EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 18:51
by sberube
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "*******************************************.INV.pdf"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.
Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the original attachment.
At Mon Jul 29 14:31:44 2013 the virus scanner said:
MailScanner: Attempt to hide real filename extension ("*******************************************..INV.pdf)
--
Postmaster
EFA-Project
www.efa-project.org
For all your IT requirements visit:
http://www.transtec.co.uk
Is there a way to recover the attachment? Why can't the system keep it? It can keep full MIMEs...
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 19:18
by sberube
sorry this should be moved to "Bugs"
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 19:30
by darky83
In this case the double filename extension makes the system think it is a virus, and by default the system does not store viruses.
You can change this in 2 ways:
1) Keep infected files (so you can restore them)
2) Just allow double file extensions so this won't happen again.
The first (keep infected files) can be changed in /etc/Mailscanner/Mailscanner.conf
Find the line that says:
Change it to 'yes' and restart Mailscanner.
The second (allow double file extensions) is configured in /etc/Mailscanner/filename.rules.conf
Scroll all the way down and find the 2 lines:
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
Just comment the deny out and restart Mailscanner.
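To see what the deny line above actually catches, and what disabling it gives up, here is a small added example (not MailScanner's own code and not from the post) that evaluates attachment names against a constructed rule table in the spirit of filename.rules.conf. Only the double-extension deny line is taken from the post; the other rules, the sample filenames, and the case-insensitive matching are assumptions made for this example.

```python
import re

# Constructed rule table in the spirit of MailScanner's filename.rules.conf:
# (action, regex, log text, user report text). Rules are tried in order and
# the first match decides. Only the double-extension deny line is from the
# post; the other rows are constructed for this example.
RULES = [
    ("deny",  r"\.exe$", "Executable", "No programs allowed"),
    ("deny",  r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
              "Found possible filename hiding",
              "Attempt to hide real filename extension"),
    ("allow", r".*", "-", "-"),
]


def classify(filename, rules=RULES):
    """Return (action, user_report) for the first rule whose regex matches.

    Matching is case-insensitive here. That is an assumption: the pattern
    only lists lowercase letters, yet the uppercase ".INV.pdf" in the post
    was caught, so the scanner evidently ignores case.
    """
    for action, pattern, _log_text, report in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, report
    return "allow", "-"  # an empty rule set blocks nothing


def without_rule(rules, marker):
    """Simulate commenting out every rule whose log text contains `marker`
    (option 2 in the post: disabling the double-extension deny)."""
    return [rule for rule in rules if marker not in rule[2]]


def with_exception(rules, allow_pattern):
    """Alternative to disabling the deny: a narrow allow placed before it,
    so only one known-good name shape passes while everything else the deny
    covers is still blocked. This variant is the example's own suggestion,
    not something the post describes."""
    return [("allow", allow_pattern, "Site exception", "-")] + list(rules)


# Constructed sample attachment names: one false positive (.INV.pdf),
# one real double-extension trick, and three ordinary names.
SAMPLES = ["invoice.INV.pdf", "notes.txt.vbs", "report.2013.xls",
           "setup.exe", "budget.xls"]


def denied(rules):
    """Names from SAMPLES that the given rule table would deny."""
    return [name for name in SAMPLES if classify(name, rules)[0] == "deny"]


if __name__ == "__main__":
    print("default rules deny:      ", denied(RULES))
    print("deny line commented out: ", denied(without_rule(RULES, "hiding")))
    print("narrow allow added:      ", denied(with_exception(RULES, r"\.inv\.pdf$")))
```

Note that the deny regex only fires when the final extension is exactly three characters and the middle one starts with a letter, so "report.2013.xls" passes untouched while "invoice.INV.pdf" and "notes.txt.vbs" are both caught. Commenting the line out clears the false positive but also lets the .txt.vbs case through, which is the trade-off behind option 2.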
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 19:37
by sberube
Thank you for your quick answer!
If I quarantine infections, will I be able to release the email if I find it's not spam, and will the user then not receive an email with the warning txt?
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 19:41
by darky83
Yep that is correct,
But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 20:02
by sberube
I got a new one (email), for blocked files. It had 5 Excel attachments. I released it, and the "released" email is filled with "EFA-Attachment-Warning.txt".
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 20:10
by sberube
some doc to bypass the filters when the email is sent from localhost:
http://mailwatch.sourceforge.net/doku.p ... _mailwatch
Could be added to 0.4

Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 20:16
by sberube
I did a test on myself (with only Quarantine Infections). I get two emails with the text file, on the original submission and on the release.
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 20:47
by sberube
I tested the tutorial.
The original incoming email is scanned and blocked. The user receives a warning text file.
The released email is sent unscanned and looks original.
Re: EFA-Attachment-Warning.txt
Posted: 29 Jul 2013 20:56
by sberube
darky83 wrote: But keep in mind that you may be storing viruses, something that might not be allowed by a company policy.
How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.
Re: EFA-Attachment-Warning.txt
Posted: 30 Jul 2013 13:56
by darky83
How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.
In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed.

Re: EFA-Attachment-Warning.txt
Posted: 30 Jul 2013 14:34
by sberube
darky83 wrote: How can storing viruses on a dedicated Linux machine be against company policy? No user can access those.
In most larger companies it is prohibited by policy to download/send viruses; that is also the reason why it is not stored by default in EFA. In one of the companies I work for it is just not allowed.

How do you recover false positives then?
Re: EFA-Attachment-Warning.txt
Posted: 30 Jul 2013 17:41
by darky83
You don't, that's one of the risks accepted by the company.
(Whether it is a good or bad decision is not up to me; as a sysadmin I just have to follow the rules.)