Mailscanner filename check and report
gborders at balanceconsult.com
Tue Nov 13 14:15:03 GMT 2007
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Sent: Saturday, November 10, 2007 11:18 AM
> To: MailScanner discussion
> Subject: Re: Mailscanner filename check and report
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I would be very interested if someone can give me a reproducible example
> of when it goes wrong. Before I get that, there's unfortunately very
> little I can do about this problem, sorry.
> Rose, Bobby wrote:
>> I've been using MailScanner for years and I seen this issue a couple
>> times before but just assumed it was a user mistake. I've seen
>> sender.filename.report sends back a message with the wrong $filename
>> string. What is sends back is a random string of characters.
>> The message says
>> One or more of the attachments (VAmRh3qo9P) are on the list of
>> unacceptable attachments for this site and will not have been
>> Consider renaming the files to avoid this constraint.
>> The virus detector said this about the message:
>> Report: Report: Attempt to hide real filename extension (VAmRh3qo9P)
>> But in the maillogs, it has the real filename
>> I'm not sure of the conditions that lead to this because it doesn't
>> always happen and if I test myself, the sender.filename.report message
>> is correct. Anyone else seen this before?
> - --
> Julian Field MEng CITP
contents RHO Flip Education.lg.10.31.20071.ppt.doc
It might have something to do with the fact that the file names have
multiple "." periods within the filename. MailScanner's test might
think that they are trying to hide a file behind a second extension.
Especially bad for those with Windows with the view known extensions
off. An old virus trick was to call a file somthing like "
mycutethingclickme.doc.exe" And the poor user would only see the
"mycutethingclickme.doc". I think Jule's test might be warning of
that. Check and see if all the files that are getting held back are
multi-dotted. The two you reported certianly are.
Sysadmin "at large"
This email message and any document accompanying it may contain information intended only for the person(s) named.
Any use, distribution, copying or disclosure by another person is strictly prohibited.
NOTICE TO PERSONS SUBJECT TO UNITED STATES TAXATION:
DISCLOSURE UNDER TREASURY CIRCULAR 230:
Any tax advice included in this written or electronic communication was not intended or written to be used,
and it cannot be used by the taxpayer, for the purpose of avoiding any penalties that may be imposed on the taxpayer
by any governmental taxing authority or agency.
This written or electronic communication does not represent legal advice.
Persons in need of a legal opinion should seek competent counsel.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the MailScanner