Very long filenames

Mark Nienberg lists at tippingmar.com
Fri Mar 12 23:38:40 GMT 2010


This is in filename.rules.conf

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny    .{150,}                 Very long filename, possible OE attack                         Very long filenames are good signs of attacks against Microsoft e-mail packages



And I got this postmaster report regarding an incoming message:

The following e-mails were found to have: Bad Filename Detected

    Sender: notreally at some.com
IP Address: 33.117.222.88
 Recipient: tome at something.com
   Subject: The Subject was here
 MessageID: o2CJ0b7T008444
Quarantine: /var/spool/MailScanner/quarantine/20100312/o2CJ0b7T008444
    Report: MailScanner: Very long filenames are good signs of attacks against Microsoft e-mail packages (PA - 231 N. La.pdf)



And in the quarantine I see this:

[root at tesla o2CJ0b7T008444]# ll
total 5.5M
-rw------- 1 root root 4.8M Mar 12 11:00 dfo2CJ0b7T008444
-rw------- 1 root root 680k Mar 12 11:00 PA - 231 N. La.pdf
-rw------- 1 root root 2.1k Mar 12 11:00 qfo2CJ0b7T008444


So my question is why the message was quarantined when the attachment filename is only 18 characters long?

Thanks,

Mark Nienberg
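
A diagnostic for the question above, as an added example that is not part of the original post and is not MailScanner's own code: it applies the quoted rule to the attachment filenames declared in a message's MIME headers, so their lengths can be compared with the name stored in quarantine. The sample message, `LONG_NAME` and the function names are constructed for illustration; TAB-separated rule fields and case-insensitive matching are assumptions about the rules file.

```python
import re
from email import message_from_bytes, policy

# Rule quoted in the post; fields are assumed to be TAB-separated in the rules file.
RULE_LINE = ("deny\t.{150,}\tVery long filename, possible OE attack\t"
             "Very long filenames are good signs of attacks against "
             "Microsoft e-mail packages")

def parse_rule(line):
    """Split a rule line into (action, compiled regex, log text, report text)."""
    action, pattern, log_text, report = re.split(r"\t+", line.strip(), maxsplit=3)
    # Case-insensitive matching is an assumption; it does not affect this rule.
    return action, re.compile(pattern, re.IGNORECASE), log_text, report

def declared_filenames(raw):
    """Return attachment filenames as declared in the MIME headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n]

def check(raw, rule_line=RULE_LINE):
    """List (filename, length, verdict) for every declared attachment name."""
    action, rx, _log, _report = parse_rule(rule_line)
    return [(n, len(n), action if rx.search(n) else "pass")
            for n in declared_filenames(raw)]

LONG_NAME = "A" * 160 + ".pdf"  # constructed 164-character name
# Constructed sample message: one short and one very long declared filename.
SAMPLE = "\r\n".join([
    "From: sender@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="PA - 231 N. La.pdf"',
    "",
    "x",
    "--b1",
    "Content-Type: application/octet-stream",
    f'Content-Disposition: attachment; filename="{LONG_NAME}"',
    "",
    "x",
    "--b1--",
    "",
]).encode()

if __name__ == "__main__":
    for name, length, verdict in check(SAMPLE):
        print(f"{verdict:5} {length:4} {name[:40]}")
```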



