Blocking custom file extension is not working

Mark Sapiro mark at msapiro.net
Sat Feb 6 04:39:49 UTC 2016


On 02/05/2016 01:56 AM, Pieter Goris wrote:
> 
> .dll are being blocked from any source but 1,
> http://www.emailsecuritycheck.net/index.html


Just for curiosity, I ran the
http://www.emailsecuritycheck.net/index.html tests to see what the mail
looks like. Several of the messages disguise the filename in various
ways. I found things such as


 name*0*="''attached%2E";
 name*1*="%62";
 name*2=at

This is an RFC2231 encoded parameter and decodes to

name=attached.bat

The fact that MailScanner doesn't recognize this encoded name as *.bat
can be considered a MailScanner bug.

 "name"=attached.bat

This is not compliant with RFC 2047. Parameter names are not allowed to
have quotes. Thus this should not be recognized as a name parameter.

 name=attached\
.bat

This was part of a Content-Type: header (and Content-Disposition: had a
similar filename= parameter)

The fact that the .bat part does not begin with white space means that
it is not a 'continuation' but is the start of a new header. The '\' is
meaningless in this context and the name is simply 'attached\'.

Based on these results, it is my opinion that this site is sending
bogus, non-compliant messages and telling you that if your scanner
doesn't stop them, you should buy theirs.

This does point out one issue in that MailScanner should recognize the
RFC 2231 encoded name and apparently doesn't, but the rest of it is
non-compliant ways of making things that look like bad names but in fact
are not valid names at all.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
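
An added example, not part of the original post and not MailScanner code: a minimal Python decoder that reassembles RFC 2231 parameter sections like the ones quoted above before an extension check, and skips a quoted attribute such as "name". The function names, the deny list and the one-line sample are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical deny list for this example; not MailScanner's own rule set.
BLOCKED_EXTENSIONS = (".bat", ".dll")

# attribute, optional *N section number, optional trailing * (percent-encoded).
# A quoted attribute such as "name" is not a valid token and does not match.
_ATTR = re.compile(r"^(?P<name>[A-Za-z0-9!#$&+.^_|~-]+)(?:\*(?P<num>\d+))?(?P<ext>\*)?$")

# Constructed sample: the three parameters quoted in the post, on one line.
SAMPLE = "name*0*=\"''attached%2E\"; name*1*=\"%62\"; name*2=at"


def decode_params(param_text):
    """Decode a ';'-separated parameter list, reassembling RFC 2231 sections.

    Simplification: assumes no ';' occurs inside a quoted value.
    """
    decoded, sections = {}, {}
    for item in param_text.split(";"):
        raw_name, sep, value = item.partition("=")
        match = _ATTR.match(raw_name.strip().lower())
        if not sep or not match:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        name, num, ext = match.group("name", "num", "ext")
        if num is None and not ext:
            decoded[name] = value
        else:
            sections.setdefault(name, []).append((int(num or 0), bool(ext), value))
    for name, parts in sections.items():
        charset, chunks = "us-ascii", []
        for num, extended, value in sorted(parts):
            if extended and num == 0 and value.count("'") >= 2:
                # First extended section carries charset'language'value.
                declared, _lang, value = value.split("'", 2)
                charset = declared or charset
            chunks.append(unquote_to_bytes(value) if extended
                          else value.encode("latin-1", "replace"))
        try:
            decoded[name] = b"".join(chunks).decode(charset, "replace")
        except LookupError:  # unknown charset label
            decoded[name] = b"".join(chunks).decode("latin-1")
    return decoded


def is_blocked(param_text):
    """True if the decoded name/filename ends in a blocked extension."""
    params = decode_params(param_text)
    names = [params.get("name", ""), params.get("filename", "")]
    return any(n.lower().endswith(BLOCKED_EXTENSIONS) for n in names)
```

A filter that matches extensions against the raw header text sees only `name*0*`, `name*1*` and `name*2`; matching on the value returned by `decode_params` sees `attached.bat`.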

