Hy Jules,<br><br>I have changed the rules in filetype.rules.conf to:<br>deny - x-dosexec No DOS executables No DOS programs allowed<br><br>But a simple mail with png attachment is considered DOS program:<br>
<br>Reporte: MailScanner: No DOS programs allowed (powerphplist.png)<br><br>When i run file command in the blocked attachment the result is:<br>mail01 1ADE250F95.6ACCF # file -i powerphplist.png <br>powerphplist.png: image/png<br>
<br>mail01 1ADE250F95.6ACCF # file powerphplist.png <br>powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced<br><br><br>I try to write a new rule:<br>allow - text/plain - permited permited<br>
<br>But the mail has blocked again. <br><br>What is magical to work?<br><br><div class="gmail_quote">On Fri, Apr 4, 2008 at 11:39 AM, Julian Field <<a href="mailto:MailScanner@ecs.soton.ac.uk">MailScanner@ecs.soton.ac.uk</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<div><div></div><div class="Wj3C7c"><br>
<br>
<br>
Mike Kercher wrote:<br>
>> -----Original Message-----<br>
>> From: <a href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</a><br>
>> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</a>] On Behalf Of<br>
>> Julian Field<br>
>> Sent: Thursday, April 03, 2008 3:21 PM<br>
>> To: MailScanner discussion<br>
>> Subject: Re: File Type Check Problem<br>
>><br>
>><br>
>><br>
>> Mike Kercher wrote:<br>
>><br>
>><br>
>>> I've been searching and haven't found a resolution for this yet.<br>
>>><br>
>>> Periodically, we get emails with attachments coming through that are<br>
>>> not being detected properly. MailScanner reports:<br>
>>><br>
>>> MailScanner: No programs allowed (msg-10410-101.txt)<br>
>>><br>
>>><br>
>>><br>
>> This is being caught by the filetype trap.<br>
>><br>
>><br>
>>> If I go look at the quarantined email in MailWatch and download the<br>
>>> attachment, it is a PDF.<br>
>>><br>
>>><br>
>> That may be what the filename says, but what does the "file" command<br>
>> report?<br>
>><br>
>><br>
>>> There was talk of the file -i command switch.<br>
>>> Is this something that needs to be set in MailScanner.conf?<br>
>>><br>
>>><br>
>>><br>
>> No, just read the latest filetype.rules.conf and filename.rules.conf<br>
>> files, the comments at the top of each file tell you how to use it.<br>
>> There is also an example line in filetype.rules.conf for you to copy.<br>
>><br>
>><br>
>><br>
>>> TIA<br>
>>><br>
>>> Mike<br>
>>><br>
>>><br>
>>><br>
>> Jules<br>
>><br>
>> --<br>
>><br>
>> Jules,<br>
>><br>
>> Running file against the message yields the following:<br>
>><br>
>> [root@HOUPMS02 m334jSTE009852]# file message<br>
>> message: smtp mail text<br>
>> [root@HOUPMS02 m334jSTE009852]# file -i message<br>
>> message: message/rfc822\011<br>
>><br>
>> Not quite sure what changing the filetype.rules.conf would do for me<br>
>> here.<br>
>><br>
>><br>
> No! I meat you to run the "file" command on the attachment, not the<br>
> message! :-( Funnily enough, when you run it on the message it says it's<br>
> a message :-)<br>
><br>
> Jules<br>
><br>
> --------<br>
><br>
> Sorry about that :) Here's the output of file run against the<br>
> attachment itself:<br>
><br>
> [root@HOUPMS01 ~]# file OSC81.pdf<br>
> OSC81.pdf: PDF document, version 1.3<br>
><br>
> [root@HOUPMS01 ~]# file -i OSC81.pdf<br>
> OSC81.pdf: application/pdf<br>
><br>
</div></div>Have just checked your original report, and it wasn't the attachment it<br>
blocked, it was the main message body (hence the "txt" extension with<br>
the unusual filename). Harder to stop that unless you switch from using<br>
the "executable" trap in filetype.rules.conf to a replacement trap using<br>
the MIME type reported by file -i instead (see comments at the start of<br>
filetype.rules.conf).<br>
> Mike<br>
<div class="Ih2E3d">><br>
><br>
<br>
Jules<br>
<br>
- --<br>
Julian Field MEng CITP CEng<br>
<a href="http://www.MailScanner.info" target="_blank">www.MailScanner.info</a><br>
Buy the MailScanner book at <a href="http://www.MailScanner.info/store" target="_blank">www.MailScanner.info/store</a><br>
<br>
</div>Need help customising MailScanner?<br>
Contact me!<br>
Need help fixing or optimising your systems?<br>
Contact me!<br>
Need help getting you started solving new requirements from your boss?<br>
Contact me!<br>
<div class="Ih2E3d"><br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
<br>
</div>-----BEGIN PGP SIGNATURE-----<br>
Version: PGP Desktop 9.8.2 (Build 3005)<br>
Comment: (pgp-secured)<br>
Charset: ISO-8859-1<br>
<br>
wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS<br>
bHrfC2GyNSDz4ZOdqsl9zSw=<br>
=knIJ<br>
-----END PGP SIGNATURE-----<br>
<div class="Ih2E3d"><br>
--<br>
This message has been scanned for viruses and<br>
dangerous content by MailScanner, and is<br>
believed to be clean.<br>
<br>
--<br>
</div><div><div></div><div class="Wj3C7c">MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<br>
</div></div></blockquote></div><br>