Anti-Phishing / Spear-Phishing script IMPORTANT update

Mark Sapiro mark at msapiro.net
Mon Sep 21 18:42:50 IST 2009


Julian Field wrote:
>
>On 21/09/2009 16:18, Mark Sapiro wrote:
>> On Sun, Sep 20, 2009 at 09:44:25PM +0100, Jules Field wrote:
>>    
>>> I'm still intending to do a stable release of MailScanner on 1st
>>> October. So if there's anything important I need to know about the
>>> current version, please tell me in a reply to this message (to the list
>>> is fine, just I can then just check 1 thread).
>>>      
>>
>> There may be an issue with reporting of 'sanitized' file names with
>> multiple extensions. See the message at
>> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html
>>
>>    
>That doesn't match up with what I just tried as a test case using the 
>"MakeNameSafe" code.
>It worked exactly as I intended.


I don't think the issue is with MakeNameSafe, at least if I'm doing
the right thing. It appears that MakeNameSafe will take a name like
"Motion & Order.doc .doc" (with the leading file type character) and
make it into "MotionOrder.doc.doc" which is not what I'm seeing. Here
are a couple of log messages:

Sep 19 08:13:09 sbh16 MailScanner[18931]: Filename Checks: Found
possible filename hiding (5FCE86900C4.AD9A6 Motion & Order.doc   .doc)
Sep 19 08:13:09 sbh16 MailScanner[18931]: Saved entire message to
/var/spool/MailScanner/quarantine/20090919/5FCE86900C4.AD9A6
Sep 19 08:13:09 sbh16 MailScanner[18931]: Saved infected "Motion %%26
Order.doc" to
/var/spool/MailScanner/quarantine/20090919/5FCE86900C4.AD9A6

Here, the original attachment name was "Motion & Order.doc   .doc" and
the name saved in the quarantine and reported in the cleaned message
was "Motion %26 Order.doc" (the doubling of the % seems to have
occurred in syslog).

Something is changing '&' to '%26' and I am guessing that that is also
what drops the second ".doc"

>Note that it will vary its behaviour if you do 3 attachments in 1 
>message called similar names, as the resulting filenames have to be 
>unique in the "unpacking" directory.


That was not an issue in my tests. There was only one attachment.

Just as an experiment, I'm also attaching a file named "Motion &
Order.doc   .doc" to this message to see what happens (it's not a real
MS Word document).

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Motion & Order.doc   .doc
Type: application/msword
Size: 29 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090921/1516f4f8/MotionOrder.doc.doc

