MailScanner filename exception rule?

Discussion in 'E-mail Discussion' started by dory36, Jan 14, 2005.

  1. dory36

    We've been lucky to have almost a zero false alarm rate with our virus scanning with ClamAV and MailScanner.

    There is one set of files that comes to me by email periodically that always trips the trigger; it contains two attachments, xxx-1-2-3.zip and yyy.inc.php. (The 1-2-3 part is a version number, and changes each time.)

    I always get the message "The original e-mail attachment "xxx-1-2-3.zip"
    is on the list of unacceptable attachments for this site and has been
    replaced by this warning message ... At Fri Jan 14 03:48:50 2005 the virus scanner said:
    Attempt to hide real filename extension (yyy.inc.php)


    What rule(s) can I add, and where, to allow this specific set of files without opening up a loophole for all the "resume.doc .com" and similar attacks?

    Thanks - Bill
     
  2. chirpy

    Bill,

    My latest release of MailScanner includes the following two rulesets:

    /usr/mailscanner/etc/rules/filetype.rules.rules
    /usr/mailscanner/etc/rules/filename.rules.rules

    You can put exceptions into these files (at the top) for specific senders/recipients using:

    From: x@y.com and To: a@b.com /usr/mailscanner/etc/filetype.no.rules.conf

    This will then skip filename and filetype checking for any email from/to the email address combination listed. It will mean that the email is still virus scanned, though again, an exception rule could be put at the top of:

    /usr/mailscanner/etc/rules/virus.scanning.rules

    The exception would look similar to the above:

    From: x@y.com and To: a@b.com no

    Modifying any of these files would require a reload of MailScanner:

    service MailScanner reload

    You should obviously only ever do this for email from trusted sources.
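
An added example (not part of the thread and not MailScanner's own code): a small Python model of how a ruleset laid out as in chirpy's answer is evaluated, assuming rules are read top to bottom and the first match wins. It shows that the exception applies only to the one sender/recipient pair and why it has to sit above the catch-all. The `FromOrTo: default` line and its path are constructed placeholders, and `parse_ruleset` and `lookup` are hypothetical names.

```python
import fnmatch

# Constructed sample in the layout the answer describes: exception at the top,
# catch-all last. The default line and its path are assumed placeholders.
SAMPLE_RULESET = """\
From: x@y.com and To: a@b.com /usr/mailscanner/etc/filetype.no.rules.conf
FromOrTo: default /path/to/normal/filetype.rules.conf
"""

def parse_ruleset(text):
    """Parse lines into (conditions, value); conditions = [(direction, pattern), ...]."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue  # blank, comment or malformed line
        conds = [(tokens[0].rstrip(":").lower(), tokens[1].lower())]
        rest = tokens[2:]
        if rest[0].lower() == "and" and len(rest) >= 4:
            conds.append((rest[1].rstrip(":").lower(), rest[2].lower()))
            rest = rest[3:]
        rules.append((conds, " ".join(rest)))
    return rules

def _cond_matches(direction, pattern, sender, recipient):
    if pattern == "default":
        return True
    # Addresses are compared case-insensitively in this model; * is a wildcard.
    hit = lambda addr: fnmatch.fnmatchcase(addr.lower(), pattern)
    if direction == "from":
        return hit(sender)
    if direction == "to":
        return hit(recipient)
    if direction == "fromorto":
        return hit(sender) or hit(recipient)
    return False  # directions this model does not cover never match

def lookup(rules, sender, recipient):
    """Return the value of the first rule whose conditions all match."""
    for conds, value in rules:
        if all(_cond_matches(d, p, sender, recipient) for d, p in conds):
            return value
    return None

if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    print(lookup(rules, "x@y.com", "a@b.com"))       # the exception applies
    print(lookup(rules, "x@y.com", "someone@b.com"))  # normal checks apply
```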
     