MailScanner Archive

  #1  
16-07-2012 05:32 PM

Hello,

We have a client who sends us email with a zipped attachment. It contains
files like:
file1.shp.xml
file2.kmz.kml

I added two lines at the bottom of filename.rules.conf:
allow \.shp\.xml$ - -
allow \.kmz\.kml$ - -

But MailScanner still detects them as "Bad Filename" and drops them
into quarantine:

MessageID: 5482680A2.A554E
Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)

How can I let MailScanner know these are safe file names and let them
pass through?

Thanks

Gao

--

--
MailScanner mailing list

http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

  #2  
16-07-2012 06:12 PM

Gao,

Try putting your lines at the start of the file instead. This might resolve your problem.

Denis
PS: Don't forget to restart MS afterwards.

______________________________
Denis Beauchemin
Technology Architect - Server Infrastructure
Service des technologies de l’information
Université de Sherbrooke

Tel.: 819 821-8000, ext. 62252
Email:


> -----Original Message-----
> From: mailscanner- [mailto:mailscanner-
> ] On behalf of J Gao
> Sent: 16 July 2012 12:52
> To:
> Subject: How to allow double extension file?
>
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them into
> quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them pass
> through?
>
> Thanks
>
> Gao

  #3  
16-07-2012 06:17 PM

On Mon, Jul 16, 2012 at 09:32:53AM -0700, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

Move those two lines from the bottom, after all the "deny" rules, up
before the "deny" rules -- or at least before any "deny" rules which
might match the filenames and cause detection as a bad filename.

--
Mike Andrews, W5EGO

Tired old sysadmin

  #4  
16-07-2012 06:31 PM

On Mon, Jul 16, 2012 at 10:32 AM, J Gao <> wrote:

> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>

Try making sure to add it above the line:

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to possibly hide real filename extension


Chris
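
The rule-ordering behaviour the replies above describe, as an added example (not part of any poster's message and not MailScanner's own code): a small first-match-wins evaluator run over constructed rule sets built from the rules quoted in this thread, plus a check that lists allow rules shadowed by an earlier rule. The function names, the sample names `report.pdf` and `invoice.pdf.exe`, the `deny` action on the catch-all, case-insensitive matching and the pass-on-no-match default are assumptions.

```python
import re

# Constructed rule files in the layout quoted in this thread:
#   action  regex  log-text  report-text
# Assumption: the catch-all double-extension rule carries the action "deny",
# as its comment line and the quarantine report in the first post indicate.
CATCH_ALL = r"deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding"
COMMENT = "# Deny all other double file extensions. This catches any hidden filenames."

ALLOWS_AT_BOTTOM = "\n".join([
    COMMENT,
    CATCH_ALL,
    r"allow \.shp\.xml$ - -",
    r"allow \.kmz\.kml$ - -",
])

ALLOWS_ON_TOP = "\n".join([
    r"allow \.shp\.xml$ - -",
    r"allow \.kmz\.kml$ - -",
    COMMENT,
    CATCH_ALL,
])

# Constructed sample names; the first two come from the thread.
SAMPLES = ["aral.shp.xml", "file2.kmz.kml", "report.pdf", "invoice.pdf.exe"]


def parse_rules(text):
    """Return [(line_number, action, compiled_regex)] for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # whitespace-split in this sketch
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: not a rule: {raw!r}")
        # Assumption: filenames are matched case-insensitively.
        rules.append((lineno, fields[0].lower(), re.compile(fields[1], re.IGNORECASE)))
    return rules


def decide(rules, filename):
    """First matching rule wins; later rules are never consulted."""
    for lineno, action, regex in rules:
        if regex.search(filename):
            return action, lineno
    return "allow", None  # assumption: a name no rule matches is passed


def shadowed_allows(rules, samples):
    """List (allow_line, filename, winning_line) where an allow rule matches a
    sample but an earlier rule has already decided it."""
    findings = []
    for lineno, action, regex in rules:
        if action != "allow":
            continue
        for name in samples:
            if regex.search(name):
                _, winner = decide(rules, name)
                if winner != lineno:
                    findings.append((lineno, name, winner))
    return findings


if __name__ == "__main__":
    for label, text in (("allows at bottom", ALLOWS_AT_BOTTOM),
                        ("allows on top", ALLOWS_ON_TOP)):
        rules = parse_rules(text)
        print(label)
        for name in SAMPLES:
            print("  ", name, decide(rules, name))
        print("   shadowed:", shadowed_allows(rules, SAMPLES))
```

Moving an allow above the catch-all exempts only names that match that allow's pattern; every other double extension is still decided by the catch-all.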



  #5  
16-07-2012 06:37 PM

On Mon, Jul 16, 2012 at 6:32 PM, J Gao <> wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

By placing them _above_ the double extension rule.

/peter

  #6  
16-07-2012 07:03 PM

Put the rules at the top so they get hit first.

Don't forget to restart MailScanner afterwards.

Martin

On Monday, 16 July 2012, Chris Stone wrote:

>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao <
> > wrote:
>
>> Hello,
>>
>> I added two lines on the bottom of the filename.rules.conf:
>> allow \.shp\.xml$ - -
>> allow \.kmz\.kml$ - -
>>
>> But the MailScanner still detect them as "Bad Filename" and drop them
>> into quarantine:
>>
>> MessageID: 5482680A2.A554E
>> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
>> Report: MailScanner: Attempt to hide real filename extension
>> (aral.shp.xml)
>>
>
> Try making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to possibly hide real filename extension
>
>
> Chris
>


--
--
Martin Hepworth, CISSP
Oxford, UK



  #7  
16-07-2012 07:59 PM

On 12-07-16 10:37 AM, Peter Bonivart wrote:
> By placing them _above_ the double extension rule.
>
> /peter
> --



Well, I tried all of your suggestions and I still have trouble when I
test the rule. I restarted MailScanner every time after modifying the file.

Here I put a tiny test file online. This zip file contains a single
.sha.xml file. (This is generated by some program in Windows.) Anyway,
you can see that it is just a flat XML file, but with a double-extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even if I enable (although I don't like the idea):

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

It still blocks my test.zip file!

Could someone test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao


  #8  
16-07-2012 08:13 PM

Hello,

We have a client send us email with zipped attachment. It contain files
like:
file1.shp.xml
file2.kmz.kml

I added two lines on the bottom of the filename.rules.conf:
allow \.shp\.xml$ - -
allow \.kmz\.kml$ - -

But the MailScanner still detect them as "Bad Filename" and drop them
into quarantine:

MessageID: 5482680A2.A554E
Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)



How can I let MailScanner know these are safe file name and let them
pass through?

Thanks

Gao

--

--
MailScanner mailing list

http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
)
Gao,

Try putting your lines at the start of the file instead. This might resolve your problem.

Denis
PS: Don't forget to restart MS afterwards.

______________________________
Denis Beauchemin
Architecte technologique - Infrastructure des serveurs
Service des technologies de l’information
Université de Sherbrooke

Tél. : 819 821-8000, poste 62252
Courriel :


> -----Message d'origine-----
> De : mailscanner- [mailto:mailscanner-
> ] De la part de J Gao
> Envoyé : 16 juillet 2012 12:52
> À :
> Objet : How to allow double extension file?
>
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them into
> quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them pass
> through?
>
> Thanks
>
> Gao
>
On Mon, Jul 16, 2012 at 09:32:53AM -0700, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

Move those two lines from the bottom, after all the "deny" rules, up
before the "deny" rules -- or at least before any "deny" rules which
might match the filenames and cause detection as a bad filename.

--
Mike Andrews, W5EGO

Tired old sysadmin
On Mon, Jul 16, 2012 at 10:32 AM, J Gao <> wrote:

> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>

Try making sure to add it above the line:

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to possibly hide real filename extension


Chris


On Mon, Jul 16, 2012 at 6:32 PM, J Gao <> wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

By placing them _above_ the double extension rule.

/peter
Put the rules at the top so they get hit first.

Don't forget to restart MailScanner afterwards.

Martin

On Monday, 16 July 2012, Chris Stone wrote:

>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao <
> > wrote:
>
>> Hello,
>>
>> I added two lines on the bottom of the filename.rules.conf:
>> allow \.shp\.xml$ - -
>> allow \.kmz\.kml$ - -
>>
>> But the MailScanner still detect them as "Bad Filename" and drop them
>> into quarantine:
>>
>> MessageID: 5482680A2.A554E
>> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
>> Report: MailScanner: Attempt to hide real filename extension
>> (aral.shp.xml)
>>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to possibly hide real filename
> extension
>
>
> Chris
>


--
--
Martin Hepworth, CISSP
Oxford, UK


On 12-07-16 10:37 AM, Peter Bonivart wrote:
> By placing them _above_ the double extension rule.
>
> /peter
> --



Well, I tried all of your suggestions and I still have trouble when I
test the rule. I restarted MailScanner every time after modifying the file.

Here I put a tiny test file online. This zip file contains a single
.sha.xml file. (This is generated by some program in Windows.) Anyway,
you can see that it is just a flat XML file, but with a double-extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even if I enable (although I don't like the idea):

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

it still blocks my test.zip file!

Could someone test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao

On 12-07-16 09:32 AM, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?
>
> Thanks
>
> Gao
>

Well, I tried all of your suggestions and I still have trouble when I
test the rule. I restarted MailScanner every time after modifying the file.

Here I put a tiny test file online. This zip file contains a single
.shp.xml file. (This is generated by some program in Windows.) Anyway,
you can see that it is just a flat XML file, but with a double-extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even if I enable (although I don't like the idea):

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

it still blocks my test.zip file!

Could someone test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao



[UPDATE]

I just tried putting the rule at the very beginning of the conf file.

Test result:
1. The zip file still gets blocked!
2. BUT if I attach the .shp.xml file without zipping it, it passed!

So is there something going on with the unzip/scan?

Gao





  #9  
16-07-2012 08:22 PM
 

On 12-07-16 11:03 AM, Martin Hepworth wrote:
> Put the rules at the top so they get hit first.
>
> Dont forget to restart mailscanner afterwards
>
> Martin
>
> On Monday, 16 July 2012, Chris Stone wrote:
>
>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao <
> > wrote:
>
> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop
> them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine:
> /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename
> extension (aral.shp.xml)
>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden
> filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible
> filename hiding Attempt to possibly hide
> real filename extension
>
>
> Chris
>
>
>
> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>

I replied but my mail doesn't show. ??? I included a URL for the
test.zip file in Dropbox, so has it been filtered out?



[UPDATE]

I just tried putting the rule at the very beginning of the conf file.

Test result:
1. The zip file still gets blocked!
2. BUT if I attach the .shp.xml file without zipping it, it passed!

So is there something going on with the unzip/scan?

Gao





  #10  
17-07-2012 08:56 AM
 

filename.rules.conf
filetype.rules.conf
*archives.filename.rules.conf*
archives.filetype.rules.conf

Which one were you editing?

On 16 July 2012 21:13, J Gao <> wrote:

> On 12-07-16 09:32 AM, J Gao wrote:
> > Hello,
> >
> > We have a client send us email with zipped attachment. It contain files
> > like:
> > file1.shp.xml
> > file2.kmz.kml
> >
> > I added two lines on the bottom of the filename.rules.conf:
> > allow \.shp\.xml$ - -
> > allow \.kmz\.kml$ - -
> >
> > But the MailScanner still detect them as "Bad Filename" and drop them
> > into quarantine:
> >
> > MessageID: 5482680A2.A554E
> > Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> > Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
> >
> >
> >
> > How can I let MailScanner know these are safe file name and let them
> > pass through?
> >
> > Thanks
> >
> > Gao
> >
>
> Well, I tried all you guys suggestion and I still get trouble when I
> test the rule. I restarted MailScanner every time after modify the file.
>
> Here I put a tiny test file online. This zip file contain a single
> .shp.xml file. (This is generated by some program in Windows). Anyway
> you can see that just a flat XML file but just with a double extension
> file name:
> http://dl.dropbox.com/u/3442771/test.zip
>
> BTW, even I enable (although I don't like the idea):
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding
>
> It's still block my test.zip file!
>
> Could someone can test is with my test.zip file above and let me know
> the solution?
>
> Thanks a lot.
>
> Gao
>
>
>
> [UPDATE]
>
> I just tried to put the rule on the very beginning of the conf file:
>
> test result:
> 1. zip file still get blocked!
> 2. BUT if I attach the .shp.xml file without zip it, it passed!
>
> So there is something going on with the unzip/scan ?
>
> Gao
>
>
>
>
>
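
A simplified model of what this thread describes, added here as an example and not MailScanner's own code: rules are checked top to bottom and the first match decides, and names inside a zip are checked against a separate rule list. Assumptions: the stock double-extension rule is a deny (as its comment says), archive members use their own list (the archives.filename.rules.conf named above), and the attachments are constructed samples.

```python
import io
import re
import zipfile


def rule(*fields):
    """Build one rule line; fields are TAB-separated as in the rules file."""
    return "\t".join(fields)


# Constructed rule text using the patterns quoted in this thread.
ALLOW_LINES = [
    rule("allow", r"\.shp\.xml$", "-", "-"),
    rule("allow", r"\.kmz\.kml$", "-", "-"),
]
STOCK_LINES = [
    "# Deny all other double file extensions. This catches any hidden filenames.",
    # Assumption: the stock rule is a deny, as its comment says.
    rule("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
         "Found possible filename hiding",
         "Attempt to hide real filename extension"),
]


def parse_rules(lines):
    """Return [(action, compiled_regex, report)] in file order."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            raise ValueError("malformed rule: %r" % line)
        report = fields[3] if len(fields) > 3 else ""
        rules.append((fields[0].lower(), re.compile(fields[1], re.I), report))
    return rules


def check(filename, rules):
    """First matching rule decides; no match means the name is accepted."""
    for action, regex, report in rules:
        if regex.search(filename):
            return action, report
    return "allow", ""


def scan(attachments, filename_rules, archive_rules):
    """Check each attachment name, then the member names of any zip."""
    verdicts = {}
    for name, data in attachments:
        verdicts[name] = check(name, filename_rules)[0]
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    key = name + "/" + member
                    verdicts[key] = check(member, archive_rules)[0]
    return verdicts


def make_zip(member_name, content=b"<metadata/>"):
    """Constructed sample: an in-memory zip holding one small XML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


ALLOWS_LAST = parse_rules(STOCK_LINES + ALLOW_LINES)   # the original attempt
ALLOWS_FIRST = parse_rules(ALLOW_LINES + STOCK_LINES)  # the advice given
STOCK_ONLY = parse_rules(STOCK_LINES)                  # an unedited list

MAIL = [("aral.shp.xml", b"<metadata/>"),
        ("test.zip", make_zip("aral.shp.xml"))]

if __name__ == "__main__":
    print("allows last :", check("aral.shp.xml", ALLOWS_LAST))
    print("allows first:", check("aral.shp.xml", ALLOWS_FIRST))
    # Only the attachment list was edited: the zipped copy is still denied.
    print(scan(MAIL, ALLOWS_FIRST, STOCK_ONLY))
    # The same allow lines placed first in the archive list as well.
    print(scan(MAIL, ALLOWS_FIRST, ALLOWS_FIRST))
```

Keeping the allow patterns anchored to the exact extension pair leaves a name such as invoice.pdf.exe caught by the double-extension rule.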



  #11  
17-07-2012 11:09 PM
 

Hello,

We have a client send us email with zipped attachment. It contain files
like:
file1.shp.xml
file2.kmz.kml

I added two lines on the bottom of the filename.rules.conf:
allow \.shp\.xml$ - -
allow \.kmz\.kml$ - -

But the MailScanner still detect them as "Bad Filename" and drop them
into quarantine:

MessageID: 5482680A2.A554E
Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)



How can I let MailScanner know these are safe file name and let them
pass through?

Thanks

Gao

--

--
MailScanner mailing list

http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
)
Gao,

Try putting your lines at the start of the file instead. This might resolve your problem.

Denis
PS: Don't forget to restart MS afterwards.

______________________________
Denis Beauchemin
Technology Architect - Server Infrastructure
Service des technologies de l’information
Université de Sherbrooke

Tel.: 819 821-8000, ext. 62252
Email:


> -----Original Message-----
> From: mailscanner- [mailto:mailscanner-
> ] On Behalf Of J Gao
> Sent: 16 July 2012 12:52
> To:
> Subject: How to allow double extension file?
>
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them into
> quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them pass
> through?
>
> Thanks
>
> Gao
>
On Mon, Jul 16, 2012 at 09:32:53AM -0700, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

Move those two lines from the bottom, after all the "deny" rules, up
before the "deny" rules -- or at least before any "deny" rules which
might match the filenames and cause detection as a bad filename.

--
Mike Andrews, W5EGO

Tired old sysadmin
--
On Mon, Jul 16, 2012 at 10:32 AM, J Gao <> wrote:

> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
>

Try making sure to add it above the line:

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to possibly hide real filename extension


Chris


On Mon, Jul 16, 2012 at 6:32 PM, J Gao <> wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?

By placing them _above_ the double extension rule.

/peter
--
Put the rules at the top so they get hit first.

Don't forget to restart mailscanner afterwards

Martin

On Monday, 16 July 2012, Chris Stone wrote:

>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao <
> > wrote:
>
>> Hello,
>>
>> I added two lines on the bottom of the filename.rules.conf:
>> allow \.shp\.xml$ - -
>> allow \.kmz\.kml$ - -
>>
>> But the MailScanner still detect them as "Bad Filename" and drop them
>> into quarantine:
>>
>> MessageID: 5482680A2.A554E
>> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
>> Report: MailScanner: Attempt to hide real filename extension
>> (aral.shp.xml)
>>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding Attempt to possibly hide real filename
> extension
>
>
> Chris
>


--
--
Martin Hepworth, CISSP
Oxford, UK


On 12-07-16 10:37 AM, Peter Bonivart wrote:
> By placing them _above_ the double extension rule.
>
> /peter
> --



Well, I tried all of you guys' suggestions and I still get trouble when I
test the rule. I restarted MailScanner every time after modifying the file.

Here I put a tiny test file online. This zip file contains a single
.sha.xml file. (This is generated by some program in Windows.) Anyway,
you can see that it is just a flat XML file, but with a double extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even if I enable (although I don't like the idea):

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

It still blocks my test.zip file!

Could someone test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao

On 12-07-16 09:32 AM, J Gao wrote:
> Hello,
>
> We have a client send us email with zipped attachment. It contain files
> like:
> file1.shp.xml
> file2.kmz.kml
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename extension (aral.shp.xml)
>
>
>
> How can I let MailScanner know these are safe file name and let them
> pass through?
>
> Thanks
>
> Gao
>

Well, I tried all of you guys' suggestions and I still get trouble when I
test the rule. I restarted MailScanner every time after modifying the file.

Here I put a tiny test file online. This zip file contains a single
.shp.xml file. (This is generated by some program in Windows.) Anyway,
you can see that it is just a flat XML file, but with a double extension
file name:
http://dl.dropbox.com/u/3442771/test.zip

BTW, even if I enable (although I don't like the idea):

# Deny all other double file extensions. This catches any hidden filenames.
allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding

It still blocks my test.zip file!

Could someone test it with my test.zip file above and let me know
the solution?

Thanks a lot.

Gao



[UPDATE]

I just tried to put the rule at the very beginning of the conf file:

test result:
1. The zip file still gets blocked!
2. BUT if I attach the .shp.xml file without zipping it, it passed!

So there is something going on with the unzip/scan?

Gao




On 12-07-16 11:03 AM, Martin Hepworth wrote:
> Put the rules at the top so they get hit first.
>
> Dont forget to restart mailscanner afterwards
>
> Martin
>
> On Monday, 16 July 2012, Chris Stone wrote:
>
>
> On Mon, Jul 16, 2012 at 10:32 AM, J Gao <
> > wrote:
>
> Hello,
>
> I added two lines on the bottom of the filename.rules.conf:
> allow \.shp\.xml$ - -
> allow \.kmz\.kml$ - -
>
> But the MailScanner still detect them as "Bad Filename" and drop
> them
> into quarantine:
>
> MessageID: 5482680A2.A554E
> Quarantine:
> /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> Report: MailScanner: Attempt to hide real filename
> extension (aral.shp.xml)
>
>
> Trying making sure to add it above the line:
>
> # Deny all other double file extensions. This catches any hidden
> filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible
> filename hiding Attempt to possibly hide
> real filename extension
>
>
> Chris
>
>
>
> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>

I replied but my mail doesn't show. ??? I included a URL for the
test.zip file in Dropbox, so it's been filtered out?



[UPDATE]

I just tried to put the rule at the very beginning of the conf file:

test result:
1. The zip file still gets blocked!
2. BUT if I attach the .shp.xml file without zipping it, it passed!

So there is something going on with the unzip/scan?

Gao




filename.rules.conf
filetype.rules.conf
*archives.filename.rules.conf*
archives.filetype.rules.conf

Which one were you editing?

On 16 July 2012 21:13, J Gao <> wrote:

> On 12-07-16 09:32 AM, J Gao wrote:
> > Hello,
> >
> > We have a client send us email with zipped attachment. It contain files
> > like:
> > file1.shp.xml
> > file2.kmz.kml
> >
> > I added two lines on the bottom of the filename.rules.conf:
> > allow \.shp\.xml$ - -
> > allow \.kmz\.kml$ - -
> >
> > But the MailScanner still detect them as "Bad Filename" and drop them
> > into quarantine:
> >
> > MessageID: 5482680A2.A554E
> > Quarantine: /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> > Report: MailScanner: Attempt to hide real filename extension
> (aral.shp.xml)
> >
> >
> >
> > How can I let MailScanner know these are safe file name and let them
> > pass through?
> >
> > Thanks
> >
> > Gao
> >
>
> Well, I tried all you guys suggestion and I still get trouble when I
> test the rule. I restarted MailScanner every time after modify the file.
>
> Here I put a tiny test file online. This zip file contain a single
> .shp.xml file. (This is generated by some program in Windows). Anyway
> you can see that just a flat XML file but just with a double extension
> file name:
> http://dl.dropbox.com/u/3442771/test.zip
>
> BTW, even I enable (although I don't like the idea):
>
> # Deny all other double file extensions. This catches any hidden filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding
>
> It's still block my test.zip file!
>
> Could someone can test is with my test.zip file above and let me know
> the solution?
>
> Thanks a lot.
>
> Gao
>
>
>
> [UPDATE]
>
> I just tried to put the rule on the very beginning of the conf file:
>
> test result:
> 1. zip file still get blocked!
> 2. BUT if I attach the .shp.xml file without zip it, it passed!
>
> So there is something going on with the unzip/scan ?
>
> Gao
>
>
>
>


On 12-07-17 12:56 AM, Joolee wrote:
> filename.rules.conf
> filetype.rules.conf
> *archives.filename.rules.conf*
> archives.filetype.rules.conf
>
> Which one were you editing?
>
> On 16 July 2012 21:13, J Gao <
> > wrote:
>
> On 12-07-16 09:32 AM, J Gao wrote:
> > Hello,
> >
> > We have a client send us email with zipped attachment. It contain
> files
> > like:
> > file1.shp.xml
> > file2.kmz.kml
> >
> > I added two lines on the bottom of the filename.rules.conf:
> > allow \.shp\.xml$ - -
> > allow \.kmz\.kml$ - -
> >
> > But the MailScanner still detect them as "Bad Filename" and drop them
> > into quarantine:
> >
> > MessageID: 5482680A2.A554E
> > Quarantine:
> /var/spool/MailScanner/quarantine/20120713/5482680A2.A554E
> > Report: MailScanner: Attempt to hide real filename
> extension (aral.shp.xml)
> >
> >
> >
> > How can I let MailScanner know these are safe file name and let them
> > pass through?
> >
> > Thanks
> >
> > Gao
> >
>
> Well, I tried all you guys suggestion and I still get trouble when I
> test the rule. I restarted MailScanner every time after modify the file.
>
> Here I put a tiny test file online. This zip file contain a single
> .shp.xml file. (This is generated by some program in Windows). Anyway
> you can see that just a flat XML file but just with a double extension
> file name:
> http://dl.dropbox.com/u/3442771/test.zip
>
> BTW, even I enable (although I don't like the idea):
>
> # Deny all other double file extensions. This catches any hidden
> filenames.
> allow \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename
> hiding
>
> It's still block my test.zip file!
>
> Could someone can test is with my test.zip file above and let me know
> the solution?
>
> Thanks a lot.
>
> Gao
>
>
>
> [UPDATE]
>
> I just tried to put the rule on the very beginning of the conf file:
>
> test result:
> 1. zip file still get blocked!
> 2. BUT if I attach the .shp.xml file without zip it, it passed!
>
> So there is something going on with the unzip/scan ?
>
> Gao
>
>
>
>

Thanks a lot. I got it working.

I need to configure both files.

Gao
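
The behaviour the thread arrives at, as an added example that is not part of the thread and is not MailScanner's own code: a simplified Python model in which the first matching rule decides and names inside a zip are judged by a separate archive rule set. The tab-separated rule layout, case-insensitive matching, the `deny` action on the double-extension rule, the helper names and the sample files are assumptions or constructed for the illustration.

```python
import io
import re
import zipfile

# Constructed rule lines; assumed layout: action<TAB>regex<TAB>log text<TAB>report text.
DOUBLE_EXT = ("deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\t"
              "Found possible filename hiding\tAttempt to hide real filename extension")
ALLOWS = ["allow\t\\.shp\\.xml$\t-\t-", "allow\t\\.kmz\\.kml$\t-\t-"]

def parse_rules(lines):
    """Parse rule lines into (action, regex) pairs in file order (case-insensitive: assumed)."""
    rules = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            action, pattern, _log, _report = re.split(r"\t+", line.strip(), maxsplit=3)
            rules.append((action, re.compile(pattern, re.IGNORECASE)))
    return rules

def verdict(name, rules):
    """Assumed model: the first matching rule decides; no match means allow."""
    for action, regex in rules:
        if regex.search(name):
            return action
    return "allow"

def make_zip(member):
    """Build a constructed one-member zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<metadata/>")
    return buf.getvalue()

def check_message(attachments, top_rules, archive_rules):
    """Judge attachment names with top_rules and zip member names with archive_rules."""
    results = {}
    for name, data in attachments.items():
        results[name] = verdict(name, top_rules)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    results[f"{name}!{member}"] = verdict(member, archive_rules)
    return results

def demo():
    sample = {"test.zip": make_zip("aral.shp.xml"), "aral.shp.xml": b"<metadata/>"}
    fixed, stock = parse_rules(ALLOWS + [DOUBLE_EXT]), parse_rules([DOUBLE_EXT])
    bottom = parse_rules([DOUBLE_EXT] + ALLOWS)
    return {"allow at bottom": check_message(sample, bottom, stock),
            "one file fixed": check_message(sample, fixed, stock),
            "both files fixed": check_message(sample, fixed, fixed)}
```

`demo()` returns the three verdict tables; the middle case reproduces the report in the thread, where the bare `.shp.xml` attachment passes while the same file inside the zip is still denied.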
