Mailscanner filename check and report

Greg Borders gborders at balanceconsult.com
Tue Nov 13 14:15:03 GMT 2007




>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Saturday, November 10, 2007 11:18 AM
> To: MailScanner discussion
> Subject: Re: Mailscanner filename check and report
>
>
> I would be very interested if someone can give me a reproducible example
> of when it goes wrong. Before I get that, there's unfortunately very
> little I can do about this problem, sorry.
>
> Rose, Bobby wrote:
>   
>>  
>> I've been using MailScanner for years and I've seen this issue a couple 
>> times before but just assumed it was a user mistake.  I've seen 
>> sender.filename.report send back a message with the wrong $filename 
>> string.  What it sends back is a random string of characters.
>>
>> The message says
>>
>> One or more of the attachments (VAmRh3qo9P) are on the list of 
>> unacceptable attachments for this site and will not have been delivered.
>> Consider renaming the files to avoid this constraint.
>>
>> The virus detector said this about the message:
>> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
>>
>> But in the maillogs, it has the real filename
>>     

>> I'm not sure of the conditions that lead to this because it doesn't 
>> always happen and if I test myself, the sender.filename.report message
>> is correct.  Anyone else seen this before?
>>
>> -=B
>>
>>   
>>     
>
> Jules
>
> - --
> Julian Field MEng CITP
contents RHO Flip Education.lg.10.31.20071.ppt.doc

Dr_Vay_shopcart.aspx.htm


It might have something to do with the fact that the file names have 
multiple "." periods within the filename.  MailScanner's test might 
think that they are trying to hide a file behind a second extension.  
Especially bad for those with Windows with the view known extensions 
off.  An old virus trick was to call a file something like 
"mycutethingclickme.doc.exe" and the poor user would only see the 
"mycutethingclickme.doc".  I think Jules' test might be warning of 
that.  Check and see if all the files that are getting held back are 
multi-dotted. The two you reported certainly are.

Greg. Borders
Sysadmin "at large"
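
The double-extension check discussed in the message above, as an added example that is not part of the original post and is not MailScanner's own code. The regular expression, the executable-extension list and every sample name other than the two quoted in the thread are assumptions made for illustration.

```python
import re

# Assumed heuristic (not MailScanner's shipped rule): the name ends in two
# extension-like components, optionally separated by padding whitespace.
DOUBLE_EXT = re.compile(r"\.([a-z][a-z0-9]{2,3})\s*\.([a-z0-9]{3})$", re.I)

# Assumed short list of extensions that Windows runs on double-click.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# Sample names; the first two are quoted in the thread, the rest are constructed.
SAMPLES = [
    "RHO Flip Education.lg.10.31.20071.ppt.doc",
    "Dr_Vay_shopcart.aspx.htm",
    "mycutethingclickme.doc.exe",
    "invoice.pdf          .scr",
    "quarterly-report.pdf",
    "backup.tar.gz",
]


def shown_with_hidden_extensions(name):
    """What a user sees when Windows hides the final (known) extension."""
    stem, dot, _ext = name.rpartition(".")
    return stem.rstrip() if dot else name


def check_filename(name):
    """Return (verdict, detail); verdict is 'ok', 'suspicious' or 'dangerous'."""
    name = name.strip()
    match = DOUBLE_EXT.search(name)
    if not match:
        return "ok", ""
    inner, outer = match.group(1).lower(), match.group(2).lower()
    if outer in EXECUTABLE:
        shown = shown_with_hidden_extensions(name)
        return "dangerous", f"shown as {shown!r}, runs as .{outer}"
    # Harmless-looking pairs such as .ppt.doc still trip the pattern.
    return "suspicious", f"double extension .{inner}.{outer}"


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, detail = check_filename(sample)
        print(f"{verdict:10} {sample!r} {detail}")
```

Both filenames from the thread come out as "suspicious" although neither ends in an executable extension, which is the false-positive case raised above.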
