jar files in zip

dturbo
Posts: 13
Joined: 24 Aug 2016 10:23

jar files in zip

Post by dturbo »

Hi folks,

Got an email through today marked as clean, which had a zipped jar file in it. I have no idea how to check where the settings are for rejecting such things - I googled some stuff, and saw posts relating to mailscanner, but I can't see any of the directives (such as archive depth, file types blocked etc) inside the conf files (eg mailscanner.cf, local.cf etc).

Are these configured somewhere, or not configured at all and it's up to us to add this stuff? If so, can someone advise me of how to go about blocking different file types?

Thanks
Craig
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: jar files in zip

Post by skoppes »

I also ran into this previously - EFA doesn't (didn't?) look inside ZIP files by default. I don't know if the default behavior has changed yet or not.

The workaround is located here:
viewtopic.php?f=13&t=1210

Make the following config change (unless an update has changed it from 0 as default?):

Edit: /etc/MailScanner/MailScanner.conf
Change: Maximum Archive Depth
From: 0
To: 2
Restart MailScanner

sudo service MailScanner restart

Good luck!
dturbo
Posts: 13
Joined: 24 Aug 2016 10:23

Re: jar files in zip

Post by dturbo »

I've just done that. Will now test it. To be honest, the thing I am finding most confusing trying to configure all this, is the seemingly various conf file locations - this one in /etc/MailScanner and then there is mailscanner.conf in /etc/mail/spamassassin and also in there is local.cf

I never know where to put configuration stuff, to avoid the 'overwrite when updating' issue. I feel the documentation is a bit lacking in this respect. Any good rules to follow regarding where to make changes? E.g., if 0 is the default setting for this value (archive depth) then will /etc/Mailscanner/Mailscanner.conf get overwritten at an update? Should I be putting it in local.cf or mailscanner.cf in /etc/mail/spamassassin instead? Do these take precedence? I don't understand!!

Thanks :-)
Craig
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: jar files in zip

Post by skoppes »

I'm still rather new to everything in EFA (been using it for ~1.5 years) and find myself asking the same questions. My best advice would be to document your changes, so you can look back at them in the future. I've certainly found files in some odd places too! It doesn't help that the forum search feature is rather picky. A better way to search is directly from Google, including the 'site:forum.efa-project.org' parameter along with your query.

The good news is that changes in this file seem to persist across upgrades. In fact, most changes I've made seem to be persistent thus far. Who knows what the future holds.

The 'cost' of something free is often in figuring out how to use and work with it.

Best of luck!
dturbo
Posts: 13
Joined: 24 Aug 2016 10:23

Re: jar files in zip

Post by dturbo »

Thanks for the advice. Just had time to test it before I headed out the door, and it did catch the mail now, however not for the reason I expected!
It was caught under 'other infection', with the Report field saying "message contained archive nested too deeply".

Any ideas? The jar file was just directly inside the zip file, so I don't understand this message.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: jar files in zip

Post by shawniverson »

Increase the depth for archive scanning?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: jar files in zip

Post by pdwalker »

A jar file is another kind of zip file.

As Shawn says, increase the archive scanning depth.
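To illustrate the point that a jar is just another zip, and therefore a jar inside a zip is a two-level nest, here is an added example (not code from this thread, from EFA or from MailScanner). It builds a constructed zip wrapping a constructed jar entirely in memory, recognises the jar by its META-INF/MANIFEST.MF entry, and walks the members level by level to report the nesting depth. The counting convention (flat zip = 1, zip holding a jar = 2) and the size cap on members are this example's own assumptions; MailScanner's internal count may differ, which is consistent with the thread's observation that a setting of 2 still tripped the limit.

```python
"""Added example (not from the forum thread or the MailScanner/EFA project):
build a constructed zip that contains a jar, then count archive nesting depth
the way an archive-aware scanner must, to show why a jar inside a zip needs a
depth limit of at least 2 under this counting."""
import io
import zipfile

# Constructed sample content; no real payload.
MANIFEST = b"Manifest-Version: 1.0\nMain-Class: Hello\n"
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate anything bigger (decompression-bomb guard)


def build_jar() -> bytes:
    """A jar is a zip with a META-INF/MANIFEST.MF entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # fake class file header
    return buf.getvalue()


def build_zip_with_jar() -> bytes:
    """An outer zip wrapping the jar, like the attachment discussed in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.jar", build_jar())
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


def is_zip(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def is_jar(data: bytes) -> bool:
    """A jar is just a zip carrying a manifest, so the zip test succeeds first."""
    if not is_zip(data):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "META-INF/MANIFEST.MF" in zf.namelist()


def walk(data: bytes, level: int = 1, limit: int = 10):
    """Yield (nesting_level, member_name) for every member, descending into
    members that are themselves zips. `limit` bounds recursion on hostile input."""
    if level > limit or not is_zip(data):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            yield level, info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                continue  # do not inflate oversized members
            yield from walk(zf.read(info.filename), level + 1, limit)


def nesting_depth(data: bytes) -> int:
    """0 for a non-archive, 1 for a flat zip, 2 for a zip holding a zip or jar, and so on."""
    return max((level for level, _ in walk(data)), default=0)


if __name__ == "__main__":
    sample = build_zip_with_jar()
    for level, name in walk(sample):
        print(f"{'  ' * (level - 1)}[{level}] {name}")
    print("nesting depth:", nesting_depth(sample))
```

Run stand-alone, the walk prints invoice.jar at level 1 with its manifest and class entry at level 2, readme.txt at level 1, and a nesting depth of 2; the jar on its own reports depth 1 and a plain text file depth 0. The recursion limit and member size cap are there because an archive-unpacking path is exactly where a hostile sender can try to exhaust a scanner.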
dturbo
Posts: 13
Joined: 24 Aug 2016 10:23

Re: jar files in zip

Post by dturbo »

Cool. Seem to have it working now. If the jar is like a zip inside a zip, then I thought 2 would still have done it? No matter, have put it up to 5. After that, tested again and the mail got through clean! ... Weird, I thought, so then I rechecked what I had put in the archives filename rules, and noticed that I had not put anything for the two descriptive fields. I now think that the jar rule I had added was ignored, as it was incomplete, and the first time it was 'caught' was just as a result of failing to decompress it through nesting. The rules are tab separated, and other entries which had no descriptions had a ' - ' in those fields. Added the '- ' and tried again, and it found it. I have now put descriptions in, as it is useful due to the fact it shows up in the spamassassin report field when you look at the message detail.

One strange thing though - I added a .jar entry in the filenames rules too - thinking it would be good to make sure that if a jar was sent outwith a zip, that it would get picked up too. I tested, by sending a zipped jar and then a directly attached jar. Picked them both up, but now on the one with the zipped jar, there are two entries as if it was detected twice. Is this because the archives rule finds it inside the zip, then when the unzipped files are checked the filenames rule finds it again?

Cheers
Craig
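The thread's conclusion is that a rules line with the pattern but without the two description fields was silently ignored. The following added example (not code from this thread, from EFA or from MailScanner) is a small linter for rules lines in the format the thread describes: four tab-separated fields (action, regex, log text, user report text) with '-' standing in for an empty text field. It parses a constructed rule set once with the incomplete .jar line and once with the line completed, and shows that only the completed version matches a jar filename. The action vocabulary, the first-match-wins evaluation and the case-insensitive matching are this example's assumptions, not a statement of how MailScanner's own parser behaves.

```python
"""Added example (not from the forum thread or the MailScanner/EFA project):
a linter for filename-rules lines in the format the thread describes
(four tab-separated fields: action, regex, log text, user report text,
with '-' standing for an empty text field), showing why an incomplete
line yields no usable rule and therefore never matches."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = {"allow", "deny", "deny+delete", "rename"}  # assumed action vocabulary


@dataclass
class Rule:
    action: str
    pattern: re.Pattern
    log_text: str
    user_text: str
    lineno: int


def parse_rules(text: str) -> Tuple[List[Rule], List[Tuple[int, str]]]:
    """Return (usable rules, problems). A problem is (line number, reason)."""
    rules: List[Rule] = []
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = line.split("\t")
        if len(fields) != 4:
            problems.append((lineno, f"expected 4 tab-separated fields, got {len(fields)}"))
            continue
        action, pattern, log_text, user_text = (f.strip() for f in fields)
        if action not in ACTIONS:
            problems.append((lineno, f"unknown action {action!r}"))
            continue
        if not (log_text and user_text):
            problems.append((lineno, "empty text field; use '-' for no text"))
            continue
        try:
            compiled = re.compile(pattern, re.IGNORECASE)  # case-insensitive match: assumption
        except re.error as exc:
            problems.append((lineno, f"bad regex {pattern!r}: {exc}"))
            continue
        rules.append(Rule(action, compiled, log_text, user_text, lineno))
    return rules, problems


def first_match(rules: List[Rule], filename: str) -> Optional[Rule]:
    """First rule whose regex matches wins, top to bottom (assumed evaluation order)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


# Constructed rule sets. The third line of BROKEN_RULES is the mistake from the
# thread: the pattern is present but the two description fields are missing.
BROKEN_RULES = (
    "# action\tregex\tlog text\tuser report text\n"
    "allow\t\\.txt$\t-\t-\n"
    "deny\t\\.jar$\n"
    "deny\t\\.exe$\tWindows executable\tExecutables are not accepted\n"
)
FIXED_RULES = BROKEN_RULES.replace(
    "deny\t\\.jar$\n",
    "deny\t\\.jar$\tJava archive\tJava archives are not accepted\n",
)


def decide(rules_text: str, filename: str) -> str:
    """Action of the first matching rule, or 'no-match' when nothing applies."""
    rules, _ = parse_rules(rules_text)
    hit = first_match(rules, filename)
    return hit.action if hit else "no-match"


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        rules, problems = parse_rules(text)
        print(f"{label}: {len(rules)} usable rules, problems={problems}")
        for name in ("invoice.jar", "notes.txt", "setup.EXE"):
            print(f"  {name}: {decide(text, name)}")
```

With the broken set the linter reports line 3 as having only two fields and invoice.jar falls through with no match, which is the "got through clean" result from the thread; with the completed line the same filename is denied. Running a check like this over a rules file before restarting the scanner catches the incomplete-line mistake without having to send test mail.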