Very long filenames
Mark Nienberg
lists at tippingmar.com
Fri Mar 12 23:38:40 GMT 2010
This is in filename.rules.conf
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny	.{150,}	Very long filename, possible OE attack	Very long filenames are good signs of attacks against Microsoft e-mail packages
And I got this postmaster report regarding an incoming message:
The following e-mails were found to have: Bad Filename Detected
Sender:notreally at some.com
IP Address: 33.117.222.88
Recipient: tome at something.com
Subject: The Subject was here
MessageID: o2CJ0b7T008444
Quarantine: /var/spool/MailScanner/quarantine/20100312/o2CJ0b7T008444
Report: MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (PA - 231 N. La.pdf)
And in the quarantine I see this:
[root at tesla o2CJ0b7T008444]# ll
total 5.5M
-rw------- 1 root root 4.8M Mar 12 11:00 dfo2CJ0b7T008444
-rw------- 1 root root 680k Mar 12 11:00 PA - 231 N. La.pdf
-rw------- 1 root root 2.1k Mar 12 11:00 qfo2CJ0b7T008444
So my question is why the message was quarantined when the attachment filename is only 18 characters long?
Thanks,
Mark Nienberg
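
A diagnostic for the situation described above, as an added example that is not part of the original post and is not MailScanner code: it lists every attachment filename declared in a message's MIME headers, with its length and whether the posted .{150,} rule matches, so the result can be compared with the name shown in the postmaster report. Assumptions: the rule's fields are action, regex and log text in that order; the check is applied to the decoded MIME filename; Python's re stands in for MailScanner's own regex handling; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Rule copied from the post. Field order (action, regex, log text) is an assumption.
RULE = ("deny", r".{150,}", "Very long filename, possible OE attack")


def build_sample():
    """Constructed message with one short and one very long attachment name."""
    names = ("PA - 231 N. La.pdf", "A" * 160 + ".pdf")
    parts = "".join(
        "--BOUND\n"
        "Content-Type: application/pdf\n"
        f'Content-Disposition: attachment; filename="{name}"\n'
        "\n"
        "data\n"
        for name in names
    )
    return (
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n'
        "\n" + parts + "--BOUND--\n"
    )


def check_attachments(raw, rule=RULE):
    """Return (filename, length, action-or-None) for each named MIME part."""
    action, pattern, _log_text = rule
    regex = re.compile(pattern)
    results = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # decoded filename parameter, if any
        if name is None:
            continue  # containers and unnamed parts carry no filename
        matched = regex.search(name) is not None
        results.append((name, len(name), action if matched else None))
    return results


if __name__ == "__main__":
    for name, length, verdict in check_attachments(build_sample()):
        shown = name if length <= 40 else name[:37] + "..."
        print(f"{length:4d}  {verdict or 'no match':8s}  {shown}")
```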