Why is this a hidden filename extension?

Robert Lopez rlopezcnm at gmail.com
Fri Sep 18 21:43:12 IST 2009


On Fri, Sep 18, 2009 at 11:51 AM, Scott Silva <ssilva at sgvwater.com> wrote:
> on 9-18-2009 10:43 AM Robert Lopez spake the following:
>> Report: MailScanner: Attempt to hide real filename extension (Motion
>> %26 Order.doc)
>>
>> The above was a file name used by a college attorney and the email
>> was blocked.
>> So it is a hot issue at the moment.
>>
>> The file command returns
>>
>> Microsoft Office Document Microsoft Word Document
>>
>> for the magic type so the content appears to match the extension.
>>
>>
>> I only see two deny rules in filename.rules.conf that seem to be
>> focused on filetype v extension:
>>
>> # Deny filenames containing CLSID's
>> deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type    Files containing CLSID's are trying to hide their real type
>>
>> # Deny all other double file extensions. This catches any hidden filenames.
>> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding    Attempt to hide real filename extension
>>
>> and there is also the white space rule
>>
>> # Deny filenames with lots of contiguous white space in them.
>> deny    \s{10,}         Filename contains lots of white space    A long gap in a name is often used to hide part of it
>>
>> but this filename does not match any of them to my understanding.
>>
>> What rule might have been matched?
>>
> The report has sanitized filenames. That might not be the full filename. You
> need to look at the original message.

In this case the report and the quarantine file use exactly the same filename.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
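
The check discussed in this thread, as an added example that is not part of the original messages or MailScanner's own code: it runs the three quoted deny patterns over the reported filename and over its percent-decoded form, and returns which rule (if any) hits and on what substring. Case-insensitive matching, first-match-wins ordering, and the constructed sample names are assumptions.

```python
import re
from urllib.parse import unquote

# The three deny patterns quoted in the post, in the order quoted,
# each paired with its log text.
RULES = [
    (r"\{[a-hA-H0-9-]{25,}\}", "Filename trying to hide its real type"),
    (r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding"),
    (r"\s{10,}", "Filename contains lots of white space"),
]


def first_match(filename):
    """Return (log_text, matched_substring) for the first rule that hits, else None.

    Assumption: rules are applied case-insensitively and the first hit wins.
    """
    for pattern, log_text in RULES:
        m = re.search(pattern, filename, re.IGNORECASE)
        if m:
            return log_text, m.group(0)
    return None


def check_variants(filename):
    """Test the name as reported and with %XX escapes decoded (e.g. %26 -> &)."""
    variants = {"as reported": filename, "percent-decoded": unquote(filename)}
    return {label: first_match(name) for label, name in variants.items()}


if __name__ == "__main__":
    # Filename from the report in the post.
    print(check_variants("Motion %26 Order.doc"))

    # Constructed names, one per rule, to confirm each pattern fires.
    constructed = [
        "setup.txt.{00000000-0000-0000-0000-000000000000}",
        "invoice.pdf.exe",
        "notes" + " " * 12 + "final.txt",
    ]
    for name in constructed:
        print(repr(name), "->", first_match(name))
```

To test a name taken from the quarantine directory or the raw message headers instead of the report, pass that exact string to `check_variants`.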

