
MailScanner filename exception rule?

Discussion in 'E-mail Discussions' started by dory36, Jan 14, 2005.

  1. dory36

    dory36 Well-Known Member

    We've been lucky to have almost a zero false alarm rate with our virus scanning with ClamAV and MailScanner.

    There is one set of files that comes to me by email periodically that always trips the trigger; it contains two attachments, xxx-1-2-3.zip and yyy.inc.php. (The 1-2-3 part is a version number, and changes each time.)

    I always get the message "The original e-mail attachment "xxx-1-2-3.zip"
    is on the list of unacceptable attachments for this site and has been
    replaced by this warning message ... At Fri Jan 14 03:48:50 2005 the virus scanner said:
    Attempt to hide real filename extension (yyy.inc.php)


    What rule(s) can I add, and where, to allow this specific set of files without opening up a loophole for all the "resume.doc .com" and similar attacks?

    Thanks - Bill
     
  2. chirpy

    chirpy Well-Known Member

    Bill,

    My latest release of MailScanner includes the following two rulesets:

    /usr/mailscanner/etc/rules/filetype.rules.rules
    /usr/mailscanner/etc/rules/filename.rules.rules

    You can put exceptions into these files (at the top) for specific senders/recipients using:

    From: x@y.com and To: a@b.com /usr/mailscanner/etc/filetype.no.rules.conf

    This will then skip filename and filetype checking for any email from/to the email address combination listed. It will mean that the email is still virus scanned, though again, an exception rule could be put at the top of:

    /usr/mailscanner/etc/rules/virus.scanning.rules

    The exception would look similar to the above:

    From: x@y.com and To: a@b.com no

    Modifying any of these files would require a reload of MailScanner:

    service MailScanner reload

    You should obviously only ever do this for email from trusted sources.
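
Added example, not part of the thread and not MailScanner's own code: a small Python model of how a ruleset with the exception above at the top is read, plus an audit that flags bypass rules not pinned to one exact sender and one exact recipient. It assumes first-match-wins evaluation and glob-only address patterns; the wildcard rule and the `DEFAULT-RULES-FILE` value in the sample are constructed, and `parse`, `lookup` and `audit` are hypothetical helper names.

```python
import fnmatch
import re

# Constructed sample. Line 2 is the exception from the post above; the default
# value and the wildcard rule on line 3 are made up for illustration.
SAMPLE_RULESET = """\
# exceptions first, default last
From: x@y.com and To: a@b.com /usr/mailscanner/etc/filetype.no.rules.conf
From: *@y.com /usr/mailscanner/etc/filetype.no.rules.conf
FromOrTo: default DEFAULT-RULES-FILE
"""
# Values that switch a check off (both taken from the post above).
BYPASS = {"no", "/usr/mailscanner/etc/filetype.no.rules.conf"}
COND = re.compile(r"\b(FromOrTo|From|To):\s+(\S+)", re.I)

def parse(text):
    """Return (conditions, value, line number) for every rule line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            conds = [(d.lower(), p.lower()) for d, p in COND.findall(line)]
            rules.append((conds, line.split()[-1], n))
    return rules

def _hit(direction, pattern, sender, rcpt):
    if pattern == "default":
        return True
    addrs = {"from": [sender], "to": [rcpt], "fromorto": [sender, rcpt]}[direction]
    return any(fnmatch.fnmatchcase(a.lower(), pattern) for a in addrs)

def lookup(rules, sender, rcpt):
    """Assumed semantics: the first rule whose conditions all match wins."""
    for conds, value, _ in rules:
        if conds and all(_hit(d, p, sender, rcpt) for d, p in conds):
            return value
    return None

def audit(rules):
    """Line numbers of bypass rules not pinned to one exact sender and recipient."""
    risky = []
    for conds, value, n in rules:
        if value in BYPASS:
            exact = {d for d, p in conds if p != "default" and not set("*?[") & set(p)}
            if not {"from", "to"} <= exact:
                risky.append(n)
    return risky

if __name__ == "__main__":
    rules = parse(SAMPLE_RULESET)
    print(lookup(rules, "x@y.com", "a@b.com"), audit(rules))
```

Mail from any other sender/recipient pair falls through to the default rules, while the constructed wildcard rule on line 3 is the kind of entry the audit reports.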
     
