br>
<mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>>] On Behalf Of<br>
>> Julian Field<br>
>> Sent: Thursday, April 03, 2008 3:21 PM<br>
>> To: MailScanner discussion<br>
>> Subject: Re: File Type Check Problem<br>
>><br>
>><br>
>><br>
>> Mike Kercher wrote:<br>
>><br>
>><br>
>>> I've been searching and haven't found a resolution for this yet.<br>
>>><br>
>>> Periodically, we get emails with attachments coming through<br>
that are<br>
>>> not being detected properly. MailScanner reports:<br>
>>><br>
>>> MailScanner: No programs allowed (msg-10410-101.txt)<br>
>>><br>
>>><br>
>>><br>
>> This is being caught by the filetype trap.<br>
>><br>
>><br>
>>> If I go look at the quarantined email in MailWatch and<br>
download the<br>
>>> attachment, it is a PDF.<br>
>>><br>
>>><br>
>> That may be what the filename says, but what does the "file"<br>
command<br>
>> report?<br>
>><br>
>><br>
>>> There was talk of the file -i command switch.<br>
>>> Is this something that needs to be set in MailScanner.conf?<br>
>>><br>
>>><br>
>>><br>
>> No, just read the latest filetype.rules.conf and<br>
filename.rules.conf<br>
>> files, the comments at the top of each file tell you how to use it.<br>
>> There is also an example line in filetype.rules.conf for you to<br>
copy.<br>
>><br>
>><br>
>><br>
>>> TIA<br>
>>><br>
>>> Mike<br>
>>><br>
>>><br>
>>><br>
>> Jules<br>
>><br>
>> --<br>
>><br>
>> Jules,<br>
>><br>
>> Running file against the message yields the following:<br>
>><br>
>> [root@HOUPMS02 m334jSTE009852]# file message<br>
>> message: smtp mail text<br>
>> [root@HOUPMS02 m334jSTE009852]# file -i message<br>
>> message: message/rfc822\011<br>
>><br>
>> Not quite sure what changing the filetype.rules.conf would do<br>
for me<br>
>> here.<br>
>><br>
>><br>
> No! I meat you to run the "file" command on the attachment, not the<br>
> message! :-( Funnily enough, when you run it on the message it<br>
says it's<br>
> a message :-)<br>
><br>
> Jules<br>
><br>
> --------<br>
><br>
> Sorry about that :) Here's the output of file run against the<br>
> attachment itself:<br>
><br>
> [root@HOUPMS01 ~]# file OSC81.pdf<br>
> OSC81.pdf: PDF document, version 1.3<br>
><br>
> [root@HOUPMS01 ~]# file -i OSC81.pdf<br>
> OSC81.pdf: application/pdf<br>
><br>
Have just checked your original report, and it wasn't the<br>
attachment it<br>
blocked, it was the main message body (hence the "txt" extension with<br>
the unusual filename). Harder to stop that unless you switch from<br>
using<br>
the "executable" trap in filetype.rules.conf to a replacement trap<br>
using<br>
the MIME type reported by file -i instead (see comments at the<br>
start of<br>
filetype.rules.conf).<br>
> Mike<br>
><br>
><br>
<br>
Jules<br>
<br>
- --<br>
Julian Field MEng CITP CEng<br></div></div>
<a href="http://www.MailScanner.info" target="_blank">www.MailScanner.info</a> <<a href="http://www.MailScanner.info" target="_blank">http://www.MailScanner.info</a>><div class="Ih2E3d"><br>
Buy the MailScanner book at <a href="http://www.MailScanner.info/store" target="_blank">www.MailScanner.info/store</a><br></div>
<<a href="http://www.MailScanner.info/store" target="_blank">http://www.MailScanner.info/store</a>><div class="Ih2E3d"><br>
<br>
Need help customising MailScanner?<br>
Contact me!<br>
Need help fixing or optimising your systems?<br>
Contact me!<br>
Need help getting you started solving new requirements from your boss?<br>
Contact me!<br>
<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: PGP Desktop 9.8.2 (Build 3005)<br>
Comment: (pgp-secured)<br>
Charset: ISO-8859-1<br>
<br>
wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS<br>
bHrfC2GyNSDz4ZOdqsl9zSw=<br>
=knIJ<br>
-----END PGP SIGNATURE-----<br>
<br>
--<br>
This message has been scanned for viruses and<br>
dangerous content by MailScanner, and is<br>
believed to be clean.<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br></div>
<mailto:<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a>><div class="Ih2E3d"><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br>
<br>
</div></blockquote><div class="Ih2E3d">
<br>
Jules<br>
<br>
-- <br>
Julian Field MEng CITP CEng<br>
<a href="http://www.MailScanner.info" target="_blank">www.MailScanner.info</a><br>
Buy the MailScanner book at <a href="http://www.MailScanner.info/store" target="_blank">www.MailScanner.info/store</a><br>
<br>
Need help customising MailScanner?<br>
Contact me!<br>
Need help fixing or optimising your systems?<br>
Contact me!<br>
Need help getting you started solving new requirements from your boss?<br>
Contact me!<br>
<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
<br>
-- <br></div><div><div></div><div class="Wj3C7c">
This message has been scanned for viruses and<br>
dangerous content by MailScanner, and is<br>
believed to be clean.<br>
<br>
</div></div><br>--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br></blockquote></div><br>