Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Discuss our MailScanner install script and MailScanner itself
Post Reply
idratis3
Junior Member
Posts: 25
Joined: 07 May 2017, 11:36

Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by idratis3 »

Hello
A bit related to
viewtopic.php?p=31463#p31463
that was about winmail.dat files
I see now the creation of files like 20000.dat of 310000.dat in the
/var/spool/MailScanner/quarantine/20220114/xyz
directory as a result of scanning a mail that has *not* this attachments in its source.
Then MailScanner says "Bad Filename Detected" and
"Report: MailScanner: No programs allowed (310000.dat)"
Has someone found a reason / solution for this ?
Thanks
idratis3
Junior Member
Posts: 25
Joined: 07 May 2017, 11:36

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Post by idratis3 »

Found some sources talking about this :
idratis3 wrote: 14 Jan 2022, 12:25 "Seems related to TNEF expanding set to ON
The attachments are extracted but named as follows:
MailScanner: No programs allowed (900000.dat)
MailScanner: No programs allowed (900000.dat)
Then blocked as they are .dat files.
This email had a pdf and a docx file attached.
(Source : https://forum.efa-project.org/viewtopic ... 656#p17656)
Possible solution in patching MailScanner/perl/MailScanner/SweepOther.pm
Source : https://issueexplorer.com/issue/MailScanner/v5/432
by excluding /[0-9a-fA-F]{4}\.dat$/ from "No programs allowed"
But as the .dat files seems to have the structure <number><number>0000.dat
I would prefer /[0-9]{2}0{4}\.dat$/ to limit more the exception.
but not sure this can open security risks ....
Post Reply