Filename FP ?

UxBoD uxbod at splatnix.net
Tue Oct 23 18:36:52 IST 2007


Hi Scott,

Yeah I guessed as much, just odd how it ends up properly formatted in MailWatch.  I have disabled the rule anyway as we are a Lotus Notes site.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net

----- Original Message -----
From: "Scott Silva" <ssilva at sgvwater.com>
To: mailscanner at lists.mailscanner.info
Sent: Tuesday, October 23, 2007 5:24:45 PM (GMT) Europe/London
Subject: Re: Filename FP ?

on 10/23/2007 5:57 AM UxBoD spake the following:
> Hmmm, I have checked maillog and the actual filename which triggered the message was :-
> 
> Filename Checks: Very long filename, possible OE attack (BCF9B7CF36C.A54BD =?iso-8859-1?Q?467-2007-Flexsys-Substitui=E7=E3o_de_L=E2mpadas=2C_Pusch_B?=    =?iso-8859-1?Q?ottoun_e_Chave_de_2_Posi=E7=F5es_em_4_Pain=E9is_na_=E1rea_?=     =?iso-8859-1?Q?do_Pastilhamento.doc?=) 
> 
> Is it down to the remote encoding that has caused this to happen ?
> 
> Regards,
> 
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
> 
> ----- Original Message -----
> From: "UxBoD" <uxbod at splatnix.net>
> To: mailscanner at lists.mailscanner.info
> Sent: Tuesday, October 23, 2007 1:38:08 PM (GMT) Europe/London
> Subject: Filename FP ?
> 
> Hi,
> 
> I am running the latest release of MS and noticed this morning that a file to one of our users got blocked with the following :-
> 
> MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (467-2007-Flexs.doc)
> 
> From what I can see the only thing that triggers this is in filename.rules.conf which has :-
> 
> deny   .{150,}                 Very long filename, possible OE attack                                          Very long filenames are good signs of attacks against Microsoft e-mail packages
> 
> Yet if I run the following against that filename :-
> 
> #!/usr/bin/perl
> 
> $x = "467-2007-Flexs.doc";
> if ($x =~ /.{150,}/ ) { print "YES"; }
> 
> It does not get triggered.  Any ideas ? I have looked at SweepOther.pm and nothing jumps out at me :(
> 
> Regards,
> 
That filename does look like it would trigger the filename check. The log 
usually shows the filename as mailscanner sees it.


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
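To see why the raw log filename and the short reported name behave differently, here is an added Python example (not MailScanner's code) that decodes the RFC 2047 encoded-word filename from the maillog line above and runs both the raw and the decoded form through the `.{150,}` pattern from filename.rules.conf. It assumes the check is applied to the undecoded header value, which is what the log line quoted in the thread suggests.

```python
import re
from email.header import decode_header

# The rule quoted from filename.rules.conf: a name of 150 or more characters
# is reported as "Very long filename, possible OE attack".
LONG_FILENAME_RULE = re.compile(r".{150,}")

# The attachment name as it appeared in the maillog, still in RFC 2047
# encoded-word form (three Q-encoded iso-8859-1 words). Constructed from the
# log line quoted in the thread; the "BCF9B7CF36C.A54BD" part id is left out.
ENCODED_FILENAME = (
    "=?iso-8859-1?Q?467-2007-Flexsys-Substitui=E7=E3o_de_L=E2mpadas=2C_Pusch_B?="
    "    =?iso-8859-1?Q?ottoun_e_Chave_de_2_Posi=E7=F5es_em_4_Pain=E9is_na_=E1rea_?="
    "     =?iso-8859-1?Q?do_Pastilhamento.doc?="
)

# The shortened name MailScanner put in the report it sent to the recipient.
REPORTED_FILENAME = "467-2007-Flexs.doc"


def decode_filename(raw: str) -> str:
    """Decode an RFC 2047 header value into the filename the sender meant.

    decode_header() returns (bytes, charset) chunks and drops the whitespace
    between adjacent encoded words; Q-decoding turns '_' back into a space
    and '=E7' back into the single byte 0xE7.
    """
    return "".join(
        chunk.decode(charset or "ascii") if isinstance(chunk, bytes) else chunk
        for chunk, charset in decode_header(raw)
    )


def matches_long_filename_rule(name: str) -> bool:
    """True if the .{150,} rule would fire on this exact string."""
    return LONG_FILENAME_RULE.search(name) is not None


def compare(raw: str) -> dict:
    """Lengths and rule results for the raw and the decoded form."""
    decoded = decode_filename(raw)
    return {"raw_length": len(raw), "raw_fires": matches_long_filename_rule(raw),
            "decoded_length": len(decoded),
            "decoded_fires": matches_long_filename_rule(decoded)}


if __name__ == "__main__":
    print(compare(ENCODED_FILENAME))
    print(decode_filename(ENCODED_FILENAME))
    print("reported name fires:", matches_long_filename_rule(REPORTED_FILENAME))
```

The raw encoded-word string is well over 150 characters and trips the rule, while the decoded name is around 120 characters and does not; the 18-character name in the report is the truncated form MailScanner shows the user, which is why the Perl one-liner in the original post never matched.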