Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 14 Jan 2022, 12:25
by idratis3
Hello
A bit related to
viewtopic.php?p=31463#p31463
that was about winmail.dat files
I now see the creation of files like 20000.dat or 310000.dat in the
/var/spool/MailScanner/quarantine/20220114/xyz
directory as a result of scanning a mail that does *not* have these attachments in its source.
Then MailScanner says "Bad Filename Detected" and
"Report: MailScanner: No programs allowed (310000.dat)"
Has anyone found a reason / solution for this?
Thanks

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 15 Jan 2022, 12:38
by idratis3
Found some sources talking about this:
idratis3 wrote: 14 Jan 2022, 12:25 "Seems related to TNEF expanding set to ON
The attachments are extracted but named as follows:
MailScanner: No programs allowed (900000.dat)
MailScanner: No programs allowed (900000.dat)
Then blocked as they are .dat files.
This email had a pdf and a docx file attached.
(Source : https://forum.efa-project.org/viewtopic ... 656#p17656)
Possible solution in patching MailScanner/perl/MailScanner/SweepOther.pm
Source : https://issueexplorer.com/issue/MailScanner/v5/432
by excluding /[0-9a-fA-F]{4}\.dat$/ from "No programs allowed"
But as the .dat files seem to have the structure <number><number>0000.dat,
I would prefer /[0-9]{2}0{4}\.dat$/ to limit the exception more,
but I'm not sure whether this can open security risks ....
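
Added example (not part of the original post and not MailScanner code): a Python check of the two exception patterns quoted above against the .dat names reported in this thread, using Python's `re` in place of Perl. The `ANCHORED` pattern and the constructed file names are assumptions made for illustration.

```python
import re

# Exception patterns as written in the post above.
BROAD = re.compile(r"[0-9a-fA-F]{4}\.dat$")   # from the linked issue
NARROW = re.compile(r"[0-9]{2}0{4}\.dat$")    # the poster's preferred form
# Assumption (not from the thread): whole name must be six digits + ".dat".
ANCHORED = re.compile(r"\A[0-9]{6}\.dat\Z")

# Six-digit .dat names reported by posters in this thread.
REPORTED = ["310000.dat", "900000.dat", "550000.dat", "570001.dat",
            "170000.dat", "190001.dat", "620000.dat", "930000.dat",
            "150000.dat"]

# Constructed names: ordinary attachments whose names merely end
# in something the unanchored patterns accept.
CONSTRUCTED = ["setup-beef.dat", "payload_10000.dat",
               "invoice-990000.dat", "winmail.dat"]


def exempted(pattern, names):
    """Names the exception pattern would let past the .dat rule."""
    return [n for n in names if pattern.search(n)]


def compare():
    """For each pattern: reported names it misses, extra names it exempts."""
    result = {}
    for label, pat in (("broad", BROAD), ("narrow", NARROW),
                       ("anchored", ANCHORED)):
        result[label] = {
            "missed_reported": [n for n in REPORTED if not pat.search(n)],
            "exempted_constructed": exempted(pat, CONSTRUCTED),
        }
    return result


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:9} missed={row['missed_reported']} "
              f"extra={row['exempted_constructed']}")
```

Neither quoted pattern is anchored at the start of the name, so each exempts more than the generated files, and the narrower one misses the `...0001.dat` names reported later in the thread. Any name-based exception also applies to an attachment that really carries such a name, which is the risk the post raises.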

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 24 Apr 2022, 19:24
by Jamas
I have been running into the same issue recently. I found the same thread that you did but it looks as if the version of MailScanner available through ConfigServer is older (5.3.3) and that there has been some improvement in dat file handling in the 5.4 version.

I am also confused as to why these files are being created. In my case the original emails just have a single .docx attachment. The sender is using the outlook.com mail service. I have tried to reproduce the issue using my own outlook.com based account but can't get the issue to trigger.

Did you try disabling the TNEF expansion to see if that helped? I am going to give that a try.

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 18 Jan 2023, 05:02
by oempire
I'm also seeing this lately

however I have (with tabs)

allow dat - -


in my /usr/mailscanner/etc/filetype.rules.conf


I'm still seeing it complaining about this - anyone have any idea?

mine shows

MailScanner: No programs allowed (550000.dat)
MailScanner: No programs allowed (550000.dat) MailScanner: No programs allowed (570001.dat)
MailScanner: No programs allowed (570001.dat)

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 12 May 2023, 16:18
by sportsman40+
Hi everyone

this is 2023 and I am running into the same issue

MailScanner 5.4.4 on cPanel with ConfigServer front end
MailScanner: No programs allowed (170000.dat) MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (190001.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (620000.dat)
MailScanner: No programs allowed (930000.dat)
MailScanner: No programs allowed (170000.dat)

In archive with Xlsx, docx and pdf files

if anyone could help resolve I would be grateful

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 14 May 2023, 06:58
by Sergio
If you are sure that you want to allow .dat files in your emails, you can try modifying:
/usr/mailscanner/etc/filename.rules.conf
and add a line like this:

allow	\.dat$			-	-

After saving the changes, restart MailScanner.

Sergio

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 15 May 2023, 08:31
by sportsman40+
Hi Sergio

Thanks for the reply. I did as suggested

Date: Mon May 15 09:16:24 2023

One or more of the attachments (150000.dat, Annex C - BOQ UNICEF Teach Program Options 2.xlsx) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: No programs allowed (150000.dat)

Still got that bounce

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 15 May 2023, 14:28
by Sergio
Did you restart MailScanner after doing the modification?

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 15 May 2023, 15:05
by sportsman40+
Hi Sergio,

Yes I have - even tried this on 5 other servers that I have ConfigServer MailScanner Front-End v9.23 installed.

dat files still get blocked from any Microsoft document

Re: Creation of "number.dat" files not present in mailsource, that then trigger "Bad Filename Detected"

Posted: 15 May 2023, 16:20
by Sarah
The files are being blocked by the fileTYPE checking.

Microsoft documents often cause this problem. You can disable extracting of Microsoft documents by setting "Unpack Microsoft Documents" in the MailScanner Configuration to no, and see if that resolves the issue. If that doesn't work, you can disable scanning within archives by setting "Maximum Archive Depth" to 0 in the MailScanner configuration. Archives will still be scanned for viruses (if you have clamd installed and enabled) but they won't be scanned for potentially dangerous filetypes and filenames.

Regards,
Sarah