Long filename rule misfire?

Matt Kettler mkettler at evi-inc.com
Sun Mar 19 00:21:49 GMT 2006


I had the "Very long filename" rule from filename.rules.conf fire off today.

Strangely, the file it complained about is only 18 characters long..
"xxxxxxx intuit.gif" (first part of filename censored, appears to be a person's
surname).

Anyone ever see this behavior?


From the report:

Report: MailScanner: Very long filenames are good signs of attacks against
Microsoft e-mail packages (xxxxxxx intuit.gif)


And upon checking in the quarantine, that is the filename it trapped and left in
the quarantine. Odd.


Checking filename.rules.conf, it's still the 150 character rule:

# grep "Very long" filename.rules.conf
deny    .{150,}                 Very long filename, possible OE attack
                                Very long filenames are good signs of attacks
against Microsoft e-mail packages


Version info:

#MailScanner -v
Running on
Linux xanadu.evi-inc.com 2.4.27-grsec #2 Thu Aug 26 14:32:13 EDT 2004 i686 i686
i386 GNU/Linux
This is Red Hat Linux release 9 (Shrike)
This is Perl version 5.008000 (5.8.0)

This is MailScanner version 4.50.15
Module versions are:
<snip>
1.71    Mail::Header
3.05    MIME::Base64
5.419   MIME::Decoder
5.419   MIME::Decoder::UU
5.419   MIME::Head
5.419   MIME::Parser
3.03    MIME::QuotedPrint
5.419   MIME::Tools
<snip>
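
One way to check a quarantined name against the rule quoted above, as an added example that is not part of the original post and not MailScanner's own code. It uses Python's re module rather than MailScanner's Perl matching and assumes the four rule fields are tab-separated. PADDED is a constructed, hypothetical name used only to show an input the rule does match, not a diagnosis of the reported message.

```python
import re

# Rule line as quoted in the post, fields joined by tabs (assumed layout).
RULE_LINE = ("deny\t.{150,}\tVery long filename, possible OE attack\t"
             "Very long filenames are good signs of attacks against "
             "Microsoft e-mail packages")

DISPLAYED = "xxxxxxx intuit.gif"                 # name as shown in the report
PADDED = "xxxxxxx" + " " * 140 + "intuit.gif"    # constructed, hypothetical

def parse_rules(text):
    """Return (action, compiled_regex, log_text, user_text) for each rule line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        fields = [f for f in re.split(r"\t+", line.strip()) if f]
        if len(fields) < 4:
            raise ValueError("expected 4 tab-separated fields: %r" % line)
        action, pattern, log_text, user_text = fields[:4]
        rules.append((action.lower(), re.compile(pattern), log_text, user_text))
    return rules

def first_match(rules, filename):
    """Return (action, log_text) of the first rule that matches, else None."""
    for action, rx, log_text, _user_text in rules:
        if rx.search(filename):
            return action, log_text
    return None

def describe(filename):
    """Facts about a name that a rendered report can hide from the reader."""
    return {
        "chars": len(filename),
        "bytes": len(filename.encode("utf-8")),
        "whitespace": sum(1 for c in filename if c.isspace()),
        "non_printable": sum(1 for c in filename if not c.isprintable()),
        "repr": repr(filename),
    }

if __name__ == "__main__":
    rules = parse_rules(RULE_LINE)
    for name in (DISPLAYED, PADDED):
        print(first_match(rules, name), describe(name))
```

Running describe() on the name exactly as stored in the quarantine directory, rather than as printed in the report, shows whether the two strings are really the same length.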



