Mailscanner filename check and report
brose at med.wayne.edu
Sat Nov 10 18:36:32 GMT 2007
I've been trying to reproduce but haven't, but the issue could probably
be explained if we knew where MailScanner's report mech is getting that
random string name.
I had another yesterday.
Report: Attempt to hide real filename extension (zTEEXqUDfZ)
but logs have
Nov 9 11:06:32 eeyore MailScanner: Expanding TNEF archive at
Nov 9 11:06:32 eeyore MailScanner: Message lA9G6Nc2009380 added
TNEF contents Dr_Vay_shopcart.aspx.htm
Nov 9 11:06:32 eeyore MailScanner: Message lA9G6Nc2009380 has had
TNEF winmail.dat removed
Nov 9 11:06:34 eeyore MailScanner: Filename Checks: Found
possible filename hiding (lA9G6Nc2009380 Dr_Vay_shopcart.aspx.htm)
Is that random string something generated from the tnef extraction?
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Sent: Saturday, November 10, 2007 11:18 AM
To: MailScanner discussion
Subject: Re: Mailscanner filename check and report
I would be very interested if someone can give me a reproducible example
of when it goes wrong. Before I get that, there's unfortunately very
little I can do about this problem, sorry.
Rose, Bobby wrote:
> I've been using MailScanner for years and I've seen this issue a couple
> of times before but just assumed it was a user mistake. I've seen
> sender.filename.report send back a message with the wrong $filename
> string. What it sends back is a random string of characters.
> The message says
> One or more of the attachments (VAmRh3qo9P) are on the list of
> unacceptable attachments for this site and will not have been
> Consider renaming the files to avoid this constraint.
> The virus detector said this about the message:
> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
> But in the maillogs, it has the real filename
> Nov 8 10:09:33 eeyore MailScanner: Message lA8F96O2031926 from
> 126.96.36.199 (cadams2 at dmc.org) to med.wayne.edu is too big for spam
> checks (2826228 > 200000 bytes)
> Nov 8 10:10:23 eeyore MailScanner: Expanding TNEF archive at
> Nov 8 10:10:24 eeyore MailScanner: Message lA8F96O2031926
> added TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip
> Education.lg.10.31.20071.ppt
> Nov 8 10:10:24 eeyore MailScanner: Message lA8F96O2031926 has had
> TNEF winmail.dat removed
> Nov 8 10:10:28 eeyore MailScanner: Filename Checks:
> Found possible filename hiding (lA8F96O2031926 RHO Flip
> Nov 8 10:10:36 eeyore MailScanner: Logging message
> lA8F96O2031926 to SQL
> Nov 8 10:10:36 eeyore MailScanner: lA8F96O2031926: Logged to
> MailWatch SQL
> I'm not sure of the conditions that lead to this because it doesn't
> always happen and if I test myself, the sender.filename.report message
> is correct. Anyone else seen this before?
Julian Field MEng CITP
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all
your IT requirements visit www.transtec.co.uk