MailScanner v5
GNU General Public License v2.0

Problem with UnPackRar #405

Closed stefaweb closed 4 years ago

stefaweb commented 5 years ago

Hi!

I regularly receive a bad email that unrar cannot decode; it remains stuck in incoming with this error message.

Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rjnp.bin
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rqwe.dat
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rdak.ico
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rjsr.docx
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/roda.ppt
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rtne.xls
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rphq.icm
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rgdr.mp3
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rslg.msc
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/roav.txt
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rcuq.mp3
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rmpj.xls
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rrpr.xml
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rmud.bin
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rfqd.docx
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rgiv.pdf
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rpdw.jpg
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/raqg.bmp
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rhmw.exe
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/roto.xml
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rwvm.ini
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rucu.xml

I have to manually delete it from incoming because it gets stuck in it.

Do you have an idea of the type of problem?

shawniverson commented 5 years ago

Can you share the filename?

stefaweb commented 5 years ago

Hi @shawniverson!

I received the bad email again this morning.

I have this in the /var/spool/MailScanner/incoming/ directory:

File /var/spool/MailScanner/incoming/25059/67D71BC0717.AFD36.header:

Received: from gurkan.com.tr (unknown [149.56.173.81])
    by antispam.actionweb.eu (Postfix) with ESMTP id 67D71BC0717
    for <contact@xxxx.fr>; Tue, 17 Sep 2019 09:21:40 +0200 (CEST)
From: Eymen Mustafa <info@gurkan.com.tr>
To: contact@xxxx.fr
Subject: Fwd: Copy of Proforma Invoice INV0874.PDF
Date: 17 Sep 2019 00:21:38 -0700
Message-ID: <20190917002137.929D109DE06471BB@gurkan.com.tr>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0012_355514BB.ECF5033A"

In /var/spool/MailScanner/incoming/25059/67D71BC0717.AFD36/:

-rw-rw---- 1 postfix mtagroup      1729 Sep 17 09:37 nmsg-25059-23.html
-rw-rw---- 1 postfix mtagroup   1374738 Sep 17 09:37 nProforma Invoice 0974.PDF.r00
-rw-rw---- 1 postfix mtagroup       503 Sep 17 09:37 rafc.bmp
-rw-rw---- 1 postfix mtagroup         0 Sep 17 09:37 rbci.log
-rw-rw---- 1 postfix mtagroup       586 Sep 17 09:37 rcag.ico
-rw-rw---- 1 postfix mtagroup       508 Sep 17 09:37 rcgf.mp3
-rw-rw---- 1 postfix mtagroup       554 Sep 17 09:37 rcxj.xl
-rw-rw---- 1 postfix mtagroup       575 Sep 17 09:37 rdcg.ini
-rw-rw---- 1 postfix mtagroup       569 Sep 17 09:37 rdtd.pdf
-rw-rw---- 1 postfix mtagroup       557 Sep 17 09:37 rejk.log
-rw-rw---- 1 postfix mtagroup       520 Sep 17 09:37 reos.bin
-rw-rw---- 1 postfix mtagroup       570 Sep 17 09:37 rfpx.log
-rw-rw---- 1 postfix mtagroup       542 Sep 17 09:37 rfse.cpl
-rw-rw---- 1 postfix mtagroup         0 Sep 17 09:37 rgbe.ppt
-rw-rw---- 1 postfix mtagroup       537 Sep 17 09:37 rgcn.ini
-rw-rw---- 1 postfix mtagroup       506 Sep 17 09:37 rghk.xml
-rw-rw---- 1 postfix mtagroup    727376 Sep 17 09:37 rgsq.exe
-rw-rw---- 1 postfix mtagroup       502 Sep 17 09:37 rhbx.dat
-rw-rw---- 1 postfix mtagroup       621 Sep 17 09:37 rhhe.ini
-rw-rw---- 1 postfix mtagroup       584 Sep 17 09:37 rhpe.msc
-rw-rw---- 1 postfix mtagroup       546 Sep 17 09:37 rhvs.ini
-rw-rw---- 1 postfix mtagroup       505 Sep 17 09:37 rhxl.bin
-rw-rw---- 1 postfix mtagroup       580 Sep 17 09:37 ricb.txt
-rw-rw---- 1 postfix mtagroup       588 Sep 17 09:37 rigg.log
-rw-rw---- 1 postfix mtagroup       522 Sep 17 09:37 rigx.xls
-rw-rw---- 1 postfix mtagroup       591 Sep 17 09:37 risl.xml
-rw-rw---- 1 postfix mtagroup       559 Sep 17 09:37 rivn.ico
-rw-rw---- 1 postfix mtagroup       511 Sep 17 09:37 rjqv.jpg
-rw-rw---- 1 postfix mtagroup       548 Sep 17 09:37 rjsp.jpg
-rw-rw---- 1 postfix mtagroup       508 Sep 17 09:37 rjtl.bin
-rw-rw---- 1 postfix mtagroup     12288 Sep 17 09:37 rktt.exe
-rw-rw---- 1 postfix mtagroup       612 Sep 17 09:37 rlkc.xl
-rw-rw---- 1 postfix mtagroup 245440512 Sep 17 09:37 rmkfqtm
-rw-rw---- 1 postfix mtagroup       597 Sep 17 09:37 rmqp.jpg
-rw-rw---- 1 postfix mtagroup       628 Sep 17 09:37 rmus.pdf
-rw-rw---- 1 postfix mtagroup         0 Sep 17 09:37 rnao.bmp
-rw-rw---- 1 postfix mtagroup       510 Sep 17 09:37 rnjh.txt
-rw-rw---- 1 postfix mtagroup       515 Sep 17 09:37 rnti.dat
-rw-rw---- 1 postfix mtagroup       528 Sep 17 09:37 rorg.bmp
-rw-rw---- 1 postfix mtagroup       566 Sep 17 09:37 roun.xls
-rw-rw---- 1 postfix mtagroup   1519244 Sep 17 09:37 rProformaInvoice0974.PDF.exe
-rw-rw---- 1 postfix mtagroup       541 Sep 17 09:37 rpxs.bin
-rw-rw---- 1 postfix mtagroup       606 Sep 17 09:37 rqag.ico
-rw-rw---- 1 postfix mtagroup       517 Sep 17 09:37 rqdj.mp3
-rw-rw---- 1 postfix mtagroup       564 Sep 17 09:37 rqpl.ini
-rw-rw---- 1 postfix mtagroup       618 Sep 17 09:37 rrdt.jpg
-rw-rw---- 1 postfix mtagroup       557 Sep 17 09:37 rrdw.cpl
-rw-rw---- 1 postfix mtagroup       571 Sep 17 09:37 rsfo.txt
-rw-rw---- 1 postfix mtagroup       542 Sep 17 09:37 rsgx.dat
-rw-rw---- 1 postfix mtagroup       545 Sep 17 09:37 rsnb.ico
-rw-rw---- 1 postfix mtagroup       536 Sep 17 09:37 rtmd.xml
-rw-rw---- 1 postfix mtagroup       550 Sep 17 09:37 rttk.dat
-rw-rw---- 1 postfix mtagroup       539 Sep 17 09:37 rtvr.cpl
-rw-rw---- 1 postfix mtagroup       574 Sep 17 09:37 rucw.xml
-rw-rw---- 1 postfix mtagroup       634 Sep 17 09:37 rvmj.xls
-rw-rw---- 1 postfix mtagroup       501 Sep 17 09:37 rvsk.bmp
-rw-rw---- 1 postfix mtagroup       541 Sep 17 09:37 rvsr.msc
-rw-rw---- 1 postfix mtagroup       539 Sep 17 09:37 rvxl.docx
-rw-rw---- 1 postfix mtagroup       504 Sep 17 09:37 rxec.bmp
-rw-rw---- 1 postfix mtagroup       562 Sep 17 09:37 rxeh.xl
-rw-rw---- 1 postfix mtagroup       549 Sep 17 09:37 rxmu.xls
-rw-rw---- 1 postfix mtagroup       578 Sep 17 09:37 rxoq.ini
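An added example, not part of this issue or of MailScanner's own code, showing how an operator could detect this pattern from the syslog lines quoted above and from the extracted member names in the listing: it groups the UnPackRar safe-name refusals per message work directory, flags directories that hit a threshold (the "stuck in incoming" candidates), and checks member names for a document-extension-plus-executable double extension like the one in the listing. The sample log lines, the second queue id, the threshold and the double-extension heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog lines quoted in this issue (not the
# reporter's full log): one message with several refused members, one with a
# single refused member (constructed queue id), and one unrelated line as noise.
SAMPLE_LOG = """\
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rjnp.bin
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rqwe.dat
Sep 16 08:22:11 antispam MailScanner[29059]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29059/0CA12BC003B.AC0D8/rhmw.exe
Sep 16 08:25:03 antispam MailScanner[29060]: UnPackRar: Could not rename or use safe name in Extract, NOT Unpacking file /var/spool/MailScanner/incoming/29060/1AB2CDEF012.34567/rabc.txt
Sep 16 08:25:04 antispam cron[1234]: constructed noise line, not a MailScanner message
"""

# Matches the exact message text shown in the issue and captures the per-message
# work directory (/var/spool/MailScanner/incoming/<pid>/<queue-id>) and the member name.
UNPACK_FAIL = re.compile(
    r"MailScanner\[\d+\]: UnPackRar: Could not rename or use safe name in Extract, "
    r"NOT Unpacking file (?P<dir>/var/spool/MailScanner/incoming/\d+/[^/]+)/(?P<member>.+)$"
)

# Heuristic (assumption): a member that hides an executable behind a document or
# image extension, like the "...PDF.exe" in the reporter's directory listing.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|cpl|msc|com|bat)$", re.I)


def parse_unpack_failures(log_text):
    """Group refused members by the message work directory they belong to."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = UNPACK_FAIL.search(line)
        if m:
            failures[m.group("dir")].append(m.group("member"))
    return dict(failures)


def stuck_candidates(failures, threshold=3):
    """Directories with at least `threshold` refused members: the repeating pattern
    from the issue, worth alerting on or quarantining instead of leaving in incoming."""
    return sorted(d for d, members in failures.items() if len(members) >= threshold)


def suspicious_members(names):
    """Member names with a double extension that ends in an executable type."""
    return [n for n in names if DOUBLE_EXT.search(n)]


if __name__ == "__main__":
    found = parse_unpack_failures(SAMPLE_LOG)
    for d in stuck_candidates(found):
        print(f"stuck candidate: {d} ({len(found[d])} members refused)")
    print(suspicious_members(["rProformaInvoice0974.PDF.exe", "rafc.bmp", "rgsq.exe"]))
```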

shawniverson commented 4 years ago

@stefaweb Any chance you could get me a sample? I am struggling to make a bad rar archive that will trigger this behavior. There's something about these rar files that is particularly malicious and causing this loop.

shawniverson commented 4 years ago

@stefaweb Is this still an issue?

shawniverson commented 4 years ago

Closing as stale; if someone comes across this again, let me know.