Long filename rule misfire?
Scott Silva
ssilva at sgvwater.com
Sun Mar 19 15:40:40 GMT 2006
Matt Kettler spake the following on 3/18/2006 4:21 PM:
> I had the "Very long filename" rule from filename.rules.conf fire off today.
>
> Strangely, the file it complained about is only 18 characters long..
> "xxxxxxx intuit.gif" (first part of filename censored, appears to be a person's
> surname).
>
> Anyone ever see this behavior?
>
>
> From the report:
>
> Report: MailScanner: Very long filenames are good signs of attacks against
> Microsoft e-mail packages (xxxxxxx intuit.gif)
>
>
> And upon checking in the quarantine, that is the filename it trapped and left in
> the quarantine. Odd.
>
>
> Checking filename.rules.conf, it's still the 150 character rule:
>
> # grep "Very long" filename.rules.conf
> deny .{150,} Very long filename, possible OE attack
> Very long filenames are good signs of attacks
> against Microsoft e-mail packages
>
>
> Version info:
>
> #MailScanner -v
> Running on
> Linux xanadu.evi-inc.com 2.4.27-grsec #2 Thu Aug 26 14:32:13 EDT 2004 i686 i686
> i386 GNU/Linux
> This is Red Hat Linux release 9 (Shrike)
> This is Perl version 5.008000 (5.8.0)
>
> This is MailScanner version 4.50.15
> Module versions are:
> <snip>
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.419 MIME::Decoder
> 5.419 MIME::Decoder::UU
> 5.419 MIME::Head
> 5.419 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.419 MIME::Tools
> <snip>
>
>
I have been getting a few of these. It is some sort of spam message attempt to
get past filtering IMHO.