Virus and filename conflation
David Lee
t.d.lee at durham.ac.uk
Fri Apr 21 18:08:28 IST 2006
(MS version 4.50.14)
An inbound email for one of our users recently disappeared into a black
hole. This turns out to be repeatable. The inbound email had an
attachment "enable.jar". The sendmail logs showed:
Filename Checks: Very long filename, possible OE attack (...)
but the "...", which was, indeed, very long (154 characters) wasn't that
"enable.jar", rather of the form "path/to/some/verylongfile(blah).class".
Our "filename.rules.conf" has, near the top, the default setting:
deny(tab).{150,}(tab)...(tab)...
That triggers MS to mark it as a pseudo-virus:
Infected Header Value = Found to be infected
Therein, I think, lies the problem.
The comments around that ".{150,}" rule say:
# So very long filenames must be denied regardless of the final extension.
so naturally, because of the strength of this comment, it seems wise for
us to keep this as "deny". (By contrast, we specifically comment out (i.e.
implicitly "allow") most of the other "deny" clauses.)
But for MS to mark this as a pseudo-virus ("Found to be infected") seems
dubious. The "procmail" scripts that many of our users have then use this
header value (whose semantics are "I am a nasty virus") to put such emails
straight into "/dev/null".
In other words, MS has conflated "{Virus?}" and "{Filename?}" issues onto
a single "Infected Header Value".
1. How paranoid should we be about the ".{150,}" and its dire warnings?
2. Does MS need (yet) another configuration variable alongside
"Infected Header Value"?
Have I overlooked something?
--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :
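To make the behaviour described in the post concrete, here is a small added example (not MailScanner's own code, and not the real shipped filename.rules.conf) that applies a filename.rules.conf-style rule list to an attachment and to the member names inside it. It assumes what the post implies about the rule file: one rule per line, tab-separated fields (action, regex, log text, user text), regexes matched unanchored and case-insensitively, and first match wins. The trailing allow-all rule, the helper names and the 154-character member name are constructed for the example. The point it shows is the one the post makes: "enable.jar" itself never matches the ".{150,}" rule; the long ".class" path inside the jar does, and that is the name the log text refers to.

```python
import re

# Constructed filename.rules.conf fragment, not MailScanner's shipped default:
# one rule per line, fields separated by tabs: action, regex, log text, user text.
# The .{150,} deny rule is the one the post quotes; the trailing allow-all is an
# assumption used so that every name gets a decision.
RULES_CONF = (
    "# So very long filenames must be denied regardless of the final extension.\n"
    "deny\t.{150,}\tVery long filename, possible OE attack\tVery long filenames are a sign of an attack\n"
    "# Catch-all (assumption): anything not matched above is allowed.\n"
    "allow\t.*\t-\t-\n"
)


def parse_rules(text):
    """Parse filename rules into (action, compiled regex, log text, user text) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        action, pattern, logtext, usertext = fields[:4]
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # Assumption: patterns are unanchored, case-insensitive regexes.
        rules.append((action, re.compile(pattern, re.IGNORECASE), logtext, usertext))
    return rules


def check_filename(rules, name):
    """Return (action, log text) from the first rule whose regex matches.

    Assumption: rules are tested in file order and the first match wins.
    """
    for action, regex, logtext, _usertext in rules:
        if regex.search(name):
            return action, logtext
    return "allow", "no rule matched"


def check_attachment(rules, attachment_name, members=()):
    """Check an attachment name and the member names found inside it (jar/zip entries).

    Returns the list of (name, log text) pairs that were denied, so the caller
    can see which name tripped the rule rather than only that something did.
    """
    denied = []
    for name in (attachment_name, *members):
        action, logtext = check_filename(rules, name)
        if action == "deny":
            denied.append((name, logtext))
    return denied


def constructed_long_member():
    """A constructed 154-character jar member name in the shape the post describes."""
    prefix, suffix = "path/to/some/", "(blah).class"
    return prefix + "x" * (154 - len(prefix) - len(suffix)) + suffix


if __name__ == "__main__":
    rules = parse_rules(RULES_CONF)
    # The jar itself is short; the member inside it is what hits the .{150,} rule.
    for name, log in check_attachment(rules, "enable.jar", [constructed_long_member()]):
        print(f"Filename Checks: {log} ({name})")
```

Run as a script, it prints one "Filename Checks" line naming the long ".class" member, not "enable.jar", which is the confusing log line the post describes. Because check_attachment returns the offending name alongside the rule's log text, a local wrapper could record that name in a separate header instead of folding a filename-rule hit into the same "Found to be infected" value that real virus detections use.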