EFA don't block dangerous file attachment.

Post by buonleloi » 20 Apr 2017 03:51

Hi,

I added some file extensions to /etc/MailScanner/filename.rules.conf, but it seems they didn't work.

I used the test from http://www.emailsecuritycheck.net: 4/7 can reach my inbox.

Post by shawniverson » 20 Apr 2017 21:38

Restarted MailScanner?
Version 3.0.2.5 released! Update now to keep your eFa secure!

Post by buonleloi » 21 Apr 2017 10:33

Yes, restarted many times.

Post by shawniverson » 24 Apr 2017 23:13

Did you send a dll yourself or from this site?

They may be obfuscating the file somehow, is the reason I ask...

Post by pdwalker » 25 Apr 2017 06:06

test 4/7 attaches a batch file called "attached%2E" which decodes to "attached." That file cannot be run unless it is renamed to "attached.bat", so I would ignore that one.

test 5/7 attaches a batch file called "ATT00001.dll" and should be blocked, so I'd consider this a legitimate fail.

test 6/7 attaches a batch file called "attached.()bat". The extension ".()bat" won't run on a Windows computer, so I wouldn't consider that a fail. You can ignore this.

test 7/7 attaches a batch file called "attached". As it has no extension, Windows won't run it. Not a legitimate fail. Ignore.

Post by pdwalker » 25 Apr 2017 06:17

Edited /etc/MailScanner/filename.rules.conf and added (you need to change the spaces to tabs, which are not preserved here):

Code:

# Deny dll's
deny    \.dll$          Windows DLL          Dll's not allowed.

Restarted MailScanner and sent myself the dll attachment.

Result? blocked, so everything is good and in working order.
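
Added example (not part of any post in this thread, and not eFa or MailScanner code): a small Python check for the spaces-versus-tabs pitfall mentioned above, run against the four attachment names discussed in the thread. It assumes rules are TAB-separated with the first matching rule winning and case-insensitive matching, recognises only allow/deny/deny+delete, and uses Python's regex engine rather than Perl's; the .bat rule and the sample text are constructed.

```python
import re

# Simplified action set (assumption); other actions are reported as problems here.
ACTIONS = ("allow", "deny", "deny+delete")

def parse_rules(text):
    """Return (rules, problems). Expected fields, TAB-separated:
    action, regex, log text, user report text."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Runs of tabs are treated as one separator (assumption).
        fields = [f for f in line.split("\t") if f]
        if len(fields) < 4 or fields[0].strip() not in ACTIONS:
            problems.append((lineno, line))  # e.g. a rule pasted with spaces
            continue
        rules.append((fields[0].strip(),
                      re.compile(fields[1].strip(), re.IGNORECASE)))
    return rules, problems

def verdict(rules, filename):
    """First matching rule decides; no match means the file is allowed."""
    for action, regex in rules:
        if regex.search(filename):
            return action
    return "allow"

# Constructed sample: one rule with real tabs, one pasted with spaces.
SAMPLE = (
    "# Deny dll's\n"
    "deny\t\\.dll$\tWindows DLL\tDll's not allowed.\n"
    "deny    \\.bat$    Batch file    Batch files not allowed.\n"
)

# Attachment names as described in the thread (tests 4/7 to 7/7).
NAMES = ["attached%2E", "ATT00001.dll", "attached.()bat", "attached"]

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    for lineno, line in problems:
        print(f"line {lineno}: not a valid TAB-separated rule: {line!r}")
    for name in NAMES:
        print(f"{name!r}: {verdict(rules, name)}")
```
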
