filename rules

Jan Agermose ja at conviator.com
Tue May 5 16:08:48 IST 2009


Jan Agermose wrote:
>
> hi
>
> we see a few messages like this:
>
> The virus detector said this about the message:
> Report: Report: MailScanner: Attempt to hide real filename extension
> (invoice 657 L%F8.pdf)
>
> because people are using the Danish chars æøå in the filenames - I'm
> guessing other languages have the same issues when people are
> attaching documents that are using special chars not in
>
> \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$
>
> I would like to say "yeah but it's simply not allowed in the mail
> standard" - but I'm not even sure if it's true or if it's just an old
> rule not updated now that it's 2009 and unicode or whatever.
>
> I don't actually see how it would hit this rule as there is only one \.
> in the filename and the rule seems to need two \. to hit... But I don't
> find any other rules having the response "Attempt to hide real
> filename extension".
>
Jan,

I doubt this is the rule that matched (unless the filename you provided 
isn't complete because it was sanitized).  You are right about the 2 \. 
This rule wants to deny files such as filename.pdf.exe.  I disabled this 
rule a long while ago. I have never permitted EXE|COM|REG|BAT and many 
other dangerous file extensions anyways.

Maybe the filetype rules got involved instead?

Denis

Hi

I was looking at the mail "on disk" and found what might be the real reason why it actually is this rule. Just strange that even MailWatch shows the name of the attachment differently than what it seems to really be. Part of the mail dump looks like this, and this clearly has ".xls.pdf", which would be stopped by the rule. I'm just thinking whether this rule will actually help anything or just make too much trouble so it should be removed... there are other rules that will take care of .exe and so on and also based on application type - that must be secure, or?

--Apple-Mail-6--942219872
Content-Disposition: inline;
        filename*=ISO-8859-1''invoice%20657%20L%F8bekompagniet.xls.pdf
Content-Type: application/pdf;
        x-unix-mode=0644;
        name="=?ISO-8859-1?Q?invoice_657_L=F8bekompagniet.xls.pdf?="
Content-Transfer-Encoding: base64
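
The header dump above carries the attachment name twice, once as an RFC 2231 `filename*` parameter and once as an RFC 2047 encoded-word in `name`. The following is an added example, not part of the original post and not MailScanner code: it decodes both forms with the Python standard library and applies the rule pattern quoted in the thread, to show that the truncated name from the report does not match while the full decoded name does. The function names are hypothetical.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

# Rule pattern exactly as quoted in the thread.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$")

# MIME part headers as posted in the thread (body omitted).
PART = (
    "Content-Disposition: inline;\n"
    "        filename*=ISO-8859-1''invoice%20657%20L%F8bekompagniet.xls.pdf\n"
    "Content-Type: application/pdf;\n"
    "        x-unix-mode=0644;\n"
    '        name="=?ISO-8859-1?Q?invoice_657_L=F8bekompagniet.xls.pdf?="\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
)


def attachment_names(raw_part):
    """Return the decoded attachment name found in each header of a MIME part."""
    msg = message_from_string(raw_part)
    names = {}
    # RFC 2231 form (charset''percent-encoded) is returned as a 3-tuple.
    disp = msg.get_param("filename", header="content-disposition")
    if disp is not None:
        names["Content-Disposition"] = collapse_rfc2231_value(disp)
    # The Content-Type name parameter here holds an RFC 2047 encoded-word.
    ctype = msg.get_param("name", header="content-type")
    if ctype is not None:
        ctype = collapse_rfc2231_value(ctype)
        names["Content-Type"] = str(make_header(decode_header(ctype)))
    return names


def rule_hits(filename):
    """True if the double-extension pattern matches the given filename."""
    return DOUBLE_EXT.search(filename) is not None


if __name__ == "__main__":
    # Name as shown in the report, then the names decoded from the headers.
    for name in ["invoice 657 L%F8.pdf", *attachment_names(PART).values()]:
        print(f"{name!r}: rule hits = {rule_hits(name)}")
```
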
