EFA-Attachment-Warning.txt
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "*******************************************.INV.pdf"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.
Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.
At Mon Jul 29 14:31:44 2013 the virus scanner said:
MailScanner: Attempt to hide real filename extension ("*******************************************..INV.pdf)
--
Postmaster
EFA-Project
www.efa-project.org
For all your IT requirements visit: http://www.transtec.co.uk
Is there a way to recover the attachment? Why can't the system keep it? It can keep full mimes...
Re: EFA-Attachment-Warning.txt
Sorry, this should be moved to "Bugs".
Re: EFA-Attachment-Warning.txt
In this case the double filename extension makes the system think it is a virus, and by default the system does not store viruses.
You can change this in 2 ways:
1) Keep infected files (so you can restore them)
2) Just allow double file extensions so this won't happen again.
The first (keep infected files) can be changed in /etc/Mailscanner/Mailscanner.conf
Find the line that says:
Code:
Quarantine Infections = no
Change it to 'yes' and restart MailScanner.
The second (allow double file extensions) is configured in /etc/Mailscanner/filename.rules.conf
Scroll all the way down and find the 2 lines:
Code:
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
Just comment the deny out and restart MailScanner.
Version eFa 4.x now available!
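Added example, not part of the original post or of the eFa/MailScanner code: the deny pattern quoted above is run against a few constructed filenames to show why a name ending in ".INV.pdf" trips it, and what stops being caught once the line is commented out. It assumes rules are evaluated top to bottom with the first match winning, case-insensitive matching, and "allow" when nothing matches; the narrower ".inv.pdf" allow rule is a hypothetical site-specific alternative.

```python
import re

# The deny pattern quoted in the answer above (from filename.rules.conf).
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Rules as (action, regex) pairs, evaluated top to bottom.
# Assumptions: first matching rule wins, matching is case-insensitive.
STOCK_RULES = [("deny", DOUBLE_EXT)]

# Hypothetical site-specific rule: allow only the ".inv.pdf" suffix,
# placed above the generic deny instead of commenting the deny out.
NARROW_RULES = [("allow", r"\.inv\.pdf$"), ("deny", DOUBLE_EXT)]

# What remains of this check once the deny line is commented out.
DISABLED_RULES = []


def verdict(filename, rules):
    """Return the action of the first matching rule (assumed default: allow)."""
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action
    return "allow"


def compare(filenames):
    """Map each filename to its verdict under the three rule sets."""
    return {
        name: (verdict(name, STOCK_RULES),
               verdict(name, NARROW_RULES),
               verdict(name, DISABLED_RULES))
        for name in filenames
    }


# Constructed sample names; the real attachment name is masked in the thread.
SAMPLES = [
    "12345.INV.pdf",       # same shape as the blocked attachment
    "report.pdf",          # single extension, never matched
    "holiday.jpg .exe",    # whitespace before the second extension
    "statement.doc.scr",   # document-looking name with a second extension
]

if __name__ == "__main__":
    print(f"{'filename':22} stock   narrow  disabled")
    for name, row in compare(SAMPLES).items():
        print(f"{name:22} " + "  ".join(f"{v:6}" for v in row))
```

With the narrow allow rule the invoice-style name passes while the other double-extension names are still denied; with the deny commented out, all of them pass this check.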
Re: EFA-Attachment-Warning.txt
Thank you for your quick answer!
If I quarantine infections, I'll be able to release the email if it's found not to be spam, and the user will not receive an email with the warning txt?
Re: EFA-Attachment-Warning.txt
Yep that is correct,
But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.
Re: EFA-Attachment-Warning.txt
I got a new one (email), for blocked files. It had 5 Excel attachments. I released it, and the "released" email is filled with "EFA-Attachment-Warning.txt"
Re: EFA-Attachment-Warning.txt
some doc to bypass the filters when the email is sent from localhost:
http://mailwatch.sourceforge.net/doku.p ... _mailwatch
Could be added to 0.4
Re: EFA-Attachment-Warning.txt
I did a test on myself (with only Quarantine Infections). I get two emails with the text file, on the original submission and on the release.
Re: EFA-Attachment-Warning.txt
I tested the tutorial.
The original incoming email is scanned and blocked. The user receives a warning text file.
The released email is sent unscanned and looks original.
Re: EFA-Attachment-Warning.txt
darky83 wrote: But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.

How can storing a virus on a dedicated Linux machine be against company policy? No user can access those.
Re: EFA-Attachment-Warning.txt
"How can storing a virus on a dedicated Linux machine be against company policy? No user can access those."

In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed.
Re: EFA-Attachment-Warning.txt
darky83 wrote:
"How can storing a virus on a dedicated Linux machine be against company policy? No user can access those."
In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed.

How do you recover a false positive then?
Re: EFA-Attachment-Warning.txt
You don't, that's one of the risks accepted by the company.
(If it is a good or bad decision, that is not up to me; as a sysadmin I just have to follow the rules.)