EFA-Attachment-Warning.txt

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 18:51

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "*******************************************.INV.pdf"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.

At Mon Jul 29 14:31:44 2013 the virus scanner said:
MailScanner: Attempt to hide real filename extension ("*******************************************..INV.pdf)

--
Postmaster
EFA-Project
www.efa-project.org

For all your IT requirements visit: http://www.transtec.co.uk

Is there a way to recover the attachment? Why can't the system keep it? It can keep full MIMEs...

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 19:18

Sorry, this should be moved to "Bugs".

darky83
Site Admin
Posts: 529
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA-Attachment-Warning.txt

Post by darky83 » 29 Jul 2013 19:30

In this case the double filename extension makes the system think it is a virus, and by default the system does not store viruses.
You can change this in 2 ways:

1) Keep infected files (so you can restore them)
2) Just allow double file extensions so this won't happen again.

The first (keep infected files) can be changed in /etc/Mailscanner/Mailscanner.conf
Find the line that says:

    Quarantine Infections = no

change it to 'yes' and restart Mailscanner.

The second (allow double file extensions) is configured in /etc/Mailscanner/filename.rules.conf
Scroll all the way down and find the 2 lines:

    # Deny all other double file extensions. This catches any hidden filenames.
    deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding                          Attempt to hide real filename extension

Just comment the deny out and restart Mailscanner.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!
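An added example (my own code, not eFa's or MailScanner's) that simulates how filename.rules.conf lines are applied, first match wins: the deny line quoted above, plus a hypothetical allow rule placed before it so the ".INV.pdf" invoice names from this thread pass while a real hidden extension such as ".pdf.exe" is still rejected. The allow pattern, the simplified whitespace field splitting and the catch-all allow line are assumptions.

```python
import re

# Constructed excerpt of a MailScanner filename.rules.conf (not the thread's
# real file). The real file separates fields with tabs; two or more spaces
# are accepted here too so the snippet survives copy-paste. Format:
#   action  regex  log-text  user-report
# The first matching line wins, so a specific allow placed above the catch-all
# deny rescues one naming convention without switching the check off entirely.
ALLOW_INVOICES = r"""
# hypothetical allow for the ".INV.pdf" invoice naming seen in the thread
allow   \.inv\.pdf$   -   -
"""

DENY_DOUBLE_EXT = r"""
# Deny all other double file extensions. This catches any hidden filenames.
deny   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension
# Allow everything else (assumed catch-all)
allow   .*   -   -
"""


def parse_rules(text):
    """Return a list of (action, compiled regex, log text, user report)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\t+|\s{2,}", line, maxsplit=3)
        action, pattern = parts[0].lower(), parts[1]
        log_text = parts[2] if len(parts) > 2 else ""
        report = parts[3] if len(parts) > 3 else ""
        # The thread shows ".INV.pdf" caught by a lowercase-only pattern,
        # so the match must be case-insensitive.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, report))
    return rules


def check_filename(name, rules):
    """First matching rule decides; returns (action, user report) or None."""
    for action, regex, _log_text, report in rules:
        if regex.search(name):
            return action, report
    return None


if __name__ == "__main__":
    strict = parse_rules(DENY_DOUBLE_EXT)
    tuned = parse_rules(ALLOW_INVOICES + DENY_DOUBLE_EXT)
    for name in ("report.INV.pdf", "invoice.pdf.exe", "file.doc .exe", "report.pdf"):
        print(f"{name:18} strict={check_filename(name, strict)[0]:5} tuned={check_filename(name, tuned)[0]}")
```

Note that the deny pattern's `\s*` also catches a space slipped between the two extensions ("file.doc .exe"), which is why commenting the whole rule out gives up more than just the invoice case.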

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 19:37

Thank you for your quick answer!

If I quarantine infections, I'll be able to release the email if I find it's not spam, and the user will not receive an email with the warning txt?

darky83
Site Admin
Posts: 529
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA-Attachment-Warning.txt

Post by darky83 » 29 Jul 2013 19:41

Yep, that is correct.

But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 20:02

I got a new one (email), for blocked files. It had 5 Excel attachments. I released it, and the "released" email is filled with "EFA-Attachment-Warning.txt".

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 20:10

Some doc to bypass the filters when the email is sent from localhost:

http://mailwatch.sourceforge.net/doku.p ... _mailwatch

Could be added to 0.4 :)

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 20:16

I did a test on myself (with only Quarantine Infections). I get two emails with the text file, on the original submission and on the release.

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 20:47

I tested the tutorial.

The original incoming email is scanned and blocked. The user receives a warning text file.
The released email is sent unscanned and looks original.

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 29 Jul 2013 20:56

darky83 wrote:
But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.
How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.

darky83
Site Admin
Posts: 529
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA-Attachment-Warning.txt

Post by darky83 » 30 Jul 2013 13:56

sberube wrote:
How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.
In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed :)

sberube
Posts: 29
Joined: 25 Jul 2013 18:34
Location: Québec, Canada

Re: EFA-Attachment-Warning.txt

Post by sberube » 30 Jul 2013 14:34

darky83 wrote:
sberube wrote:
How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.
In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed :)
How do you recover false positives then?

darky83
Site Admin
Posts: 529
Joined: 30 Sep 2012 11:03
Location: eFa

Re: EFA-Attachment-Warning.txt

Post by darky83 » 30 Jul 2013 17:41

You don't, that's one of the risks accepted by the company.

(if it is a good or bad decision that is not up to me, as a sysadmin I just have to follow the rules :roll: )