[esd-l] RE: Inline attachments.

John D. Hardin jhardin at impsec.org
Tue Jan 31 12:15:11 PST 2006


On Tue, 31 Jan 2006, Smart, Dan wrote:

> So something upstream is mangling the attachments?

Unless you have modified your copy of the sanitizer, that's the most
likely explanation.

The sanitizer mangles filenames in the MANGLE_EXTENSIONS list by
inserting {random number}DEFANGED- into the existing extension.

It also protects against certain filename attacks:

It decodes encoded plain characters.

It drops trailing whitespace and periods.

It shortens excessively long filenames (> 128 characters), first by
collapsing runs of whitespace, then by chopping chunks out of the
middle until the filename is < 120 characters long.

None of these operations would result in a change like
MARKETING_MUMBO_JUMBO.PPT -> ATT12434.DAT

> You think MessageLabs could be doing it when it Virus Scans
> attachments (if you care to venture a guess)?

Maybe. The MessageLabs support page would be the next logical place to
look. I'm sure that this is a FAQ if they are.

> Our CIO is the one getting mangled attachments, so it's one of
> those drop everything type events.

Eep. That's always how it goes, innit?

MessageLabs probably has whitelist capabilities. Try temporarily
whitelisting that sender at MessageLabs and see if the problem stops.

Check the sanitizer logs - it should be logging each attachment
filename that it sees. If you see it logging those filenames, they are
coming in that way on the original message.

> > -----Original Message-----
> > From: John D. Hardin [mailto:jhardin at impsec.org] 
> > Sent: Tuesday, January 31, 2006 12:41 PM
> 
> > The sanitizer would not be the cause. The filename mangling 
> > does not lose any of the original filename information, it 
> > only adds to it.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
 12 days until Abraham Lincoln's 197th Birthday
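
Added example, not part of the original message and not the sanitizer's own code: a triage check that tests whether an observed attachment name could have come from the filename transformations listed above. The exact marker placement, the no-filler truncation and all function names are assumptions, and the character-decoding step is not modelled.

```python
import re

# Assumed marker placement, from the post: ".ext" becomes ".{random number}DEFANGED-ext".
DEFANGED = re.compile(r"\.\d+DEFANGED-([^.]+)$")

def undo_mangle(name):
    """Strip a DEFANGED marker from the extension, if one is present."""
    return DEFANGED.sub(r".\1", name)

def is_subsequence(short, full):
    """True if `short` can be made by deleting characters from `full`."""
    it = iter(full)
    return all(ch in it for ch in short)

def consistent_with_sanitizer(original, observed):
    """Could `observed` result from the transformations listed in the post?"""
    expected = original.rstrip(" \t.")         # trailing whitespace and periods dropped
    candidate = undo_mangle(observed)
    if candidate == expected:
        return True
    if len(expected) <= 128:                   # only over-long names are shortened
        return False
    collapsed = re.sub(r"\s+", " ", expected)  # step 1: collapse whitespace runs
    if candidate == collapsed:
        return True
    # Step 2 (assumption: chunks are cut from the middle with no filler text,
    # so the start and the extension survive and the result is < 120 chars).
    return (len(candidate) < 120
            and candidate[:1] == collapsed[:1]
            and candidate.rsplit(".", 1)[-1] == collapsed.rsplit(".", 1)[-1]
            and is_subsequence(candidate, collapsed))

# Constructed sample pairs (original name, name seen by the recipient).
SAMPLES = [
    ("invoice.exe", "invoice.12345DEFANGED-exe"),
    ("report.doc. . ", "report.doc"),
    ("MARKETING_MUMBO_JUMBO.PPT", "ATT12434.DAT"),   # the pair from the post
]

if __name__ == "__main__":
    for orig, seen in SAMPLES:
        print(f"{orig!r} -> {seen!r}: {consistent_with_sanitizer(orig, seen)}")
```

A pair that comes back False points at a different hop in the delivery path, which is the same conclusion the sanitizer's per-attachment log lines would confirm.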



