EFA doesn't block dangerous file attachments.

buonleloi
Posts: 7
Joined: 07 Sep 2016 06:10

EFA doesn't block dangerous file attachments.

Post by buonleloi » 20 Apr 2017 03:51

Hi,

I added some file extensions to /etc/MailScanner/filename.rules.conf, but it seems they didn't work.

Using the test from http://www.emailsecuritycheck.net, 4/7 can reach my inbox.

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA doesn't block dangerous file attachments.

Post by shawniverson » 20 Apr 2017 21:38

Restarted MailScanner?
Version eFa 4.0.2 now available!

buonleloi
Posts: 7
Joined: 07 Sep 2016 06:10

Re: EFA doesn't block dangerous file attachments.

Post by buonleloi » 21 Apr 2017 10:33

Yes, restarted many times.

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA doesn't block dangerous file attachments.

Post by shawniverson » 24 Apr 2017 23:13

Did you send a dll yourself or from this site?

They may be obfuscating the file somehow, is the reason I ask...

pdwalker
Posts: 1320
Joined: 18 Mar 2015 09:16

Re: EFA doesn't block dangerous file attachments.

Post by pdwalker » 25 Apr 2017 06:06

Test 4/7 attaches a batch file called "attached%2E" which decodes to "attached." That file cannot be run unless it is renamed to "attached.bat", so I would ignore that one.

Test 5/7 attaches a batch file called "ATT00001.dll" and should be blocked, so I'd consider this a legitimate fail.

Test 6/7 attaches a batch file called "attached.()bat". The extension ".()bat" won't run on a Windows computer, so I wouldn't consider that a fail. You can ignore this.

Test 7/7 attaches a batch file called "attached". As it has no extension, Windows won't run it. Not a legitimate fail. Ignore.

pdwalker
Posts: 1320
Joined: 18 Mar 2015 09:16

Re: EFA doesn't block dangerous file attachments.

Post by pdwalker » 25 Apr 2017 06:17

Edited /etc/MailScanner/filename.rules.conf and added (you need to change the spaces to tabs, which are not preserved here):

Code:

# Deny dll's
140 deny    \.dll$          Windows DLL          Dll's not allowed.

Restarted MailScanner, and sent myself the DLL attachment.

Result? blocked, so everything is good and in working order.

omer
Posts: 28
Joined: 11 Oct 2017 15:23

Re: EFA doesn't block dangerous file attachments.

Post by omer » 29 Aug 2020 06:58

Hi,

I tried as you suggested, but since I restarted the MailScanner service it gives an error like this.

Code:

[root@gw omer]# nano /etc/MailScanner/filename.rules.conf
[root@gw omer]# /etc/init.d/mailscanner restart
Restarting MailScanner ...
 

Possible syntax error on line 140 of /etc/MailScanner/filename.rules.conf at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1672
Remember to separate fields with tab characters! at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1674

MailScanner restarted with process id 14923

shawniverson
Posts: 3147
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA doesn't block dangerous file attachments.

Post by shawniverson » 30 Aug 2020 11:23

You have a typo, and it is telling you where the typo is.

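Added example (not code from any poster in this thread or from the eFa/MailScanner project): a small Python check for filename.rules.conf lines that flags rules whose fields are not tab-separated, then runs the four attachment names discussed above against the rules that parsed. It assumes four tab-separated fields per rule (action, regex, log text, user report text), first matching rule wins, and Python's `re` as a stand-in for MailScanner's Perl regex matching; `SAMPLE_RULES`, `parse_rules` and `first_match` are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Assumption: only these actions are checked here; the assumed rule layout is
# action, regex, log text, user report text, separated by tab characters.
KNOWN_ACTIONS = ("allow", "deny", "deny+delete")

# Constructed sample: line 2 uses tabs, line 3 uses spaces between fields.
SAMPLE_RULES = "\n".join([
    "# Deny dll's",
    "\t".join(["deny", r"\.dll$", "Windows DLL", "Dll's not allowed."]),
    "    ".join(["deny", r"\.bat$", "Batch file", "Batch files not allowed."]),
])

def parse_rules(text):
    """Return (rules, errors); rules are (lineno, action, compiled_regex)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            errors.append((lineno, f"expected 4 tab-separated fields, found {len(fields)}"))
            continue
        action, pattern = fields[0], fields[1]
        if action not in KNOWN_ACTIONS:
            errors.append((lineno, f"unrecognised action {action!r}"))
            continue
        try:
            rules.append((lineno, action, re.compile(pattern)))
        except re.error as exc:
            errors.append((lineno, f"bad regex: {exc}"))
    return rules, errors

def first_match(rules, filename):
    """Return (action, lineno) of the first rule matching the decoded name."""
    name = unquote(filename)  # "attached%2E" -> "attached."
    for lineno, action, regex in rules:
        if regex.search(name):
            return action, lineno
    return None

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_RULES)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for name in ["attached%2E", "ATT00001.dll", "attached.()bat", "attached"]:
        print(f"{name!r:20} -> {first_match(rules, name)}")
```

Running a check like this before restarting MailScanner shows which line lost its tabs, and which test attachments an extension rule can and cannot catch.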