Why is this a hidden filename extension?

Robert Lopez rlopezcnm at gmail.com
Fri Sep 18 18:43:08 IST 2009

Report: MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc)

The above was a file name used by a college attorney, and the email
was blocked.
So it is a hot issue at the moment.

The file command returns

Microsoft Office Document Microsoft Word Document

for the magic type so the content appears to match the extension.

I only see two deny rules in filename.rules.conf that seem to be
focused on filetype v extension:

# Deny filenames containing CLSID's
deny    \{[a-hA-H0-9-]{25,}\}    Filename trying to hide its real type    Files containing CLSID's are trying to hide their real type

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$    Found possible filename hiding    Attempt to hide real filename

and there is also the white space rule

# Deny filenames with lots of contiguous white space in them.
deny    \s{10,}    Filename contains lots of white space    A long gap in a name is often used to hide part of it

but this filename does not match any of them to my understanding.

What rule might have been matched?

Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
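
Added example, not part of the original post and not MailScanner's own code: a small harness that runs the reported filename through the three rules quoted above and returns the first one that matches. It assumes TAB-separated rule fields and unanchored, case-insensitive matching, covers only the rules quoted in the post, and every sample name other than the reported one is constructed.

```python
import re

# The three rule lines quoted in the post, rebuilt with TAB-separated fields
# (assumption: fields are action, regex, log text, user report text).
RULES_TEXT = "\n".join([
    "# Deny filenames containing CLSID's",
    "\t".join(["deny", r"\{[a-hA-H0-9-]{25,}\}",
               "Filename trying to hide its real type",
               "Files containing CLSID's are trying to hide their real type"]),
    "# Deny all other double file extensions.",
    "\t".join(["deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
               "Found possible filename hiding",
               "Attempt to hide real filename"]),
    "# Deny filenames with lots of contiguous white space in them.",
    "\t".join(["deny", r"\s{10,}",
               "Filename contains lots of white space",
               "A long gap in a name is often used to hide part of it"]),
])

def parse_rules(text):
    """Yield (action, compiled regex, log text) for each non-comment rule line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, pattern, log_text = re.split(r"\t+", line.strip())[:3]
        # Assumption: rules are applied as unanchored, case-insensitive searches.
        yield action, re.compile(pattern, re.IGNORECASE), log_text

def first_match(filename, rules_text=RULES_TEXT):
    """Return (action, log text) of the first rule that matches, or None."""
    for action, regex, log_text in parse_rules(rules_text):
        if regex.search(filename):
            return action, log_text
    return None

if __name__ == "__main__":
    samples = [
        "Motion %26 Order.doc",                      # name from the report
        "Motion & Order.doc",                        # same name with %26 decoded
        "invoice.pdf.exe",                           # constructed
        "notes" + " " * 12 + ".txt",                 # constructed
        "folder.{0a1b2c3d-0000-0000-0000-000000000000}",  # constructed
    ]
    for name in samples:
        print(repr(name), "->", first_match(name))
```

A `None` result for a blocked name means the match came from a rule or ruleset other than the ones pasted into the harness.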
