CLSID in filenames
Peter Farrow
peter at farrows.org
Thu Mar 8 13:12:00 GMT 2012
I think this is a sender education issue.
P.
------------------
-----Original Message-----
From: Peter Bonivart <bonivart at opencsw.org>
Sender: mailscanner-bounces at lists.mailscanner.info
Date: Thu, 8 Mar 2012 13:48:48
To: MailScanner discussion<mailscanner at lists.mailscanner.info>
Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Subject: CLSID in filenames
I have some customers receiving files like this:
VENDET_83410_20120124_{396E4021-9322-4F70-9A2C-45ECD782B8A6}.pdf.
They trigger the default CLSID rule in filename.rules.conf:
# Deny filenames containing CLSID's
deny	\{[a-hA-H0-9-]{25,}\}	Filename trying to hide its real type	Files containing CLSID's are trying to hide their real type
I googled it and found this:
http://www.juniper.net/security/auto/vulnerabilities/vuln2612.html.
According to that it's only dangerous if the CLSID is at the end of
the filename, in the example above a normal extension comes after the
CLSID. Would it be recommended to change the rule to something like
this?
# Deny filenames containing CLSID's
deny	\{[a-hA-H0-9-]{25,}\}$	Filename trying to hide its real type	Files containing CLSID's are trying to hide their real type
/peter
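
The difference between the two rules quoted above, as an added example that is not part of the original thread or MailScanner's own code. It is a simplified Python model that assumes tab-separated rule fields, an unanchored regex search, and "allow" when no rule matches; all filenames except the first are constructed for the example.

```python
import re

# Log text and user report fields, copied from the rule in the thread.
TEXT = ("Filename trying to hide its real type\t"
        "Files containing CLSID's are trying to hide their real type")

# The two rule lines under discussion (fields assumed tab-separated).
DEFAULT_RULE = "deny\t\\{[a-hA-H0-9-]{25,}\\}\t" + TEXT
ANCHORED_RULE = "deny\t\\{[a-hA-H0-9-]{25,}\\}$\t" + TEXT

CLSID = "{396E4021-9322-4F70-9A2C-45ECD782B8A6}"
SAMPLES = [
    "VENDET_83410_20120124_" + CLSID + ".pdf",  # filename from the thread
    "report.txt." + CLSID,       # constructed: CLSID is the last component
    "report." + CLSID + ".PDF",  # constructed: CLSID in the middle
    "invoice_2012.pdf",          # constructed: no braces at all
    "notes_{draft}.txt",         # constructed: braces, but far too short
]


def parse_rule(line):
    """Split one rule line into (action, compiled regex)."""
    action, pattern = line.split("\t")[:2]
    return action, re.compile(pattern)


def check(rule_lines, filename):
    """Return the action of the first matching rule, else 'allow'."""
    for action, regex in map(parse_rule, rule_lines):
        if regex.search(filename):
            return action
    return "allow"


def compare(filenames):
    """(name, verdict under default rule, verdict under anchored rule)."""
    return [(n, check([DEFAULT_RULE], n), check([ANCHORED_RULE], n))
            for n in filenames]


def changed_by_anchor(filenames):
    """Names whose verdict flips when the rule is anchored with $."""
    return [n for n, before, after in compare(filenames) if before != after]


if __name__ == "__main__":
    for name, before, after in compare(SAMPLES):
        print(f"{before:5} -> {after:5}  {name}")
```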