problems with "very long filename" rule?

Julian Field mailscanner at ecs.soton.ac.uk
Thu Dec 23 16:15:02 GMT 2004



Dan Hollis wrote:

>On Thu, 23 Dec 2004, Peter Bonivart wrote:
>
>
>>>mailscanner should report the original filename when reporting a
>>>violation.
>>>
>>>
>>It can be risky to use the original filename if it's intended to do
>>damage.
>>
>>
>
>Only risky if it's used as filename attachment, surely putting something
>like
>
>C:\\something\really\long\filename\blablabla\yadda\file.jpg
>
>in the body of a message can't do damage? It's not a link and it's not an
>attachment.
>
>Or, you're saying I just did potentially do some damage from the above line? :-)
>
>
Ah, if only the world was that friendly. Now imagine what happens when
someone constructs a filename that includes a MIME boundary string and
possibly some MIME-encoded data as well, all in the filename. Now by
just reporting the full filename you have provided a way for them to
inject a virus into the report message.

You *never* report input data back to anyone without sanitising it first.
One of the basic rules of secure and defensive programming.

>
>
>>Julian always sanitize logs and other stuff generated by MS. I
>>quarantine the message as queue files so I look into the Sendmail
>>df-file to see all attachments. If you really want to know I recommend
>>you do the same but why do you need to know the original name? It tells
>>you the reason for blocking the message, do you have to check if the
>>rule is working? That will get old real fast. :-)
>>
>>
>
>There are a number of problems here:
>
>1) The problem here is that while it _was_ quarantined, the body of the
>message did not say that at all. So I had to dig through the filesystem. We
>are a medium-sized ISP with many users and a heavy mail load, and 'find' took
>quite some time.
>
>
You know the location already. It's in the quarantine, you know the date
and you know the message id. So you don't need "find" at all, there's
only 1 place it can be.

>2) In any case it's nice to have the original ("non-safed") filename
>in order to point out to the user exactly what was wrong. I had to dig
>through gigabytes of server logs to find the original filename. (Not to
>mention the quarantine id, which was not included in the report!)
>
>
No way!

>3) And shouldn't this be a choice of the mail administrator anyway, not a
>unilateral decision of MailScanner to always mangle the filename without
>the consent of the server admin?
>
>
I clearly need to protect you from yourself. No insult intended, but
it's true as a general rule. Just because you don't know a way of
breaking something, doesn't mean it can't be broken by someone who does
know.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
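As an added illustration of the boundary-injection risk described above (example code written for this page, not MailScanner's own Perl), the block below constructs a filename that carries a MIME boundary line, builds a report the naive way, and shows that a conservative sanitiser plus a parse-and-count check keeps the report to the single part it should have. The boundary string, the sample filename and the function names are all constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample values for this example (not from the original post).
BOUNDARY = "report-boundary-42"
HOSTILE_NAME = (
    "file.jpg\n--" + BOUNDARY + "\nContent-Type: text/plain\n\n"
    "injected part\n"
)

def sanitise_filename(name: str, max_len: int = 64) -> str:
    """Replace every character outside a conservative set with '_' and
    truncate.  The result contains no CR/LF, so it can never start a new
    line and therefore can never act as a MIME boundary delimiter."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned[:max_len]

def build_report(filename: str) -> bytes:
    """Naive report builder: the filename is interpolated straight into the
    text part of a multipart message whose boundary is fixed and guessable."""
    raw = (
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
        f"--{BOUNDARY}\nContent-Type: text/plain\n\n"
        f"Blocked attachment: {filename}\n"
        f"--{BOUNDARY}--\n"
    )
    return raw.encode()

def count_parts(raw: bytes) -> int:
    """Parse the report the way a mail reader would and count its MIME parts.
    A correctly built report has exactly one; any extra part was injected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return len(list(msg.iter_parts())) if msg.is_multipart() else 1

def report_is_intact(filename: str) -> bool:
    """Defensive check before sending: the report must parse to one part."""
    return count_parts(build_report(filename)) == 1

if __name__ == "__main__":
    print("unsanitised parts:", count_parts(build_report(HOSTILE_NAME)))
    safe = sanitise_filename(HOSTILE_NAME)
    print("sanitised parts:  ", count_parts(build_report(safe)))
```

The parse-and-count check is worth keeping even with the sanitiser in place, since it catches any future report template that interpolates unsanitised data by mistake.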
