Why is this a hidden filename extension?

Scott Silva ssilva at sgvwater.com
Fri Sep 18 18:51:47 IST 2009


on 9-18-2009 10:43 AM Robert Lopez spake the following:
> Report: MailScanner: Attempt to hide real filename extension (Motion
> %26 Order.doc)
> 
> The above was a file name used by a college attorney and the email
> was blocked.
> So it is a hot issue at the moment.
> 
> The file command returns
> 
> Microsoft Office Document Microsoft Word Document
> 
> for the magic type so the content appears to match the extension.
> 
> 
> I only see two deny rules in filename.rules.conf that seem to be
> focused on filetype v extension:
> 
> # Deny filenames containing CLSID's
> deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type   Files containing CLSID's are trying to hide their real type
> 
> # Deny all other double file extensions. This catches any hidden filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension
> 
> and there is also the white space rule
> 
> # Deny filenames with lots of contiguous white space in them.
> deny    \s{10,}         Filename contains lots of white space   A long gap in a name is often used to hide part of it
> 
> but this filename does not match any of them to my understanding.
> 
> What rule might have been matched?
> 
The report has sanitized filenames. That might not be the full filename. You
need to look at the original message.
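As an added illustration, not part of the thread, here are the three quoted deny rules turned into Python regexes and run over the reported name (in both its sanitized and URL-decoded form) and a few constructed filenames. It assumes MailScanner applies these patterns case-insensitively; the sample names other than the reported one are made up.

```python
import re
from urllib.parse import unquote

# The three "deny" patterns quoted from filename.rules.conf in the thread,
# paired with their log text. In the real file each rule is one line:
# action <tab> regex <tab> log text <tab> text reported to the user.
RULES = [
    (r"\{[a-hA-H0-9-]{25,}\}", "Filename trying to hide its real type"),
    (r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding"),
    (r"\s{10,}", "Filename contains lots of white space"),
]


def matching_rules(filename, ignore_case=True):
    """Return the log text of every deny rule that the filename matches.

    Case-insensitive matching is an assumption about how MailScanner applies
    these patterns; flip ignore_case if your version behaves differently.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return [label for pattern, label in RULES if re.search(pattern, filename, flags)]


def check_reported_name(reported):
    """Test the name as it appears in the report and its URL-decoded form
    (the report shows %26, which decodes to '&')."""
    decoded = unquote(reported)
    return {reported: matching_rules(reported), decoded: matching_rules(decoded)}


# Sample filenames: the one from the report plus constructed names, each with
# the rules it is expected to trigger.
SAMPLES = [
    ("Motion %26 Order.doc", []),
    ("invoice.doc.exe", ["Found possible filename hiding"]),
    ("notes.txt" + " " * 14 + ".scr",
     ["Found possible filename hiding", "Filename contains lots of white space"]),
    ("setup.{0123abcd-4567-89ef-0123-456789abcdef}",
     ["Filename trying to hide its real type"]),
]

if __name__ == "__main__":
    for name, expected in SAMPLES:
        hits = matching_rules(name)
        status = "ok " if hits == expected else "BAD"
        print(f"{status} {name!r}: {hits or 'no rule matched'}")
```

Because neither form of the reported name matches any of the three rules, the block supports the reply: the name that was actually scanned must differ from the sanitized one in the report.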
