Why is this a hidden filename extension?

Mark Sapiro mark at msapiro.net
Sat Sep 19 17:05:54 IST 2009


On Fri, Sep 18, 2009 at 11:43:08AM -0600, Robert Lopez wrote:
> Report: MailScanner: Attempt to hide real filename extension (Motion
> %26 Order.doc)
>

I just did some tests, and it appears if the original filename is

  Motion & Order.doc .doc

with at least one space between the two '.doc's, it will (correctly)
match the "Attempt to hide real filename extension" rule, but
MailScanner will drop the spaces and the second .doc from the name.

This definitely has to do with the presence of the & in the name. Here
are a few test results:

    Actual name                  Reported name
    Motion & Order.doc .doc      Motion %26 Order.doc
    Motion&Order.doc .doc        Motion%26Order.d.doc
    Motion - Order.doc .doc      Motion - Order.doc .doc

So it appears that in your case, there actually was a double extension,
and that in the process of 'html escaping' the name, the second extension
was dropped. If the entire message is in the quarantine (Quarantine Whole
Message = yes), you can see the original file name there.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
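
Added example, not part of the original message and not MailScanner's code: a small check that reads attachment names from the stored message itself (as with a whole-message quarantine) and tests them for a double extension, instead of relying on the name shown in the report. The regular expression and the function names are assumptions written for this illustration, and the sample message is constructed from the test names above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed pattern for this example (not copied from MailScanner's rule file):
# a 2-4 character extension, optional whitespace, then a 3-character
# extension at the very end of the name.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{1,3}\s*\.[a-z0-9]{3}\s*$", re.I)


def is_double_ext(name):
    """True if the name ends in two extensions, optionally space-separated."""
    return bool(DOUBLE_EXT.search(name))


def build_sample(names):
    """Constructed test message carrying one tiny attachment per name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in names:
        msg.add_attachment(b"x", maintype="application",
                           subtype="msword", filename=name)
    return msg.as_bytes()


def audit(raw_bytes):
    """Return [(original_name, flagged)] for each attachment in the message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, is_double_ext(name)))
    return results


if __name__ == "__main__":
    actual = ["Motion & Order.doc .doc", "Motion&Order.doc .doc",
              "Motion - Order.doc .doc", "Motion & Order.doc"]
    for name, flagged in audit(build_sample(actual)):
        # repr() keeps embedded spaces and the second extension visible
        print(f"{name!r:32} double extension: {flagged}")
    # The names as they appeared in the reports no longer match the pattern
    for reported in ["Motion %26 Order.doc", "Motion%26Order.d.doc"]:
        print(f"{reported!r:32} double extension: {is_double_ext(reported)}")
```
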

