Curious case of the non-existent file attachment
Glenn Steen
glenn.steen at gmail.com
Tue Sep 19 10:31:09 IST 2006
On 19/09/06, Jim Holland <mailscanner at mango.zw> wrote:
> Hi Julian
>
> For information and possible comment.
>
> I am running:
>
> Linux mail.mango.zw 2.4.20-28.7 #1 Thu Dec 18 11:15:04 EST 2003 i686
> unknown
> This is Red Hat Linux release 7.1 (Seawolf)
> This is Perl version 5.006001 (5.6.1)
> This is MailScanner version 4.56.1
>
> with sendmail 8.13.8
>
> I noticed one message had the following file attachment removed:
>
> "coworker when .nbs"
>
> because:
>
> Very long filenames are good signs of attacks against Microsoft
> e-mail packages (coworker when .nbs)
>
> The message was delivered with the following standard warning:
>
> > The original e-mail attachment: "msg-29197-197.html"
> > is on the list of unacceptable attachments for this site and has been
> > replaced by this warning message.
> >
> > At Mon Sep 18 08:19:57 2006 the virus scanner said:
> > MailScanner: Very long filenames are good signs of attacks against
> > Microsoft e-mail packages (coworker when .nbs)
>
> However there is no such file in the message.
>
> The entry in the maillog file includes:
>
> Sep 18 08:20:01 mail MailScanner[29197]: Filename Checks: Very long
> filename, possible OE attack (k8I6JYet004116 to look like Vienna
> sausages.<br><br>I will be brutally honest with my
> girlfriend/sister/coworker when she asks<br>me if her feet are too ugly to
> wear sandals. Someone has to tell her that<br>her toes are as long
> as my fingers and no sandal makes creepy feet look)
>
> Sep 18 08:20:01 mail MailScanner[29197]: HTML Img tag found in message
> k8I6JYet004116 from user at gmail.com
>
> Sep 18 08:20:01 mail MailScanner[29197]: Saved entire message to
> /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
>
> Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "coworker when .nbs"
> to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
>
> Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "msg-29197-197.html"
> to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116
>
>
> So for some reason MailScanner has interpreted part of a line in an html
> attachment as being a separate attachment:
>
> coworker when she asks<br>me if her feet are too ugly to wear sandals.
>
> It doesn't look like anything serious, but a curious anomaly. (Now if
> only I could really understand your Perl code :-)
>
You wouldn't happen to have the original around (Archiving perhaps?
Nah, didn't think so:-)? Mightn't this be a bungled spam... Where the
mime part is seriously out of whack?
Hard to tell without the original message:)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
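
An added example for the anomaly discussed in this thread, not part of either poster's message or of MailScanner's own code: it groups maillog entries by queue ID and flags "Filename Checks" hits whose reported name contains HTML markup or reads like a sentence, which suggests body text was taken for a filename. The sample lines are constructed from the log format quoted above (the second message is invented for contrast), and the function names and word threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog lines quoted in the thread, one
# entry per line. The k8I6KAet004200 message is invented for contrast.
SAMPLE_LOG = "\n".join([
    'Sep 18 08:20:01 mail MailScanner[29197]: Filename Checks: Very long '
    'filename, possible OE attack (k8I6JYet004116 to look like Vienna '
    'sausages.<br><br>I will be brutally honest with my '
    'girlfriend/sister/coworker when she asks<br>me if her feet are too ugly)',
    'Sep 18 08:20:01 mail MailScanner[29197]: Saved infected "coworker when '
    '.nbs" to /var/spool/MailScanner/quarantine/20060918/k8I6JYet004116',
    'Sep 18 08:20:01 mail MailScanner[29197]: Saved infected '
    '"msg-29197-197.html" to '
    '/var/spool/MailScanner/quarantine/20060918/k8I6JYet004116',
    'Sep 18 08:21:10 mail MailScanner[29197]: Filename Checks: Very long '
    'filename, possible OE attack (k8I6KAet004200 holiday photos.jpg'
    + ' ' * 150 + '.pif)',
])

FILENAME_CHECK = re.compile(
    r"MailScanner\[\d+\]: Filename Checks: (?P<reason>.+?) "
    r"\((?P<qid>\S+) (?P<name>.*)\)\s*$")
SAVED = re.compile(
    r'MailScanner\[\d+\]: Saved infected "(?P<name>[^"]*)" to '
    r"\S*/(?P<qid>[^/\s]+)\s*$")
HTML_TAG = re.compile(r"</?[A-Za-z][^>]*>")

def looks_like_body_text(name, max_words=8):
    """Heuristic (assumed threshold): markup or a long run of words."""
    return bool(HTML_TAG.search(name)) or len(name.split()) > max_words

def triage(log_text):
    """Map queue ID -> suspected mis-parsed names plus what was quarantined."""
    flagged, saved = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := FILENAME_CHECK.search(line):
            flagged[m["qid"]].append(m["name"])
        elif m := SAVED.search(line):
            saved[m["qid"]].append(m["name"])
    return {qid: {"misparsed": [n for n in names if looks_like_body_text(n)],
                  "quarantined": saved[qid]}
            for qid, names in flagged.items()
            if any(looks_like_body_text(n) for n in names)}

if __name__ == "__main__":
    for qid, info in triage(SAMPLE_LOG).items():
        print(qid, info["quarantined"], info["misparsed"][0][:60])
```

Queue IDs it returns are candidates for pulling the saved original from quarantine and inspecting the MIME structure by hand.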