<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So this should remain
</span>ClamAV Full Message Scan = yes ?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Find UU-Encoded Files is set to “no” though <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Nik<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Steen, Glenn [mailto:Glenn.Steen@ap1.se]
<br>
<b>Sent:</b> 08 April 2013 09:47<br>
<b>To:</b> Nikolaos Pavlidis<br>
<b>Cc:</b> mailscanner@lists.mailscanner.info<br>
<b>Subject:</b> RE: Filetype Checks: No executables on Greek Emails<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">fre 2013-04-05 klockan 14:37 +0000 skrev Nikolaos Pavlidis: <o:p>
</o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hello all,<br>
<br>
<br>
<br>
Many thanks Glenn for the very detailed explanation! I have made the changes and I am holding my breath to see what happens.. after all.. I cannot test it with the email that is in the quarantine.. it is already buggered! Many thanks for all your help.<br>
<br>
<br>
<br>
Final question:<br>
<br>
<br>
<br>
Is disabling that option going to affect the <a href="http://www.inetmsg.com/pub/">
http://www.inetmsg.com/pub/</a> unofficial signature databases I am using with ClamAV?<br>
<br>
<br>
<br>
Thanks again.<br>
<br>
<br>
<br>
Kind regards,<br>
<br>
<br>
<br>
Nik<o:p></o:p></p>
<p class="MsoNormal"><br>
Sorry Nik (and Steve!)... I think I'm turning slightly senile:-)... Steve is right, that option is to dump the entire message *with headers* in there, which is likely harmless to the file command(s)... What I was thinking of, but remembering kind of wrong,
was the <br>
Find UU-Encoded Files = <br>
setting ... If that one is "yes", change it to "no".<br>
<br>
Cheers<br>
-- <br>
-- Glenn<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<b>From:</b> <a href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</a> [<a href="mailto:mailscanner-bounces@lists.mailscanner.info">mailto:mailscanner-bounces@lists.mailscanner.info</a>]
<b>On Behalf Of </b>Glenn Steen<br>
<b>Sent:</b> 05 April 2013 10:11<br>
<b>To:</b> MailScanner discussion<br>
<b>Subject:</b> Re: Filetype Checks: No executables on Greek Emails<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">BTW, when stripping down the body, you may need "de-MIME" a bit as well, to get the actual thing that file sees... Can be a bit tricky:-).<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">IIRC there is a common greek greeting phrase that will start with a character that is guaranteed to be interpreted as a DOS executable... so you might not need go through the trouble of the copy/edit thing,
just put that greeting in a (text) file and run file/file -i on that... or just cut'n'paste from your MUA, or similar.<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">I mentioned russion and greek specifically, but this has been reported for other non-english languages as well (french and some south east asian language, at least... for french the culprit was an É or Ë or
similar).<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Cheers!<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">-- Glenn<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">On 5 April 2013 10:54, Glenn Steen <<a href="mailto:glenn.steen@gmail.com">glenn.steen@gmail.com</a>> wrote:<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">I'm guessing that you have<br>
<br>
ClamAV Full Message Scan = yes<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">set in MailScanner.conf ... This will make MailScanner "unpack" the body of the email as a file in the directory presented to ClamAV for scanning (other AVs don't seem to need this "help"). The goal is to catch
malware that isn't "properly" encoded, but rather just dumped in the message body.<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">For non-english locales, especially greek and russian locales, this can be ... less than fortunate, since the "body file" will be present when the file command is run on the directory, and the file command has
some very naive one byte magic detection "strings" that will interprete common greek (or russion KOI-8) characters as being the start of an MS-DOS executable (COM-files et al).<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">When the message is quarantined, the "whole message file" (including headers) is stored in the quarantine (not the file containing just the body), so a simplistic "file message" command will not show the root
cause. You need make a copy of that file and manually remove all the headers (and the blank line separating the headers from the body), then run file (and file -i) command on that to see the gory details:).<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Provided one has the file -i column in filetypes.rules.conf (it is an optional fifth column, meaning that you likely don't have it and need add it yourself... The columns are <TAB> -separated!), you can use
the file -i commands "findings" in that column, for the line that triggers the blocking.... Having lines with file -i "syntax" will make the file -i take precedence ... I think, at least.<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">The common practice of changing the "File Command = " setting to the file -i command is perhaps less work, but it is also less secure, since the string matching on the result may be even less reliable than usual.
Then again, file type checking is more of an art than a science:-):-).<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">As I'm sure you've noticed, this isn't a new problem, it has been with MailScanner for quite a few years (if not since the very begining). The methods for fixing the problem has varied over the years (editing
the magic file, reporting it to the file command maintainers as a bug, using file -i straight up etc), but the interface Jules has provided is actually the very best imaginable, so do explore that... In a stock filetype.rules.conf file there is even an example
for the DOS executables that file -i might find (hopefully a bit more securely than the plain file command... Though the commands are actually one and the same, the -i uses a different magic file, not just different descriptive strings).<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Changing the ClamAV setting shown above to "no" will make this problem a lot less common (read: go away completely:-), as well, so that might be another very viable option... If you use more than one AV, you
don't lose that much security by doing so.<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Cheers!<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">-- Glenn<br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">Den 22 mar 2013 16:40 skrev "Nikolaos Pavlidis" <<a href="mailto:Nikolaos.Pavlidis@beds.ac.uk">Nikolaos.Pavlidis@beds.ac.uk</a>>:<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
Hello all,<br>
<br>
I'm having an issue with Mailscanner which weirdly enough has been already discussed here<br>
<a href="http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results">http://markmail.org/message/56fofuvh4tzde7hz#query:+page:1+mid:mu77m5qs6zjhh2jx+state:results</a><br>
<br>
The problem is:<br>
<br>
Mar 22 15:00:18 smtp1 MailScanner[17935]: Filetype Checks: No executables (r2JAPluH011324 )<br>
Mar 22 15:00:46 smtp1 MailScanner[17935]: Saved entire message to /var/spool/MailScanner/quarantine/20130322/r2JAPluH011324<br>
<br>
And:<br>
<br>
[root@smtp1 r2JAPluH011324]# pwd<br>
/var/spool/MailScanner/quarantine/20130322/r2JAPluH011324<br>
[root@smtp1 r2JAPluH011324]# ll<br>
total 28K<br>
-rw------- 1 root root 22K Mar 22 15:00 dfr2JAPluH011324<br>
-rw------- 1 root root 3.7K Mar 22 15:00 qfr2JAPluH011324<br>
[root@smtp1 r2JAPluH011324]# file -i *<br>
dfr2JAPluH011324: text/plain; charset=us-ascii<br>
qfr2JAPluH011324: text/plain; charset=unknown<br>
<br>
But I have also added the lines suggested in the previous thread so my filetype.rules.conf looks like:<br>
<br>
<snip><br>
allow text - -<br>
allow - text/plain - -<br>
allow - text/x-mail - -<br>
allow - message/rfc822 - -<br>
allow \bscript - -<br>
allow archive - -<br>
allow postscript - -<br>
deny self-extract No self-extracting archives No self-extracting archives allowed<br>
deny executable No executables No programs allowed<br>
<snip><br>
<br>
I have restarted mailscanner before re-queuing the message but always the same result...<br>
<br>
Any ideas/recommendations would be much appreciated,<br>
<br>
Kind regards,<br>
<br>
Nik<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read <a href="http://wiki.mailscanner.info/posting">http://wiki.mailscanner.info/posting</a><br>
<br>
Support MailScanner development - buy the book off the website!<o:p></o:p></p>
</blockquote>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"> <br>
<br>
<o:p></o:p></p>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
-- Glenn<br>
email: glenn < dot > steen < at > gmail < dot > com<br>
work: glenn < dot > steen < at > ap1 < dot > se <br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>