					
				EFA don't block dangerous file attachment.
				Posted: 20 Apr 2017 03:51
				by buonleloi
				Hi,
I added some file extensions to /etc/MailScanner/filename.rules.conf
but it seems they didn't work.
Using the test from http://www.emailsecuritycheck.net,
4/7 can reach my inbox
 
 

 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 20 Apr 2017 21:38
				by shawniverson
				Restarted MailScanner?
			 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 21 Apr 2017 10:33
				by buonleloi
				Yes, restarted many times.
			 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 24 Apr 2017 23:13
				by shawniverson
				Did you send a dll yourself or from this site?
They may be obfuscating the file somehow, is the reason I ask...
			 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 25 Apr 2017 06:06
				by pdwalker
				Test 4/7 attaches a batch file called "attached%2E" which decodes to "attached."  That file cannot be run unless it is renamed to "attached.bat", so I would ignore that one.
Test 5/7 attaches a batch file called "ATT00001.dll" and should be blocked, so I'd consider this a legitimate fail.
Test 6/7 attaches a batch file called "attached.()bat".  The extension ".()bat" won't run on a Windows computer, so I wouldn't consider that a fail.  You can ignore this.
Test 7/7 attaches a batch file called "attached".  As it has no extension, Windows won't run it.  Not a legitimate fail.  Ignore.
			 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 25 Apr 2017 06:17
				by pdwalker
				Edited /etc/MailScanner/filename.rules.conf and added (you need to change the spaces to tabs, which are not preserved here):
Code:
# Deny dll's
140 deny    \.dll$          Windows DLL          Dll's not allowed.
Restarted MailScanner and sent myself the DLL attachment.
Result? blocked, so everything is good and in working order.
 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 29 Aug 2020 06:58
				by omer
				Hi,
I tried as you suggested, but since I restarted the MailScanner service it gives an error like this.
Code:
[root@gw omer]# nano /etc/MailScanner/filename.rules.conf
[root@gw omer]# /etc/init.d/mailscanner restart
Restarting MailScanner ...
 
Possible syntax error on line 140 of /etc/MailScanner/filename.rules.conf at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1672
Remember to separate fields with tab characters! at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1674
MailScanner restarted with process id 14923
 
			
					
				Re: EFA don't block dangerous file attachment.
				Posted: 30 Aug 2020 11:23
				by shawniverson
				You have a typo, and it is telling you where the typo is.
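
An added example, not part of the thread and not MailScanner's own code: a small pre-restart check for filename.rules.conf that flags lines whose fields are not tab-separated (the condition the warning above names) and shows which test attachment names the loaded rules would catch. It assumes four tab-separated fields as in the rule posted above, first-match-wins ordering, and case-insensitive matching; `lint_rules`, `first_match`, `ACTIONS` and `SAMPLE` are hypothetical names.

```python
import re

# Assumed action keywords; not a complete list of what MailScanner accepts.
ACTIONS = {"allow", "deny", "deny+delete", "rename"}

# Constructed sample: line 2 uses tabs, line 3 uses spaces between fields.
SAMPLE = (
    "# Deny dll's\n"
    "deny\t\\.dll$\tWindows DLL\tDll's not allowed.\n"
    "deny    \\.bat$    Batch file    Batch files not allowed.\n"
)

def lint_rules(text):
    """Return (rules, problems) for the text of a filename.rules.conf."""
    rules, problems = [], []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) != 4:
            problems.append((num, f"expected 4 tab-separated fields, got {len(fields)}"))
            continue
        action, pattern = fields[0].lower(), fields[1]
        if action not in ACTIONS:
            problems.append((num, f"unknown action {fields[0]!r}"))
            continue
        try:
            # Assumption: patterns match case-insensitively. Python's re is
            # close to, but not identical to, the Perl regex MailScanner uses.
            rules.append((num, action, re.compile(pattern, re.IGNORECASE)))
        except re.error as exc:
            problems.append((num, f"bad regex: {exc}"))
    return rules, problems

def first_match(rules, filename):
    """Return (line, action) of the first matching rule, or None."""
    for num, action, regex in rules:
        if regex.search(filename):
            return num, action
    return None

if __name__ == "__main__":
    rules, problems = lint_rules(SAMPLE)
    for num, msg in problems:
        print(f"line {num}: {msg}")
    for name in ("ATT00001.dll", "attached%2E", "attached.()bat", "attached"):
        print(f"{name!r} -> {first_match(rules, name)}")
```

Run it against the real file's contents before restarting the service; a line reported here would not be loaded as a rule under the assumptions above.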