filename checks = wrong filename report

Sylvain Phaneuf Sylvain.Phaneuf at imsu.ox.ac.uk
Mon Jul 14 11:43:13 IST 2008
>>> On 11/07/2008 at 14:37, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
> 
> Sorry, but this is a *very* bad idea, and I'm not going to write it.
> 
> I only ever put sanitised versions of filenames in any output produced 
> by MailScanner. Otherwise some bright spark will work out how to do what 
> I describe above. MailScanner has a very good reputation in the software 
> security world, and I intend to keep it. :-)

Sorry Julian, I would never suggest making MailScanner less secure. I understand what you are trying to do and I am 100% with you.

It is just the reporting text that is a "problem". I am going to modify the text as suggested by the others, but I would prefer not needing to say: "filename shown may not be the original one". The uncertainty increases confusion, etc...

As pointed out by shuttlebox, "it's a separate test in the filename rules and they all cause the same report". Could the tests use different reports? But again, this may be too painful to implement considering the small benefit (unconfused users).

Anyway, this is not a criticism of your decisions! I am only trying to be constructive.

Regards,

Sylvain 
