EFA don't block dangerous file attachment.

Report bugs and workarounds
Post Reply
buonleloi
Posts: 7
Joined: 07 Sep 2016 06:10

EFA don't block dangerous file attachment.

Post by buonleloi »

Hi,

I had added some file extension to /etc/MailScanner/filename.rules.conf
But seem they didn't work.

Use test from http://www.emailsecuritycheck.net
4/7 can reach my inbox

Image

Image

Image
User avatar
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: EFA don't block dangerous file attachment.

Post by shawniverson »

Restarted MailScanner?
buonleloi
Posts: 7
Joined: 07 Sep 2016 06:10

Re: EFA don't block dangerous file attachment.

Post by buonleloi »

Yes, restart many time.
User avatar
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: EFA don't block dangerous file attachment.

Post by shawniverson »

Did you send a dll yourself or from this site?

They may be obfuscating the file somehow, is the reason I ask...
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA don't block dangerous file attachment.

Post by pdwalker »

test 4/7 attaches a batch file called "attached%2E" which decodes to "attached." That file cannot be run unless it is renamed to "attached.bat", so I would ignore that one.

test 5/7 attaches a batch file called "ATT00001.dll" and should be blocked, so I'd consider this a legitimate fail.

test 6/7 attaches a batch file called "attached.()bat". The extension ".()bat" won't run on a windows computer, so I wouldn't consider that a fail. You can ignore this.

test 7/7 attaches a batch file called "attached" As it has no extension, Windows won't run it. Not a legitimate fail. Ignore.
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA don't block dangerous file attachment.

Post by pdwalker »

edited /etc/MailScanner/filename.rules.conf and added (you need to change the spaces to tabs which are not preserved here):

Code: Select all

# Deny dll's
140 deny    \.dll$          Windows DLL          Dll's not allowed.
restarted mailscanner, and sent myself the dll attachment.

Result? blocked, so everything is good and in working order.
omer
Posts: 39
Joined: 11 Oct 2017 15:23

Re: EFA don't block dangerous file attachment.

Post by omer »

Hi,

I try as you suggest. But since I restarted the MailScanner service it gives an error like this.

Code: Select all

[root@gw omer]# nano /etc/MailScanner/filename.rules.conf
[root@gw omer]# /etc/init.d/mailscanner restart
Restarting MailScanner ...
 

Possible syntax error on line 140 of /etc/MailScanner/filename.rules.conf at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1672
Remember to separate fields with tab characters! at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1674

MailScanner restarted with process id 14923
User avatar
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: EFA don't block dangerous file attachment.

Post by shawniverson »

You have a typo, and it is telling you where the typo is.
Post Reply