filename checks = wrong filename report

Sylvain Phaneuf Sylvain.Phaneuf at imsu.ox.ac.uk
Wed Jul 9 10:03:48 IST 2008


Hi all,

I have been alerted by a user that we're blocking attachments that they feel should be allowed through. Basically we want to block attachments with multiple extensions, and this works as designed. However, sometimes the report generated by MailScanner appears to contain the wrong file name, which in this case clearly has a single, perfectly acceptable extension.

Our maillog shows this:
----------------------------
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Filename Checks:  (m648PtwN031886 CNU0701SF00084(Sent200807041022)2.mail.pdf)
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Other Checks: Found 1 problems
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Virus Scanning completed at 237901 bytes per second
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Saved entire message to /var/spool/MailScanner/quarantine/20080704/m648PtwN031886
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Saved infected "CNU0701SF00084.pdf" to  /var/spool/MailScanner/quarantine/20080704/m648PtwN031886
Jul  4 09:25:56 mailscn1 MailScanner[30927]: Cleaned: Delivered 1 cleaned messages
----------------------------

which is exactly what we want. 

The mime message shows this:
----------------------------
Content-Type: application/pdf;
        name="CNU0701SF00084(Sent200807041022)2.mail.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="CNU0701SF00084(Sent200807041022)2.mail.pdf"
----------------------------


But the user gets this in the report that is produced:
----------------------------
Warning: This message has had one or more attachments removed: CNU0701SF00084.pdf

The original e-mail attachment "CNU0701SF00084.pdf"
is on the list of unacceptable attachments and has been
replaced by this warning message by the IMSU MailScanner 
E-Mail Protection Service. 

On Fri Jul  4 09:25:55 2008 the virus scanner said:
   Found possible filename hiding (CNU0701SF00084.pdf)
----------------------------

So my question is why is there a discrepancy between the filename reported by MailScanner to the user and that in maillog?

I looked at the MailScanner archives and something similar was reported last November, but the issue could not be reproduced apparently.
-----
from	Rose, Bobby <brose at med.xxx>
date	Sat, Nov 10, 2007 at 3:37 PM
subject	Mailscanner filename check and report
-----

I could send you the message if it can help diagnose the problem. The pdf contains personal information, so it is not appropriate to post it here...

Regards,

Sylvain


Our system:

MailScanner -v
Running on
Linux mailscn1 2.6.16.21-0.13-smp #1 SMP Mon Jul 17 17:22:44 UTC 2006 i686 i686 i386 GNU/Linux
This is SUSE LINUX 10.1 (i586)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.70.6
Module versions are:
... 
removed
...  I will add this if you think it can help - I hate long messages...   (!!!)

-- 

============================================
Sylvain Phaneuf --- Systems Manager | phone : +44 (0)1865 221323
Information Management Services Unit - Medical Sciences Division 
Oxford University | email : sylvain.phaneuf at imsu.ox.ac.uk 
Room 3A25B John Radcliffe Hospital | fax : +44 (0) 1865 221322
Oxford, OX3 9DU,   UK
============================================ 
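
One way to check, against a saved copy of a quarantined message, which filenames the MIME parts actually declare and whether the name shown in the user report appears among them (an added example, not part of the original post and not MailScanner's own code). The sample message is constructed from the headers quoted above; the `MULTI_EXT` pattern and the function names are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Constructed sample: a minimal message carrying the MIME part headers quoted in the post.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: application/pdf;
        name="CNU0701SF00084(Sent200807041022)2.mail.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="CNU0701SF00084(Sent200807041022)2.mail.pdf"

JVBERi0xLjQK
--b1--
"""

# Assumption: an approximation of a "multiple extension" test, not MailScanner's own rule.
MULTI_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.I)

def declared_names(raw):
    """Return, for each part that names a file, the names from both MIME headers."""
    out = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        disp = part.get_param("filename", header="content-disposition")
        ctype = part.get_param("name")  # 'name' parameter of Content-Type
        names = {collapse_rfc2231_value(n) for n in (disp, ctype) if n}
        if names:
            out.append(sorted(names))
    return out

def audit(raw, reported):
    """Compare the name shown in a user report with what the message declares."""
    return [{
        "declared": names,
        "multi_ext": [n for n in names if MULTI_EXT.search(n)],
        "headers_disagree": len(names) > 1,   # name= and filename= differ
        "report_matches": reported in names,  # is the reported name in the message at all?
    } for names in declared_names(raw)]
```

Run `audit()` on the file saved under the quarantine directory with the name taken from the warning text; a result with `report_matches` false and `headers_disagree` false points at the reporting step rather than at conflicting MIME headers.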


