Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Hello
A bit related to
viewtopic.php?p=31463#p31463
that was about winmail.dat files
I now see the creation of files like 20000.dat or 310000.dat in the
/var/spool/MailScanner/quarantine/20220114/xyz
directory as a result of scanning a mail that does *not* have these attachments in its source.
Then MailScanner says "Bad Filename Detected" and
"Report: MailScanner: No programs allowed (310000.dat)"
Has someone found a reason / solution for this?
Thanks
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Found some sources talking about this :
Source : https://issueexplorer.com/issue/MailScanner/v5/432
by excluding /[0-9a-fA-F]{4}\.dat$/ from "No programs allowed"
But as the .dat files seem to have the structure <number><number>0000.dat
I would prefer /[0-9]{2}0{4}\.dat$/ to limit the exception more.
but not sure if this can open security risks ....
Possible solution in patching MailScanner/perl/MailScanner/SweepOther.pm
idratis3 wrote: 14 Jan 2022, 12:25
"Seems related to TNEF expanding set to ON
The attachments are extracted but named as follows:
MailScanner: No programs allowed (900000.dat)
MailScanner: No programs allowed (900000.dat)
Then blocked as they are .dat files.
This email had a pdf and a docx file attached.
(Source : https://forum.efa-project.org/viewtopic ... 656#p17656)
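Added example, not part of the original posts: a check of the two exception patterns proposed above against the six-digit .dat names reported in this thread, plus a few constructed names. It assumes the rule is applied as an unanchored regex search on the attachment name and that Python's `re` treats these patterns like Perl does; `ANCHORED` and the `CONSTRUCTED` names are illustrative assumptions.

```python
import re

# Exception patterns proposed in the post above, copied as written.
PROPOSED = {
    "hex4": r"[0-9a-fA-F]{4}\.dat$",
    "dd0000": r"[0-9]{2}0{4}\.dat$",
}
# Assumption, not from the thread: a variant anchored at both ends that
# accepts only a bare six-digit name.
ANCHORED = r"^[0-9]{6}\.dat$"

# Six-digit .dat names reported by posters in this thread.
SEEN = ["310000.dat", "900000.dat", "550000.dat", "570001.dat", "170000.dat",
        "190001.dat", "620000.dat", "930000.dat", "150000.dat"]

# Constructed names (not from the thread) that an exception meant for the
# generated files should leave alone.
CONSTRUCTED = ["winmail.dat", "backup-cafe.dat", "scan_20220114-110000.dat"]


def exempted(pattern, names):
    """Names the pattern matches when applied as an unanchored regex search."""
    return [n for n in names if re.search(pattern, n)]


def missed(pattern, names):
    """Names the pattern does not match, so they would still be blocked."""
    return [n for n in names if not re.search(pattern, n)]


if __name__ == "__main__":
    for label, pat in {**PROPOSED, "anchored": ANCHORED}.items():
        print(label, pat)
        print("  thread names still blocked:", missed(pat, SEEN))
        print("  constructed names exempted:", exempted(pat, CONSTRUCTED))
```

Whether a filename exception takes effect at all depends on which check raised the block; a later reply in this thread attributes it to the filetype check.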
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
I have been running into the same issue recently. I found the same thread that you did but it looks as if the version of MailScanner available through ConfigServer is older (5.3.3) and that there has been some improvement in dat file handling in the 5.4 version.
I am also confused as to why these files are being created. In my case the original emails just have a single .docx attachment. The sender is using the outlook.com mail service. I have tried to reproduce the issue using my own outlook.com based account but can't get the issue to trigger.
Did you try disabling the TNEF expansion to see if that helped? I am going to give that a try.
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
I'm also seeing this lately
However, I have (with tabs)
allow dat - -
in my /usr/mailscanner/etc/filetype.rules.conf
I'm still seeing it complain about this - does anyone have any idea?
mine shows
MailScanner: No programs allowed (550000.dat)
MailScanner: No programs allowed (550000.dat) MailScanner: No programs allowed (570001.dat)
MailScanner: No programs allowed (570001.dat)
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Hi everyone
This is 2023 and I am running into the same issue
MailScanner 5.4.4 on cPanel with ConfigServer Front-End
MailScanner: No programs allowed (170000.dat) MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (170000.dat)
In archive with Xlsx, docx and pdf files
If anyone could help resolve this I would be grateful
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
If you are sure that you want to allow .dat files in your emails, you can try modifying:
/usr/mailscanner/etc/filename.rules.conf
and add a line like this:
allow \.dat$ - -
After saving the changes, restart MailScanner.
Sergio
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Hi Sergio
Thanks for the reply. I did as suggested
Date: Mon May 15 09:16:24 2023
One or more of the attachments (150000.dat, Annex C - BOQ UNICEF Teach Program Options 2.xlsx) are on
the list of unacceptable attachments for this site and will not have
been delivered.
Consider renaming the files to avoid this constraint.
The virus detector said this about the message:
Report: Report: MailScanner: No programs allowed (150000.dat)
Still got that bounce
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Did you restart MailScanner after doing the modification?
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
Hi Sergio,
Yes I have - even tried this on 5 other servers that I have ConfigServer MailScanner Front-End v9.23 installed on.
Dat files still get blocked from any Microsoft document
Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"
The files are being blocked by the fileTYPE checking.
Microsoft documents often cause this problem. You can disable extracting of Microsoft documents by setting "Unpack Microsoft Documents" in the MailScanner Configuration to no, and see if that resolves the issue. If that doesn't work, you can disable scanning within archives by setting "Maximum Archive Depth" to 0 in the MailScanner configuration. Archives will still be scanned for viruses (if you have clamd installed and enabled) but they won't be scanned for potentially dangerous filetypes and filenames.
Regards,
Sarah