Mailscanner filename check and report

Rose, Bobby brose at med.wayne.edu
Sat Nov 10 14:37:13 GMT 2007


 
I've been using MailScanner for years and I've seen this issue a couple
times before but just assumed it was a user mistake.  I've seen
sender.filename.report send back a message with the wrong $filename
string.  What it sends back is a random string of characters.

The message says

One or more of the attachments (VAmRh3qo9P) are on the list of
unacceptable attachments for this site and will not have been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)

But in the maillogs, it has the real filename

Nov  8 10:09:33 eeyore MailScanner[25630]: Message lA8F96O2031926 from
155.139.50.90 (cadams2 at dmc.org) to med.wayne.edu is too big for spam
checks (2826228 > 200000 bytes)
Nov  8 10:10:23 eeyore MailScanner[25630]: Expanding TNEF archive at
/var/spool/MailScanner/incoming/25630/lA8F96O2031926/winmail.dat
Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 added
TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip
Education.lg.10.31.20071.ppt
Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 has
had TNEF winmail.dat removed
Nov  8 10:10:28 eeyore MailScanner[25630]: Filename Checks: Found
possible filename hiding (lA8F96O2031926 RHO Flip
Education.lg.10.31.20071.ppt.doc)
Nov  8 10:10:36 eeyore MailScanner[25630]: Logging message
lA8F96O2031926 to SQL
Nov  8 10:10:36 eeyore MailScanner[25756]: lA8F96O2031926: Logged to
MailWatch SQL

I'm not sure of the conditions that lead to this because it doesn't
always happen and if I test myself, the sender.filename.report message
is correct.  Anyone else seen this before?

-=B


