Long filename rule misfire?

Dhawal Doshy dhawal at netmagicsolutions.com
Sun Mar 19 07:22:48 GMT 2006

Matt Kettler writes: 

> I had the "Very long filename" rule from filename.rules.conf fire off today. 
> Strangely, the file it complained about is only 18 characters long..
> "xxxxxxx intuit.gif" (first part of filename censored, appears to be a person's
> surname). 
> Anyone ever see this behavior?


This was recently discussed.. mailscanner will sanitize the filename in the 
report. It would be advisable to double check the length of the file name in 
question (either somewhere in the logs or by asking the sender). 

 - dhawal 

>>From the report:
> Report: MailScanner: Very long filenames are good signs of attacks against
> Microsoft e-mail packages (xxxxxxx intuit.gif) 
> And upon checking in the quarantine, that is the filename it trapped and left in
> the quarantine. Odd. 
> Checking filename.rules.conf, it's still the 150 character rule: 
> # grep "Very long" filename.rules.conf
> deny    .{150,}                 Very long filename, possible OE attack
>                                 Very long filenames are good signs of attacks
> against Microsoft e-mail packages 
> Version info: 
> #MailScanner -v
> Running on
> Linux xanadu.evi-inc.com 2.4.27-grsec #2 Thu Aug 26 14:32:13 EDT 2004 i686 i686
> i386 GNU/Linux
> This is Red Hat Linux release 9 (Shrike)
> This is Perl version 5.008000 (5.8.0) 
> This is MailScanner version 4.50.15
> Module versions are:
> <snip>
> 1.71    Mail::Header
> 3.05    MIME::Base64
> 5.419   MIME::Decoder
> 5.419   MIME::Decoder::UU
> 5.419   MIME::Head
> 5.419   MIME::Parser
> 3.03    MIME::QuotedPrint
> 5.419   MIME::Tools
> <snip> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner 
> Before posting, read http://wiki.mailscanner.info/posting 
> Support MailScanner development - buy the book off the website! 

**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
for the use of the addressee(s). If you are not the intended recipient, 
notify the sender by e-mail requesting deletion of the original message.
Further, you are not to copy, disclose, or distribute this e-mail or its
contents to any other person and any such actions are unlawful. NetMagic
Solutions Pvt. Ltd. has taken every reasonable precaution to minimize the 
of virus infection & spam, but is not liable for any damage, you may sustain
as a result of any virus in this e-mail. You should carry out your own virus
checks before opening the e-mail or attachment. NetMagic Solutions Pvt. Ltd.
reserves the right to monitor and review the content of all messages sent to
or from this e-mail address. 

Messages sent to or from this e-mail address may be stored on the NetMagic
Solutions Pvt. Ltd.'s e-mail system.
***************** End of Disclaimer *******************

More information about the MailScanner mailing list