Checking Suspected E-Mails

Julian Field MailScanner at
Tue Jun 20 08:50:10 IST 2006

On 20 Jun 2006, at 00:47, Matt Kettler wrote:

> Rick Chadderdon wrote:
> <snip, lots of stuff we basically agree on. However, your platform  
> assumption
> argument isn't 100% valid.>
>> To bring this back onto topic:  Andrew's original problem wasn't the
>> format of the resume, it was the fact that the filename of the resume
>> contained a CLSID string.  If someone sent me a resume with the  
>> filename
>> "TIBOR_BERNER{3EDC67F9-93A4-42C3-AEC1-502D90D9A895}.html", I would be
>> likely to delete it unread, even if it did make it past MailScanner.
> True. I'd agree 100%. There are some filenames that are just over  
> the top.
> However, consider if it was something like "Resume-kettler.matt.pdf".
> You can't take the platform assumption argument, other than that  
> I'm assuming
> you're using a graphical OS. (ok, I'm assuming you're not using a  
> dumb terminal
> connected to a VAX...)
> There's certainly nothing suspect, or even out of the ordinary,  
> about that
> filename.
> The filetype itself is not amenable to carrying attacks. (it's not  
> able to carry
> over-powered macros that can do more-or-less anything like word  
> documents)
> However, that file name would be blocked by the default  
> filename.rules.conf.

No it won't.

> There's no default "allow" rule for pdf's and ".matt.pdf" would  
> match the
> default "double extension" rule.

Read it carefully. It stops .xx.yyy and .xxx.yyy. It does not  
stop .xxxx.yyy.

> For reference, the default double-extension rule is:
>   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$
> The filename would be unreasonably blocked by MailScanner.

No it won't.

Julian Field
Buy the MailScanner book at
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

More information about the MailScanner mailing list