Filename FP ?

UxBoD uxbod at splatnix.net
Tue Oct 23 13:57:21 IST 2007 

Hmmm, I have checked maillog and the actual filename which triggered the message was :-

Filename Checks: Very long filename, possible OE attack (BCF9B7CF36C.A54BD =?iso-8859-1?Q?467-2007-Flexsys-Substitui=E7=E3o_de_L=E2mpadas=2C_Pusch_B?=    =?iso-8859-1?Q?ottoun_e_Chave_de_2_Posi=E7=F5es_em_4_Pain=E9is_na_=E1rea_?=     =?iso-8859-1?Q?do_Pastilhamento.doc?=) 

Is it down to the remote encoding that has caused this to happen ?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

----- Original Message -----
From: "UxBoD" <uxbod at splatnix.net>
To: mailscanner at lists.mailscanner.info
Sent: Tuesday, October 23, 2007 1:38:08 PM (GMT) Europe/London
Subject: Filename FP ?

Hi,

I am running the latest release of MS and noticed this morning that a file to one of our uses got blocked with the following :-

MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (467-2007-Flexs.doc)

>From what I can see the old thing that triggers this is in filename.rules.conf which has :-

deny   .{150,}                 Very long filename, possible OE attack                                          Very long filenames are good signs of attacks against Microsoft e-mail packages

Yet if run the following against that filename :-

#!/usr/bin/perl

$x = "467-2007-Flexs.doc";
if ($x =~ /.{150,}/ ) { print "YES"; }

It does not get triggered.  Any ideas ? I have looked at SweepOther.pm and nothing jumps out at me :(

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list