At 13:06 -0300 23-03-2011, Ethy H. Brito wrote:
>On Wed, 23 Mar 2011 16:46:41 +0100
>Tomas Charvat <t...@excello.cz> wrote:
>
>> Did you i got right, that you are trying to detect renamed extension by
>> its extension ? ummm... sounds like mission impossible to me.
>
>I am not reinventing the wheel.
>
>from qmail-scanner home page:
>
>    windows executable attachments ##that aren't marked## as being of MIME
>    type "application/....." are blocked (e.g. renaming notepade.exe
>    to notepade.gif and sending it as a GIF attachment would be
>    quarantined, as Qmail-Scanner would realise it's an executable
>    pretending to be something else).
>
>Hmmm. That leads to another question.
>What if I rename notepad.exe to notepad.txt and attach it as an
>"application/octet-stream" and
>
>.exe SIZE=-1 EXE files not allowed per Company security policy
>
>is on quarantine-events???
>
>What should QS do?? Block it or deliver it?

Hi Ethy

It would deliver it... QS identifies executables that have an incorrect
mime type and then it 'should' block them if $BAD_MIME_CHECKS > 1

It is not related to the quarantine-events.txt rules

Wed, 23 Mar 2011 17:28:39 CET:17022/17020: found C-T attachment filename "setuperunas copia.gif"
Wed, 23 Mar 2011 17:28:39 CET:17022/17020: w_c: attachment 2: Content-Type of image/gif found
Wed, 23 Mar 2011 17:28:39 CET:17022/17020: w_c: base64 looks like a Windows executable, filename=setuperunas copia.gif,type=image/gif
Wed, 23 Mar 2011 17:28:39 CET:17022/17020: w_c: Disallowed executable attachment associated with "image/gif" MIME type - forged attachment

Tomas is right, trying to block files with the correct mime type
(Content-Type) but with a wrong extension is complicated. But QS should
block your attachment if it is an executable with
'Content-Type=image/gif'.

ST

>In my setup, it is delivering it and IMHO it shouldn't.
>
>Regards
>
>Ethy

_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
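
The MIME-type check discussed in this thread, as an added example that is not part of the original messages and is not Qmail-Scanner's own code: an attachment is flagged as forged when its decoded content looks like a Windows executable but its declared Content-Type is not application/*. The MZ/PE test, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def looks_like_windows_exe(data: bytes) -> bool:
    # Assumed heuristic: DOS "MZ" magic, then "PE\0\0" at the offset stored at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def classify(raw: bytes):
    """Return [(filename, declared type, verdict)] for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        is_exe = looks_like_windows_exe(body)
        if is_exe and part.get_content_maintype() != "application":
            verdict = "forged"        # content contradicts the declared type
        elif is_exe:
            verdict = "declared-exe"  # honest MIME type; left to filename rules
        else:
            verdict = "ok"
        out.append((part.get_filename(), part.get_content_type(), verdict))
    return out

def build_sample() -> bytes:
    # Constructed test message; the stub carries only valid MZ/PE markers.
    stub = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 16)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(stub, maintype="image", subtype="gif",
                       filename="notepad.gif")
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="notepad.txt")
    msg.add_attachment(b"GIF89a" + b"\x00" * 64, maintype="image",
                       subtype="gif", filename="real.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    for row in classify(build_sample()):
        print(row)
```

The second attachment is the notepad.txt case from the question: its type is application/octet-stream, so this check does not call it forged, and blocking it would depend on a separate filename or content rule.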