Quarantine file collisions
Malcolm Ray
M.Ray at ULCC.AC.UK
Fri Sep 12 15:32:03 IST 2003
> On Friday 12 September 2003 2:55 pm, Malcolm Ray wrote:
>
> > A minor nit:
> >
> > If 'Quarantine Whole Message' is set to 'yes', the original message is
> > quarantined in a file called 'message' in the same directory as the
> > quarantined attachments. But there seems to be no attempt (in MS 4.23-11)
> > to avoid a name collision between these, so if an attachment is called
> > 'message', this overwrites the quarantined original message.
>
> ? What MTA are you using?
>
> I don't see any 'message' files - just the df/qf pairs corresponding to
> sendmail's normal system, plus the attachments.
>
> Maybe this is different if you're not running sendmail?
>
> Just as a check, I just sent myself two different viruses in one email, but
> both with the filename "eicar.com". One got saved in the quarantine
> directory as "eicar.com", the other as "eicar-1.com". Seems pretty
> intelligent to me.
>
> Antony.

Sorry, I should have said that I'm using exim. For example, if I send
myself a message with Eicar attached as 'eicar.com', I get a directory:

/var/spool/MailScanner/quarantine/20030912/19xor8-0000nX-4Y

containing two files: one called 'eicar.com', containing the decoded
attachment, and the other called 'message', containing the original
message headers and body.

However, if I send the message again, but name the attachment 'message'
(in the content-type and content-disposition headers), the per-message
quarantine directory contains only one file, called 'message', containing
the decoded attachment.

This is with:

MailScanner 4.23-11
exim 4.22
Quarantine Infections = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
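
An added example, not MailScanner's code and not part of the original post: one way a quarantine writer can avoid the collision reported above, by reserving the name 'message' for the original and renaming colliding attachments with the "-1" suffix scheme seen in the quoted reply. The function names and sample bytes are constructed for illustration.

```python
import os
import tempfile

# Hypothetical helpers; 'message' is the file name the post says holds the original.
RESERVED = {"message"}

def safe_name(raw, taken):
    """Return a file name for an attachment that is not already in `taken`."""
    base = os.path.basename(raw.replace("\\", "/"))  # drop any path components
    if base in ("", ".", ".."):
        base = "unnamed"
    stem, ext = os.path.splitext(base)
    candidate, n = base, 0
    while candidate.lower() in taken:  # compare case-insensitively
        n += 1
        candidate = f"{stem}-{n}{ext}"  # eicar.com -> eicar-1.com
    taken.add(candidate.lower())
    return candidate

def quarantine(qdir, original, attachments):
    """Store the original as 'message' plus each (name, bytes) attachment.

    Returns the file names actually used for the attachments."""
    taken = {name.lower() for name in RESERVED}
    # O_EXCL: a collision that slips through fails instead of overwriting.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL

    def write(name, data):
        fd = os.open(os.path.join(qdir, name), flags, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)

    write("message", original)
    used = []
    for raw, data in attachments:
        name = safe_name(raw, taken)
        write(name, data)
        used.append(name)
    return used

def demo():
    """Constructed input: one attachment named 'message', two named 'eicar.com'."""
    original = b"Subject: constructed test\n\nbody\n"
    parts = [("message", b"PART-A"), ("eicar.com", b"PART-B"), ("eicar.com", b"PART-C")]
    with tempfile.TemporaryDirectory() as qdir:
        names = quarantine(qdir, original, parts)
        with open(os.path.join(qdir, "message"), "rb") as fh:
            kept = fh.read()
        return names, kept, sorted(os.listdir(qdir))
```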