<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Courier New";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D">Just a swag, but you’ve stopped the Postfix daemon and took it out of the startup config, right? I use sendmail, not Postfix (yet), but sometimes an upgrade would put sendmail back
into the startup routines, and I’d have mail coming in via sendmail that bypasses MailScanner.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D">It may not be the case here, but easy enough to double-check…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">...Kevin<br>
--<br>
Kevin Miller<br>
Network/email Administrator, CBJ MIS Dept.<br>
155 South Seward Street<br>
Juneau, Alaska 99801<br>
Phone: (907) 586-0242, Fax: (907) 586-4500<br>
Registered Linux User No: 307357</span><span style="color:#1F497D"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info]
<b>On Behalf Of </b>James Nelson<br>
<b>Sent:</b> Friday, February 13, 2015 12:54 PM<br>
<b>To:</b> MailScanner discussion<br>
<b>Subject:</b> RE: Filename Restrictions Not working<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Additional details: Running on CentOS 6.6, MTA is Postfix. I’ve covered all of the settings in MailScanner.conf that seem to be pertinent—scanning is enabled, proper location for /usr/bin/file, which I can
run against the files being allowed through, to the expected result. If I run a MailScanner –lint , I don’t see any mention made of the attachment rules being read, but that may be by design.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">filename.rules.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># NOTE: Fields are separated by TAB characters --- Important!<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Syntax is allow/deny/deny+delete/rename/rename to replacement-text/email-addresses,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># then regular expression,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># then log text,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># then user report text.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># The "email-addresses" can be a space or comma-separated list of email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># addresses. If the rule hits, the message will be sent to these address(es)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># instead of the original recipients.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># If a rule is a "rename" rule, then the attachment filename will be renamed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># according to the "Default Rename Pattern" setting in MailScanner.conf.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># If a rule is a "rename" rule and the "to replacement-text" is supplied, then<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># the text matched by the regular expression in the 2nd field of the line<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># will be replaced with the "replacement-text" string.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># For example, the rule<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># rename to .ppt \.pps$ Renamed .pps to .ppt Renamed .pps to .ppt<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># will find all filenames ending in ".pps" and rename them so they end in<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># ".ppt" instead.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Due to a bug in Outlook Express, you can make the 2nd from last extension<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># be what is used to run the file. So very long filenames must be denied,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># regardless of the final extension.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft
e-mail packages<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># JKF 10/08/2007 Adobe Acrobat nastiness<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">rename \.fdf$ Dangerous Adobe Acrobat data-file Opening this file can cause auto-loading of any file from the internet<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># JKF 04/01/2005 More Microsoft security vulnerabilities<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These 4 are well known viruses.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny happy99\.exe$ "Happy" virus "Happy" virus<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># JKF 08/07/2005 Several virus scanners may miss this one<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These are in the archives which are Microsoft Office 2007 files (e.g. docx)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.xml\d*\.rel$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.x\d+\.rel$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.rtf$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These are known to be mostly harmless.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.jpg$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.gif$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># .url is arguably dangerous, but I can't just ban it...<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.url$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.vcf$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.txt$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.zip$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.t?gz$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.bz2$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.Z$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.rpm$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># PGP and GPG<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.gpg$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.pgp$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.sig$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.asc$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Macintosh archives<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.hqx$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.sit.bin$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.sea$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Backup files<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.bak$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># And TeX and LaTeX are harmless AFAIK<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.tex$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These are known to be dangerous in almost all cases.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># See
<a href="http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm">http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm</a> for more info.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Removed ".mat" from next line as widely used by Matlab<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ma[dfgmqrsvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These are new dangerous attachment types according to Microsoft in<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#
<a href="http://support.microsoft.com/?kbid=883260">http://support.microsoft.com/?kbid=883260</a><o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These 2 added by popular demand - Very often used by viruses<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># These are very dangerous and have been used to hide viruses<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.bat$ Possible malicious batch file script Batch files are often malicious<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cmd$ Possible malicious batch file script Batch files are often malicious<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Deny filenames containing CLSID's<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Deny filenames with lots of contiguous white space in them.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Allow repeated file extension, e.g. blah.zip.zip<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow (\.[a-z0-9]{3})\1$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Allow days of the week and months in doc names, e.g. blah.wed.doc<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Deny all other double file extensions. This catches any hidden filenames.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">filetype.rules.conf:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># NOTE: Fields are separated by TAB characters --- Important!<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># Syntax is allow/deny/deny+delete/email-addresses, then regular expression,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># then log text, then user report text.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># The "email-addresses" can be a space or comma-separated list of email<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># addresses. If the rule hits, the message will be sent to these address(es)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># instead of the original recipients.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># If none of the rules match, then the filetype is allowed.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># An optional fifth field can also be added before the "log text", which<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># makes the checked text check against the MIME type of the attachment<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"># as determined by the output of the "file -i" command.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow text - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow \bscript - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow archive - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">allow postscript - -<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny self-extract No self-extracting archives No self-extracting archives allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny executable No executables No programs allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#EXAMPLE: deny - x-dosexec No DOS executables No DOS programs alloweddeny ELF No executables No programs allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">deny Registry No Windows Registry entries No Windows Registry files allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny MPEG No MPEG movies No MPEG movies allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny AVI No AVI movies No AVI movies allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny MNG No MNG/PNG movies No MNG movies allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny QuickTime No QuickTime movies No QuickTime movies allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny ASF No Windows media No Windows media files allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Consolas">#deny metafont No Windows Metafont drawings No WMF drawings allowed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a href="mailto:mailscanner-bounces@lists.mailscanner.info">
mailscanner-bounces@lists.mailscanner.info</a> [<a href="mailto:mailscanner-bounces@lists.mailscanner.info">mailto:mailscanner-bounces@lists.mailscanner.info</a>]
<b>On Behalf Of </b>James Nelson<br>
<b>Sent:</b> Friday, February 13, 2015 2:35 PM<br>
<b>To:</b> <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<b>Subject:</b> Filename Restrictions Not working<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am having an issue where none of my filetype rules seem to be working. I can send a test message with something as clearly dangerous as a .bat or .scr file, and MailScanner allows it through regardless. My filetype.rules.conf and filename.rules.conf
(and their archive counterparts) are in their default state, and my Mail.conf points to the rules files in %rules-dir% appropriate for each section. The rules files are tabbed properly, with a simple:<o:p></o:p></p>
<p class="MsoNormal">FromOrTo: default /etc/MailScanner/filename.rules.conf<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">No matter what I’ve tried, MailScanner still allows everything through, even if I explicitly deny a file type in Mail.conf (without using a ruleset).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any suggestions?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>