Very long filenames?

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jun 29 16:30:49 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Ken Goods wrote:
> I received this notification this morning. 
>
> Subject: Re: 
> MessageID: l5TDre77020228
> Quarantine: /var/spool/MailScanner/quarantine/20070629/l5TDre77020228
> Report: MailScanner: Very long filenames are good signs of attacks against
> Microsoft e-mail packages (TCA2AR759CAY3E.jpg)
>
> I was just wondering how long is a *long* filename? This doesn't appear to
> be excessive as we commonly get Word documents that are much longer. I
> looked around but couldn't find the upper limit that triggers this rule.
>   
The version you see in reports is the sanitised version of the filename. 
I don't ever output the original filename without sanitising it first. 
The original filename would have been a lot longer than this.

The original filename could be used to attack either MailScanner or your 
email client. Imagine what would happen if you had a long filename that 
contained MIME boundaries and headers in it? You could embed an entire 
virus in the filename of an attachment if you got it just right. That 
would be Very Bad.

> Thanks,
> Ken
>
> Ken Goods
> Network Administrator
> CropUSA Insurance, Inc.
>   

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGhSWqEfZZRxQVtlQRAnjuAKDjMj6/2Mi82Eo91q3lUaq5OfWEQQCgxlgq
QHbvQ6+AyInFCLxlVsCV5sc=
=xVco
-----END PGP SIGNATURE-----
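
The check discussed in this message, as an added example that is not part of the original post and is not MailScanner's own code: it walks a message's MIME parts, flags attachment filenames that are very long or contain control characters, and only ever reports a sanitised form of the name. The `MAX_LEN` and `REPORT_LEN` values, the sanitising rule and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

MAX_LEN = 150      # assumed threshold, not MailScanner's configured value
REPORT_LEN = 20    # assumed cap on the name shown in reports
UNSAFE = re.compile(r"[^A-Za-z0-9_-]")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def sanitise(name):
    """Return a short, printable form of a filename for reports and logs."""
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # no extension present
        stem, ext = name, ""
    stem = UNSAFE.sub("", stem)[:REPORT_LEN] or "unnamed"
    ext = UNSAFE.sub("", ext)[:5]
    return f"{stem}.{ext}" if ext else stem

def check_attachments(raw):
    """Return [(sanitised_name, reasons)] for every named MIME part."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name is None:
            continue
        reasons = []
        if len(name) > MAX_LEN:
            reasons.append("very long filename")
        if CONTROL.search(name):
            reasons.append("control characters in filename")
        # The raw name is never stored or printed, only the sanitised one.
        findings.append((sanitise(name), reasons))
    return findings

# Constructed sample message: one ordinary attachment, one with a 304-character name.
LONG = "A" * 300 + ".jpg"
SAMPLE = (
    "From: a@example.com\nSubject: test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: application/msword\n"
    'Content-Disposition: attachment; filename="Quarterly report.doc"\n\nx\n'
    "--b1\nContent-Type: image/jpeg\n"
    f'Content-Disposition: attachment; filename="{LONG}"\n\nx\n'
    "--b1--\n"
)

if __name__ == "__main__":
    for shown, why in check_attachments(SAMPLE):
        print(shown, "->", ", ".join(why) or "ok")
```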
