<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="-1"><font face="Verdana">Hi guys,<br>
<br>
I've got an issue with a filename that I just can't seem to
allow.<br>
<br>
<br>
Sep 6 14:30:29 mx2 MailScanner[32333]: New Batch: Scanning 1
messages, 9242687 bytes<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks: Found
possible filename hiding (D9BAA619D4.A4F69 report.php.mod)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks:
Possible Microsoft JScript attack (D9BAA619D4.A4F69 md5.js)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks: Found
possible filename hiding (D9BAA619D4.A4F69 finance.inc.php)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks: Found
possible filename hiding (D9BAA619D4.A4F69 library.inc.php)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks: Found
possible filename hiding (D9BAA619D4.A4F69 template.inc.php)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Filename Checks: Found
possible filename hiding (D9BAA619D4.A4F69 config.inc.php)<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Other Checks: Found 6
problems<br>
Sep 6 14:30:32 mx2 MailScanner[32333]: Virus and Content
Scanning: Starting<br>
Sep 6 14:30:39 mx2 MailScanner[32333]: Saved entire message to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected "md5.js"
to /var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"finance.inc.php" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"template.inc.php" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"law-database-2010-09-03.zip" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"library.inc.php" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"report.php.mod" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
Sep 6 14:30:42 mx2 MailScanner[32333]: Saved infected
"config.inc.php" to
/var/spool/MailScanner/quarantine/20100906/D9BAA619D4.A4F69<br>
<br>
The file is a zipped backup that automatically gets emailed to
the recipient.<br>
<br>
Using MS version 4.79.11<br>
I'm not using filetype checks and below are my config options
that I've tried in order to allow the files.<br>
<br>
In my MailScanner.conf<br>
<br>
Allow Filenames = \.js$<br>
Deny Filenames =<br>
<br>
Filename Rules = %rules-dir%/filename.rules<br>
<br>
Then in filename.rules<br>
<br>
# Allow postmaster to release stuff from quarantine<br>
FromOrTo: <a class="moz-txt-link-abbreviated"
href="mailto:postmaster@domainhidden.co.za">postmaster@domainhidden.co.za</a>
/etc/MailScanner/filename.allow.all.conf<br>
# Default Rule<br>
FromOrTo: default /etc/MailScanner/filename.rules.conf<br>
<br>
<br>
Then in filename.allow.all.conf these are all tabs.<br>
allow . - -<br>
<br>
<br>
</font></font><font size="-1"><font face="Verdana">Then in
/etc/MailScanner/filename.rules.conf<br>
<br>
allow \.js$ - -<br>
# Deny filenames containing CLSID's<br>
allow \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real
type Files containing CLSID's are
trying to hide their real type<br>
# Allow repeated file extension, e.g. blah.zip.zip <br>
allow (\.[a-z0-9]{3})\1$ - -<br>
# Deny all other double file extensions. This catches any hidden
filenames.<br>
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible
filename hiding Attempt to hide real
filename extension<br>
<br>
<br>
No matter what, .js files are blocked as well as double
extensions, and I've double checked that all whitespaces are
tabs, although they won't show here.<br>
<br>
If anyone has any ideas I'd be most grateful for any assistance.<br>
<br>
Thank you.<br>
<br>
Regards.<br>
<br>
Neil.</font></font>
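<br>
<br>
Added example, not part of the post above and not MailScanner's own code: a Python sketch that checks a filename rules file for lines that are not four tab-separated fields and reports which rule first matches each attachment name from the log. It assumes rules are tab-separated, tried top to bottom with the first match deciding, and matched case-insensitively; the function and constant names are hypothetical.<br>

```python
import re

# Rules as posted for /etc/MailScanner/filename.rules.conf, rebuilt with real
# tabs (constructed: the page cannot show the original whitespace).
POSTED_RULES = "\n".join("\t".join(f) for f in [
    ("allow", r"\.js$", "-", "-"),
    ("allow", r"\{[a-hA-H0-9-]{25,}\}", "Filename trying to hide its real type",
     "Files containing CLSID's are trying to hide their real type"),
    ("allow", r"(\.[a-z0-9]{3})\1$", "-", "-"),
    ("allow", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
     "Found possible filename hiding", "Attempt to hide real filename extension"),
])
# Attachment names taken from the log lines in the post.
LOGGED_FILES = ["report.php.mod", "md5.js", "finance.inc.php", "library.inc.php",
                "template.inc.php", "config.inc.php", "law-database-2010-09-03.zip"]

def parse_rules(text):
    """Return (rules, problems); problems lists (line number, reason)."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", line.rstrip())
        if len(fields) != 4:
            problems.append((n, "expected 4 tab-separated fields, got %d" % len(fields)))
        elif fields[0] not in ("allow", "deny"):  # only the actions used on the page
            problems.append((n, "unknown action %r" % fields[0]))
        else:
            try:
                # Assumption: patterns are applied case-insensitively.
                rules.append((fields[0], re.compile(fields[1], re.I), fields[2]))
            except re.error as exc:
                problems.append((n, "bad regex: %s" % exc))
    return rules, problems

def first_match(rules, filename):
    """Return (action, log text) of the first rule matching filename, or None."""
    for action, regex, log_text in rules:
        if regex.search(filename):
            return action, log_text
    return None

if __name__ == "__main__":
    rules, problems = parse_rules(POSTED_RULES)
    for lineno, reason in problems:
        print("line %d: %s" % (lineno, reason))
    for name in LOGGED_FILES:
        print(name, "->", first_match(rules, name))
```

Pointing parse_rules at the text of the live rules file instead of POSTED_RULES shows any line where spaces have replaced tabs, since such a line no longer splits into four fields.<br>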
</body>
</html>