Mailscanner filename check and report
MailScanner at ecs.soton.ac.uk
Sat Nov 10 16:18:16 GMT 2007
I would be very interested if someone can give me a reproducible example
of when it goes wrong. Before I get that, there's unfortunately very
little I can do about this problem, sorry.
Rose, Bobby wrote:
> I've been using MailScanner for years and I've seen this issue a couple
> times before but just assumed it was a user mistake. I've seen
> sender.filename.report send back a message with the wrong $filename
> string. What it sends back is a random string of characters.
> The message says
> One or more of the attachments (VAmRh3qo9P) are on the list of
> unacceptable attachments for this site and will not have been delivered.
> Consider renaming the files to avoid this constraint.
> The virus detector said this about the message:
> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
> But in the maillogs, it has the real filename
> Nov 8 10:09:33 eeyore MailScanner: Message lA8F96O2031926 from
> 22.214.171.124 (cadams2 at dmc.org) to med.wayne.edu is too big for spam
> checks (2826228 > 200000 bytes)
> Nov 8 10:10:23 eeyore MailScanner: Expanding TNEF archive at
> Nov 8 10:10:24 eeyore MailScanner: Message lA8F96O2031926 added
> TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip
> Nov 8 10:10:24 eeyore MailScanner: Message lA8F96O2031926 has
> had TNEF winmail.dat removed
> Nov 8 10:10:28 eeyore MailScanner: Filename Checks: Found
> possible filename hiding (lA8F96O2031926 RHO Flip
> Nov 8 10:10:36 eeyore MailScanner: Logging message
> lA8F96O2031926 to SQL
> Nov 8 10:10:36 eeyore MailScanner: lA8F96O2031926: Logged to
> MailWatch SQL
> I'm not sure of the conditions that lead to this because it doesn't
> always happen and if I test myself, the sender.filename.report message
> is correct. Anyone else seen this before?
Julian Field MEng CITP
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk