Curious case of the non-existent file attachment

Jim Holland mailscanner at mango.zw
Tue Sep 19 10:24:05 IST 2006


On Tue, 19 Sep 2006, Jim Holland wrote:

> Date: Tue, 19 Sep 2006 10:49:35 +0200 (CAT)
> From: Jim Holland <mailscanner at mango.zw>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner mailing list <mailscanner at lists.mailscanner.info>
> Subject: Curious case of the non-existent file attachment
> 
> Hi Julian
> 
> For information and possible comment.
> 
> I am running:
> 
> Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686 
> unknown
> This is Red Hat Linux release 7.1 (Seawolf)
> This is Perl version 5.006001 (5.6.1)
> This is MailScanner version 4.56.1
> 
> with sendmail 8.13.8
> 
> I noticed one message had the following file attachment removed:
> 
> 	"coworker when .nbs"
> 
> because:
> 
> 	Very long filenames are good signs of attacks against Microsoft 
> e-mail packages (coworker when .nbs)
> 
> The message was delivered with the following standard warning:
> 
> > The original e-mail attachment: "msg-29197-197.html"
> > is on the list of unacceptable attachments for this site and has been
> > replaced by this warning message.
> >
> > At Mon Sep 18 08:19:57 2006 the virus scanner said:
> >    MailScanner: Very long filenames are good signs of attacks against 
> > Microsoft e-mail packages (coworker when .nbs)
> 
> However there is no such file in the message.
> 
> The entry in the maillog file includes:
> 
> Sep 18 08:20:01 mail MailScanner[29197]: Filename Checks: Very long
> filename, possible OE attack (k8I6JYet004116 to look like Vienna
> sausages.<br><br>I will be brutally honest with my
> girlfriend/sister/coworker when she asks<br>me if her feet are too ugly to
> wear sandals.&nbsp; Someone has to tell her that<br>her toes are as long
> as my fingers and no sandal makes creepy feet look)
> 
> Sep 18 08:20:01 mail MailScanner[29197]: HTML Img tag found in message 
> k8I6JYet004116 from user at gmail.com
> 
> Sep 18 08:20:01 mail MailScanner[29197]: Saved entire message to 
> /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
> 
> Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "coworker when .nbs"
> to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
> 
> Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "msg-29197-197.html"
> to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
> 
> 
> So for some reason MailScanner has interpreted part of a line in an html 
> attachment as being a separate attachment:
> 
> coworker when she asks<br>me if her feet are too ugly to wear sandals.&nbsp;
> 
> It doesn't look like anything serious, but a curious anomaly.  (Now if 
> only I could really understand your Perl code :-)

I think I have found the explanation - the full relevant line in the html
attachment is:

begin to look like Vienna sausages.<br><br>I will be brutally honest with 
my girlfriend/sister/coworker when she asks<br>me if her feet are too ugly 
to wear sandals.&nbsp; Someone has to tell her that<br>her toes are as 
long as my fingers and no sandal makes creepy feet look

It looks as if this has been interpreted as the start of a uuencoded
attachment (uuencoding starts with a "begin <permissions> filename" line).  
Perhaps that part of the code should check to see if the following lines
really do look like uuencoding.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
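
The check suggested above, sketched as an added example (not part of the original post and not MailScanner's code): a "begin" line counts as an attachment only when well-formed uuencoded data, a zero-length line and "end" follow it. The lenient header pattern and the function names are assumptions for illustration; the second line of HTML_SAMPLE and all of UU_SAMPLE are constructed.

```python
import re

# Lenient header match, assumed here for illustration: "begin <word> <rest>".
BEGIN_RE = re.compile(r"^begin\s+(\S+)\s+(.+)$")

def uu_line_bytes(line):
    """Decoded byte count if `line` is shaped like uuencoded data, else -1."""
    # Every character must fall in the uuencode alphabet, 0x20..0x60.
    if not line or any(not 0x20 <= ord(c) <= 0x60 for c in line):
        return -1
    nbytes = (ord(line[0]) - 0x20) & 0x3F   # first character carries the count
    # At most 45 bytes per line, encoded as 4 characters per 3-byte group.
    if nbytes > 45 or len(line) - 1 != (nbytes + 2) // 3 * 4:
        return -1
    return nbytes

def find_uu_attachments(text):
    """Return names from 'begin' lines that are followed by a real uu body."""
    lines = text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if not m:
            continue
        j = i + 1
        while j < len(lines) and uu_line_bytes(lines[j]) > 0:
            j += 1
        # Require at least one data line, then a zero-length line, then "end".
        if (j > i + 1 and j + 1 < len(lines)
                and uu_line_bytes(lines[j]) == 0 and lines[j + 1] == "end"):
            found.append(m.group(2))
    return found

# First line is the HTML line quoted in the post; second line is constructed.
HTML_SAMPLE = (
    "begin to look like Vienna sausages.<br><br>I will be brutally honest "
    "with my girlfriend/sister/coworker when she asks<br>me if her feet are "
    "too ugly to wear sandals.&nbsp; Someone has to tell her that<br>her toes "
    "are as long as my fingers and no sandal makes creepy feet look\n"
    "good.<br></body></html>\n"
)

# Constructed sample: the three bytes "Cat" uuencoded as cat.txt.
UU_SAMPLE = "begin 644 cat.txt\n#0V%T\n`\nend\n"

if __name__ == "__main__":
    print(find_uu_attachments(HTML_SAMPLE))  # header matches, body does not
    print(find_uu_attachments(UU_SAMPLE))
```

A validator this strict will also skip bodies from encoders that trim trailing padding, so a filter built on it should treat "header matched, body rejected" as something to log rather than silently ignore.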