Mailscanner filename check and report

Rose, Bobby brose at med.wayne.edu
Sat Nov 10 18:36:32 GMT 2007


I've been trying to reproduce but haven't, but the issue could probably
be explained if we knew where MailScanner's report mech is getting that
random string name.

I had another yesterday.
    Report: Attempt to hide real filename extension (zTEEXqUDfZ)

but logs have 

Nov  9 11:06:32 eeyore MailScanner[6019]: Expanding TNEF archive at /var/spool/MailScanner/incoming/6019/lA9G6Nc2009380/winmail.dat
Nov  9 11:06:32 eeyore MailScanner[6019]: Message lA9G6Nc2009380 added TNEF contents Dr_Vay_shopcart.aspx.htm
Nov  9 11:06:32 eeyore MailScanner[6019]: Message lA9G6Nc2009380 has had TNEF winmail.dat removed
Nov  9 11:06:34 eeyore MailScanner[6019]: Filename Checks: Found possible filename hiding (lA9G6Nc2009380 Dr_Vay_shopcart.aspx.htm)

Is that random string something generated from the tnef extraction?


 

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Field
Sent: Saturday, November 10, 2007 11:18 AM
To: MailScanner discussion
Subject: Re: Mailscanner filename check and report

I would be very interested if someone can give me a reproducible example
of when it goes wrong. Before I get that, there's unfortunately very
little I can do about this problem, sorry.

Rose, Bobby wrote:
>  
> I've been using MailScanner for years and I've seen this issue a couple
> times before but just assumed it was a user mistake.  I've seen
> sender.filename.report send back a message with the wrong $filename
> string.  What it sends back is a random string of characters.
>
> The message says
>
> One or more of the attachments (VAmRh3qo9P) are on the list of
> unacceptable attachments for this site and will not have been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
>
> But in the maillogs, it has the real filename
>
> Nov  8 10:09:33 eeyore MailScanner[25630]: Message lA8F96O2031926 from 155.139.50.90 (cadams2 at dmc.org) to med.wayne.edu is too big for spam checks (2826228 > 200000 bytes)
> Nov  8 10:10:23 eeyore MailScanner[25630]: Expanding TNEF archive at /var/spool/MailScanner/incoming/25630/lA8F96O2031926/winmail.dat
> Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 added TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip Education.lg.10.31.20071.ppt
> Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 has had TNEF winmail.dat removed
> Nov  8 10:10:28 eeyore MailScanner[25630]: Filename Checks: Found possible filename hiding (lA8F96O2031926 RHO Flip Education.lg.10.31.20071.ppt.doc)
> Nov  8 10:10:36 eeyore MailScanner[25630]: Logging message lA8F96O2031926 to SQL
> Nov  8 10:10:36 eeyore MailScanner[25756]: lA8F96O2031926: Logged to MailWatch SQL
>
> I'm not sure of the conditions that lead to this because it doesn't
> always happen and if I test myself, the sender.filename.report message
> is correct.  Anyone else seen this before?
>
> -=B
>
>   

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


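
When a report like the ones in this thread shows only a placeholder string, the real attachment name can be recovered from syslog by queue ID. The following is an added example, not code from the thread or from MailScanner; it assumes the log line formats exactly as quoted above, and the function names `correlate` and `explain_report` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: log entries quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 added TNEF contents RHO Flip Education.lg.10.31.20071.ppt.doc,RHO Flip Education.lg.10.31.20071.ppt
Nov  8 10:10:24 eeyore MailScanner[25630]: Message lA8F96O2031926 has had TNEF winmail.dat removed
Nov  8 10:10:28 eeyore MailScanner[25630]: Filename Checks: Found possible filename hiding (lA8F96O2031926 RHO Flip Education.lg.10.31.20071.ppt.doc)
Nov  9 11:06:32 eeyore MailScanner[6019]: Message lA9G6Nc2009380 added TNEF contents Dr_Vay_shopcart.aspx.htm
Nov  9 11:06:34 eeyore MailScanner[6019]: Filename Checks: Found possible filename hiding (lA9G6Nc2009380 Dr_Vay_shopcart.aspx.htm)
"""

# Syslog prefix as it appears in the thread: timestamp, host, MailScanner[pid]:
PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[\d+\]: "
TNEF_RE = re.compile(
    PREFIX + r"Message (?P<id>\S+) added TNEF contents (?P<names>.+?)\s*$")
HIDE_RE = re.compile(
    PREFIX + r"Filename Checks: Found possible filename hiding "
             r"\((?P<id>\S+) (?P<name>.+)\)\s*$")

def correlate(log_text):
    """Group filename-hiding hits and TNEF member names by queue ID."""
    msgs = defaultdict(lambda: {"tnef": [], "flagged": []})
    for line in log_text.splitlines():
        m = TNEF_RE.match(line)
        if m:
            # Assumption: member names are comma-separated and contain no commas.
            msgs[m["id"]]["tnef"].extend(m["names"].split(","))
            continue
        m = HIDE_RE.match(line)
        if m:
            msgs[m["id"]]["flagged"].append((m["ts"], m["name"]))
    return dict(msgs)

def explain_report(log_text, queue_id):
    """Return (real filename, came_from_tnef) for each hit on one message."""
    entry = correlate(log_text).get(queue_id, {"tnef": [], "flagged": []})
    return [(name, name in entry["tnef"]) for _ts, name in entry["flagged"]]

if __name__ == "__main__":
    for qid in ("lA8F96O2031926", "lA9G6Nc2009380"):
        print(qid, explain_report(SAMPLE_LOG, qid))
```

Both flagged files in the thread's logs came out of a `winmail.dat` expansion, which the second field of each result makes visible when collecting cases to reproduce the problem.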