Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

idratis3
Junior Member
Posts: 27
Joined: 07 May 2017, 11:36

Post by idratis3 »

Hello
A bit related to
viewtopic.php?p=31463#p31463
that was about winmail.dat files
I now see the creation of files like 20000.dat or 310000.dat in the
/var/spool/MailScanner/quarantine/20220114/xyz
directory as a result of scanning a mail that does *not* have these attachments in its source.
Then MailScanner says "Bad Filename Detected" and
"Report: MailScanner: No programs allowed (310000.dat)"
Has someone found a reason / solution for this ?
Thanks
idratis3
Junior Member
Posts: 27
Joined: 07 May 2017, 11:36

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by idratis3 »

Found some sources talking about this :
idratis3 wrote: 14 Jan 2022, 12:25 "Seems related to TNEF expanding set to ON
The attachments are extracted but named as follows:
MailScanner: No programs allowed (900000.dat)
MailScanner: No programs allowed (900000.dat)
Then blocked as they are .dat files.
This email had a pdf and a docx file attached.
(Source : https://forum.efa-project.org/viewtopic ... 656#p17656)
Possible solution in patching MailScanner/perl/MailScanner/SweepOther.pm
Source : https://issueexplorer.com/issue/MailScanner/v5/432
by excluding /[0-9a-fA-F]{4}\.dat$/ from "No programs allowed"
But as the .dat files seem to have the structure <number><number>0000.dat
I would prefer /[0-9]{2}0{4}\.dat$/ to limit more the exception.
but not sure this can open security risks ....
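
Added example (not part of any post in this thread, and not MailScanner's own code): a check of the two exception patterns quoted in the post above against the six-digit .dat names reported in this thread. The anchored six-digit pattern and the constructed file names are assumptions introduced here for comparison only.

```python
import re

# Patterns quoted in the post above (Perl syntax that Python's re also accepts).
HEX4 = re.compile(r"[0-9a-fA-F]{4}\.dat$")
NARROW = re.compile(r"[0-9]{2}0{4}\.dat$")
# Hypothetical anchored variant, added here for comparison; not from the thread.
ANCHORED6 = re.compile(r"^[0-9]{6}\.dat$")

# Six-digit names reported by posters in this thread.
SEEN = ["310000.dat", "900000.dat", "550000.dat", "570001.dat", "170000.dat",
        "190001.dat", "620000.dat", "930000.dat", "150000.dat"]

# Constructed names: an attachment name is chosen by the sender, so an
# exception keyed on the name applies to whatever happens to match it.
CONSTRUCTED = ["invoice_beef.dat", "setup.exe.0000.dat", "x120000.dat",
               "winmail.dat"]


def exempted(pattern, names):
    """Names the pattern would exclude from the 'No programs allowed' check."""
    return [n for n in names if pattern.search(n)]


def missed(pattern, names):
    """Names the pattern does not cover, which would still be blocked."""
    return [n for n in names if not pattern.search(n)]


if __name__ == "__main__":
    for label, pat in (("hex4", HEX4), ("narrow", NARROW), ("anchored6", ANCHORED6)):
        print(label)
        print("  thread names still blocked :", missed(pat, SEEN))
        print("  constructed names exempted :", exempted(pat, CONSTRUCTED))
```

Neither quoted pattern is anchored at the start of the name, so both also match longer names that merely end in the expected digits, and the narrower one does not cover the names ending in 0001 that were reported later in the thread.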
Jamas
Junior Member
Posts: 1
Joined: 24 Apr 2022, 19:01

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by Jamas »

I have been running into the same issue recently. I found the same thread that you did but it looks as if the version of MailScanner available through ConfigServer is older (5.3.3) and that there has been some improvement in dat file handling in the 5.4 version.

I am also confused as to why these files are being created. In my case the original emails just have a single .docx attachment. The sender is using the outlook.com mail service. I have tried to reproduce the issue using my own outlook.com based account but can't get the issue to trigger.

Did you try disabling the TNEF expansion to see if that helped? I am going to give that a try.
oempire
Junior Member
Posts: 6
Joined: 11 Nov 2016, 14:15

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by oempire »

I'm also seeing this lately

However, I have (with tabs)

allow dat - -


in my /usr/mailscanner/etc/filetype.rules.conf


I'm still seeing it complaining about this - anyone have any idea?

mine shows

MailScanner: No programs allowed (550000.dat)
MailScanner: No programs allowed (550000.dat) MailScanner: No programs allowed (570001.dat)
MailScanner: No programs allowed (570001.dat)
sportsman40+
Junior Member
Posts: 4
Joined: 25 Mar 2022, 14:37

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by sportsman40+ »

Hi everyone

This is 2023 and I am running into the same issue

MailScanner 5.4.4 on cPanel with ConfigServer Front end
MailScanner: No programs allowed (170000.dat) MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (170000.dat)

In archive with Xlsx, docx and pdf files

if anyone could help resolve I would be grateful
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by Sergio »

If you are sure that you want to allow .dat files in your emails, you can try modifying:
/usr/mailscanner/etc/filename.rules.conf
and add a line like this:

allow	\.dat$			-	-

After saving the changes, restart MailScanner.

Sergio
sportsman40+
Junior Member
Posts: 4
Joined: 25 Mar 2022, 14:37

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by sportsman40+ »

Hi Sergio

Thanks for the reply. I did as suggested

Date: Mon May 15 09:16:24 2023

One or more of the attachments (150000.dat, Annex C - BOQ UNICEF Teach Program Options 2.xlsx) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: No programs allowed (150000.dat)

Still got that bounce
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by Sergio »

Did you restart MailScanner after doing the modification?
sportsman40+
Junior Member
Posts: 4
Joined: 25 Mar 2022, 14:37

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by sportsman40+ »

Hi Sergio,

Yes I have - even tried this on 5 other servers that I have ConfigServer MailScanner Front-End v9.23 installed.

dat files still get blocked from any Microsoft document
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by Sarah »

The files are being blocked by the fileTYPE checking.

Microsoft documents often cause this problem. You can disable extracting of Microsoft documents by setting "Unpack Microsoft Documents" in the MailScanner Configuration to no, and see if that resolves the issue. If that doesn't work, you can disable scanning within archives by setting "Maximum Archive Depth" to 0 in the MailScanner configuration. Archives will still be scanned for viruses (if you have clamd installed and enabled) but they won't be scanned for potentially dangerous filetypes and filenames.

Regards,
Sarah