[Mimedefang] Erroneous bad-filename detection in mimedefang-filter

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Sat Sep 13 04:30:01 EDT 2003


I forwarded the E-mail message shown below from my home PC
to my mailbox at work, but the message/rfc822 part
unfortunately got stripped away by MimeDefang.

The server logged this as:

Sep 13 10:00:31 servfys mimedefang.pl[14427]: MDLOG,h8D80VFj018656,
bad_filename,Rejected sshd network connection from host
server2.gimnet.com (212.131.211.131),message/rfc822,
<ole.h.nielsen at fysik.dtu.dk>,<ole.h.nielsen at fysik.dtu.dk>,
[Fwd: Rejected sshd network connection from host
server2.gimnet.com (212.131.211.131)]

It seems that this happens in mimedefang-filter in
filter_multipart().  My filter_bad_filename() does
strip dangerous MS-Windows extensions, but why does
it think that the filename "Rejected sshd network connection from host
server2.gimnet.com (212.131.211.131)" is a dangerous filename?
It would seem that the regular expression matching in
filter_bad_filename() is at play here, but I can't figure it out.

I've tried to forward other E-mail messages and they pass
through without problems.  There's something about this
particular message that makes mimedefang-filter erroneously
decide that it has a bad filename.  Can anyone suggest
a fix to this?

Ole Holm Nielsen
Department of Physics
Technical University of Denmark


Copy of the message from Mozilla's Sent folder:
-----------------------------------------------

Content-Type: multipart/mixed;
  boundary="------------060805040306010209010206"

This is a multi-part message in MIME format.
--------------060805040306010209010206
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



--------------060805040306010209010206
Content-Type: message/rfc822;
  name="Rejected sshd network connection from host server2.gimnet.com 
(212.131.211.131)"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
  filename="Rejected sshd network connection from host 
server2.gimnet.com (212.131.211.131)"

Return-Path: <root at servfys.fysik.dtu.dk>
Received: from serv309.fysik.dtu.dk (serv309.fysik.dtu.dk [130.225.87.2])
	by servfys.fysik.dtu.dk 
(8.12.8/8.12.8/NJABL+ORDB+Spamhaus+SpamCop+access) with ESMTP id 
h8D6bRFj018109
	for <ohnielse at fysik.dtu.dk>; Sat, 13 Sep 2003 08:37:27 +0200
From: root <root at servfys.fysik.dtu.dk>
Received: (from root at localhost)
	by serv309.fysik.dtu.dk (8.11.6/8.11.2) id h8D6bQG07571
	for ohnielse at fysik.dtu.dk; Sat, 13 Sep 2003 08:37:26 +0200
Date: Sat, 13 Sep 2003 08:37:26 +0200
Message-Id: <200309130637.h8D6bQG07571 at serv309.fysik.dtu.dk>
To: ohnielse at fysik.dtu.dk
Subject: Rejected sshd network connection from host server2.gimnet.com 
(212.131.211.131)
X-Scanned-By: CanIt (www . canit . ca)

Security notice from host serv309.fysik.dtu.dk


--------------060805040306010209010206--

FYI, this was a security alert: 212.131.211.131 is a hacked Windows
server attacking our network.
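A way to narrow this kind of false positive down is to run the bad-extension regex offline against every string the filter could plausibly be seeing, rather than only the name that ends up in the MDLOG line. The script below is an added example, not code from the original post or from MIMEDefang itself: the extension list and the trailing `\.*$` anchor are an approximation of the stock filter_bad_filename() pattern, the Content-Disposition header is a constructed copy of the one in the forwarded message (folded inside the quoted filename, with a leading space on the continuation line), and the "first line only" parser is a hypothesis about what a header parser that mishandles folded quoted strings would return. Whether that hypothesis is the actual cause here is not established by the thread; the point is that the regex only fires on the truncated name, because it ends in ".com", while the fully unfolded name does not match.

```python
import re

# Dangerous-extension list in the style of filter_bad_filename() in the stock
# mimedefang-filter. ASSUMPTION: an approximation for illustration, not the
# project's own list.
BAD_EXTS = (
    r"(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|"
    r"hto|inf|ini|ins|isp|js|jse|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|"
    r"reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wms|wsc|wsf|wsh|\{[^}]+\})"
)
# The check only fires when a listed extension is the LAST dotted component
# (optionally followed by trailing dots), matched case-insensitively.
BAD_FILENAME_RE = re.compile(r"\." + BAD_EXTS + r"\.*$", re.IGNORECASE)

# Constructed copy of the Content-Disposition header from the forwarded
# message, folded inside the quoted filename as the mail client wrote it.
RAW_HEADER = (
    "Content-Disposition: inline;\n"
    '  filename="Rejected sshd network connection from host server2.gimnet.com \n'
    ' (212.131.211.131)"\n'
)


def is_bad_filename(name):
    """True if the name ends in one of the listed extensions."""
    return BAD_FILENAME_RE.search(name) is not None


def filename_unfolded(raw_header):
    """RFC 2822 unfolding: drop each line break that precedes whitespace,
    then read the whole quoted filename value."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", raw_header)
    m = re.search(r'filename="([^"]*)"', unfolded, re.IGNORECASE)
    return m.group(1) if m else None


def filename_first_line_only(raw_header):
    """HYPOTHETICAL failure mode: a parser that stops the quoted value at the
    first line break instead of unfolding, so the filename is truncated at
    the fold (here right after 'gimnet.com')."""
    m = re.search(r'filename="([^"\n]*)', raw_header, re.IGNORECASE)
    return m.group(1).rstrip() if m else None


def classify(names):
    """Run the regex over every candidate string and report the verdicts."""
    return {name: is_bad_filename(name) for name in names}


if __name__ == "__main__":
    candidates = [
        filename_unfolded(RAW_HEADER),
        filename_first_line_only(RAW_HEADER),
        "report.pdf.exe",   # constructed: classic double extension
        "notes.txt",        # constructed: harmless
    ]
    for name, bad in classify(candidates).items():
        print("%-8s %r" % ("BAD" if bad else "ok", name))
```

Running it prints "ok" for the fully unfolded name and "BAD" for the name truncated at the fold, which is the comparison worth making against whatever string your installed MIME::Tools actually hands the filter: if `re_match` is seeing a truncated or otherwise re-parsed name, the verdict will differ from what the logged name suggests.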
