Curious case of the non-existent file attachment

Jim Holland mailscanner at mango.zw
Tue Sep 19 09:49:35 IST 2006


Hi Julian

For information and possible comment.

I am running:

Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686 
unknown
This is Red Hat Linux release 7.1 (Seawolf)
This is Perl version 5.006001 (5.6.1)
This is MailScanner version 4.56.1

with sendmail 8.13.8

I noticed one message had the following file attachment removed:

	"coworker when .nbs"

because:

	Very long filenames are good signs of attacks against Microsoft 
e-mail packages (coworker when .nbs)

The message was delivered with the following standard warning:

> The original e-mail attachment: "msg-29197-197.html"
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.
>
> At Mon Sep 18 08:19:57 2006 the virus scanner said:
>    MailScanner: Very long filenames are good signs of attacks against 
> Microsoft e-mail packages (coworker when .nbs)

However there is no such file in the message.

The entry in the maillog file includes:

Sep 18 08:20:01 mail MailScanner[29197]: Filename Checks: Very long
filename, possible OE attack (k8I6JYet004116 to look like Vienna
sausages.<br><br>I will be brutally honest with my
girlfriend/sister/coworker when she asks<br>me if her feet are too ugly to
wear sandals.&nbsp; Someone has to tell her that<br>her toes are as long
as my fingers and no sandal makes creepy feet look)

Sep 18 08:20:01 mail MailScanner[29197]: HTML Img tag found in message 
k8I6JYet004116 from user at gmail.com

Sep 18 08:20:01 mail MailScanner[29197]: Saved entire message to 
/var/spool/MailScanner/quarantine/20060918/k8I6JYet004116

Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "coworker when .nbs"
to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116

Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "msg-29197-197.html"
to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116


So for some reason MailScanner has interpreted part of a line in an html 
attachment as being a separate attachment:

coworker when she asks<br>me if her feet are too ugly to wear sandals.&nbsp;

It doesn't look like anything serious, but a curious anomaly.  (Now if 
only I could really understand your Perl code :-)

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
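
A triage sketch for the log pattern reported above, added here and not part of the original message or of MailScanner's code: it flags "Filename Checks" hits whose reported name contains HTML markup, as in this case, and lists what was quarantined for that queue id. The sample lines are the post's log excerpts rejoined onto single lines plus one constructed control entry; the function and regex names are hypothetical.

```python
import re

# Constructed sample: the post's maillog entries rejoined onto single lines,
# plus one constructed control entry (placeholder queue id, plain long name).
SAMPLE_LOG = [
    "Sep 18 08:20:01 mail MailScanner[29197]: Filename Checks: Very long "
    "filename, possible OE attack (k8I6JYet004116 to look like Vienna "
    "sausages.<br><br>I will be brutally honest with my "
    "girlfriend/sister/coworker when she asks<br>me if her feet are too ugly "
    "to wear sandals.&nbsp; Someone has to tell her that<br>her toes are as "
    "long as my fingers and no sandal makes creepy feet look)",
    'Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "coworker when '
    '.nbs" to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116',
    'Sep 18 08:20:01 mail MailScanner[29197]: Saved infected '
    '"msg-29197-197.html" to '
    "/var/spool/MailScanner/quarantine/20060918/k8I6JYet004116",
    "Sep 18 08:21:10 mail MailScanner[29197]: Filename Checks: Very long "
    "filename, possible OE attack (CONSTRUCTED0001 " + "a" * 160 + ".exe)",
]

# "(<queue id> <reported filename>)" layout as seen in the post's log excerpt.
CHECK_RE = re.compile(r"MailScanner\[\d+\]: Filename Checks: (?P<reason>.*?) "
                      r"\((?P<qid>\S+) (?P<name>.*)\)\s*$")
SAVED_RE = re.compile(r'MailScanner\[\d+\]: Saved infected "(?P<name>[^"]*)" '
                      r"to \S*/(?P<qid>[^/\s]+)\s*$")
# HTML tags or character entities are not expected in an attachment name.
MARKUP_RE = re.compile(r"</?[A-Za-z][^>]*>|&(?:[A-Za-z]+|#\d+);")

def suspect_filename_hits(lines):
    """Return Filename Checks hits whose reported name contains HTML markup."""
    saved, hits = {}, []
    for line in lines:
        m = SAVED_RE.search(line)
        if m:
            saved.setdefault(m["qid"], []).append(m["name"])
            continue
        m = CHECK_RE.search(line)
        if m:
            markers = sorted(set(MARKUP_RE.findall(m["name"])))
            if markers:
                hits.append({"qid": m["qid"], "reason": m["reason"],
                             "markers": markers, "length": len(m["name"])})
    # Attach the names that were quarantined so the admin can review them.
    for hit in hits:
        hit["saved"] = saved.get(hit["qid"], [])
    return hits

if __name__ == "__main__":
    for hit in suspect_filename_hits(SAMPLE_LOG):
        print(hit["qid"], hit["markers"], hit["saved"])
```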


