Mailscanner filename check and report

Julian Field MailScanner at ecs.soton.ac.uk
Sat Nov 10 16:18:16 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would be very interested if someone can give me a reproducible example 
of when it goes wrong. Before I get that, there's unfortunately very 
little I can do about this problem, sorry.

Rose, Bobby wrote:
>  
> I've been using MailScanner for years and I've seen this issue a couple
> times before but just assumed it was a user mistake.  I've seen
> sender.filename.report send back a message with the wrong $filename
> string.  What it sends back is a random string of characters.
>
> The message says
>
> One or more of the attachments (VAmRh3qo9P) are on the list of
> unacceptable attachments for this site and will not have been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
>
> But in the maillogs, it has the real filename
>
> Nov  8 10:09:33 eeyore MailScanner[25630]: Message lA8F96O2031926 from
> 155.139.50.90 (cadams2 at dmc.org) to med.wayne.edu is too big for spam
> checks (2826228 > 200000 bytes)
> Nov  8 10:10:23 eeyore MailScanner[25630]: Expanding TNEF archive at
> /var/spool/MailScanner/incoming/25630/lA8F96O2031926/winmail.dat
> Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 added
> TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip
> Education.lg.10.31.20071.ppt
> Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 has
> had TNEF winmail.dat removed
> Nov  8 10:10:28 eeyore MailScanner[25630]: Filename Checks: Found
> possible filename hiding (lA8F96O2031926 RHO Flip
> Education.lg.10.31.20071.ppt.doc)
> Nov  8 10:10:36 eeyore MailScanner[25630]: Logging message
> lA8F96O2031926 to SQL
> Nov  8 10:10:36 eeyore MailScanner[25756]: lA8F96O2031926: Logged to
> MailWatch SQL
>
> I'm not sure of the conditions that lead to this because it doesn't
> always happen and if I test myself, the sender.filename.report message
> is correct.  Anyone else seen this before?
>
> -=B
>
>   

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 867)
Comment: Use Thunderbird's Enigmail add-on to verify this message
Charset: ISO-8859-1

wj8DBQFHNdnJEfZZRxQVtlQRAld6AJ42jnVnrHomdy3pX7a6SqFtNMwL1QCggaTy
x3V3Bb6MSavDu4LCKFc4fCw=
=Bt9c
-----END PGP SIGNATURE-----
