Blocking custom file extension is not working
Mark Sapiro
mark at msapiro.net
Sat Feb 6 04:39:49 UTC 2016
On 02/05/2016 01:56 AM, Pieter Goris wrote:
>
> .dll are being blocked from any source but 1,
> http://www.emailsecuritycheck.net/index.html
Just for curiousity, I ran the
http://www.emailsecuritycheck.net/index.html tests to see what the mail
looks like. Several of the messages disguise the filename in various
ways. I found things such as
name*0*="''attached%2E";
name*1*="%62";
name*2=at
This is an RFC2231 encoded parameter and decodes to
name=attached.bat
The fact that MailScanner doesn't recognize this encoded name as *.bat
can be considered a MailScanner bug.
"name"=attached.bat
This is not compliant with RFC 2047. Parameter name are not allowed to
have quotes. Thus this should not be recognized as a name parameter.
name=attached\
.bat
This was part of a Content-Type: header (and Content-Disposition: had a
similar filename= parameter)
The fact that the .bat part does not begin with white space means that
it is not a 'continuation' but is the start of a new header. The '\' is
meaningless in this context and the name is simply 'attached\'.
Based on these results, it is my opinion that this site is sending
bogus, non-compliant messages and telling you that if your scanner
doesn't stop them, you should buy theirs.
This does point out one issue in that MailScanner should recognize the
RFC 2231 encoded name and apparently doesn't, but the rest of it is
non-compliant ways of making things that look like bad names but in fact
are not valid names at all.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the MailScanner
mailing list