Virus and filename conflation

[David Lee]

(MS version 4.50.14)

An inbound email for one of our users recently disappeared into a black
hole.  This turns out to be repeatable.  The inbound email had an
attachement "enable.jar".  The sendmail logs showed:
   Filename Checks: Very long filename, possible OE attack (...)

but the "...", which was, indeed, very long (154 characters) wasn't that
"enable.jar", rather of the form "path/to/some/verylongfile(blah).class".

Our "filename.rules.conf" has, near the top, the default setting:
   deny(tab).{150,}(tab)...(tab)...

That triggers MS to mark it as a pseudo-virus:
   Infected Header Value    = Found to be infected

Therein, I think, lies the problem.

The comments around that ".{150,}" rule say:
   # So very long filenames must be denied regardless of the final extension.

so naturally, because of the strength of this comment, it seems wise for
us to keep this as "deny".  (By contrast, we specifically comment out (i.e
implicitly "allow") most of the other "deny" clauses.)

But for MS to mark this as a pseudo-virus ("Found to be infected") seems
dubious.  The "procmail" scripts that many of our users have then use this
header value (whose semantics are "I am a nasty virus") to put such emails
straight into "/dev/null".

In other words, MS has conflated "{Virus?}" and "{Filename?}" issues onto
a single "Infected Header Value".

1. How paranoid should we be about the ".{150,}" and its dire warnings?

2. Does MS need (yet) another configuration variable alongside
 "Infected Header Value"?


Have I overlooked something?


-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :