EFA don't block dangerous file attachment.

Post by buonleloi » 20 Apr 2017 03:51

Hi,

I have added some file extensions to /etc/MailScanner/filename.rules.conf, but it seems they didn't work.

Using the test from http://www.emailsecuritycheck.net, 4/7 can reach my inbox.

Post by shawniverson » 20 Apr 2017 21:38

Restarted MailScanner?
Version 3.0.2.3 released! Update now to keep your eFa secure!

Post by buonleloi » 21 Apr 2017 10:33

Yes, restarted many times.

Post by shawniverson » 24 Apr 2017 23:13

Did you send a dll yourself or from this site?

They may be obfuscating the file somehow, is the reason I ask...

Post by pdwalker » 25 Apr 2017 06:06

test 4/7 attaches a batch file called "attached%2E" which decodes to "attached." That file cannot be run unless it is renamed to "attached.bat", so I would ignore that one.

test 5/7 attaches a batch file called "ATT00001.dll" and should be blocked, so I'd consider this a legitimate fail.

test 6/7 attaches a batch file called "attached.()bat". The extension ".()bat" won't run on a Windows computer, so I wouldn't consider that a fail. You can ignore this.

test 7/7 attaches a batch file called "attached". As it has no extension, Windows won't run it. Not a legitimate fail. Ignore.

Post by pdwalker » 25 Apr 2017 06:17

Edited /etc/MailScanner/filename.rules.conf and added (you need to change the spaces to tabs, which are not preserved here):

Code:

# Deny dll's
deny    \.dll$          Windows DLL          Dll's not allowed.

Restarted MailScanner, and sent myself the dll attachment.

Result? blocked, so everything is good and in working order.
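
Added example (not part of the original thread and not MailScanner's own code): a small checker for filename.rules.conf-style text that flags rule lines whose fields are not tab-separated, then evaluates the attachment names from the tests above. It assumes four tab-separated fields (action, regex, log text, user report), first matching rule wins, and case-insensitive matching; Python's `re` stands in for Perl regexes, and the function names and sample rule text are constructed for illustration.

```python
import re

VALID_ACTIONS = {"allow", "deny", "deny+delete"}

# Constructed samples: the rule from the last post, once as pasted into the
# forum (spaces between fields) and once with real tabs between fields.
SAMPLE_SPACES = "# Deny dll's\ndeny    \\.dll$          Windows DLL          Dll's not allowed.\n"
SAMPLE_TABS = "# Deny dll's\ndeny\t\\.dll$\tWindows DLL\tDll's not allowed.\n"

def parse_rules(text):
    """Return (rules, problems) for filename.rules.conf-style text."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"\t+", stripped)  # assumption: runs of tabs = one separator
        if len(fields) != 4:
            problems.append((n, "expected 4 tab-separated fields, got %d" % len(fields)))
            continue
        action, pattern, log_text, _report = fields
        # An e-mail address is also accepted in the action field (assumption).
        if action not in VALID_ACTIONS and "@" not in action:
            problems.append((n, "unknown action %r" % action))
            continue
        try:
            rules.append((action, re.compile(pattern, re.IGNORECASE), log_text))
        except re.error as exc:
            problems.append((n, "bad regex: %s" % exc))
    return rules, problems

def verdict(rules, filename):
    """First matching rule decides; a name that matches nothing is allowed."""
    for action, rx, _log_text in rules:
        if rx.search(filename):
            return action
    return "allow"

if __name__ == "__main__":
    for label, text in (("spaces", SAMPLE_SPACES), ("tabs", SAMPLE_TABS)):
        rules, problems = parse_rules(text)
        print(label, "problems:", problems)
        for name in ("ATT00001.dll", "attached.()bat", "attached"):
            print("  %-16s -> %s" % (name, verdict(rules, name)))
```

With the space-separated sample the rule is reported as malformed and ATT00001.dll passes; with tabs the same rule denies it.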
