[Mimedefang] name= and filename= different

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Jul 16 09:01:38 EDT 2012


On Mon, 9 Jul 2012, Joseph Brennan wrote:

> Mismatch noticed in Chinese-language spam:
>
> Content-Type: application/vnd.ms-excel;
> 	name=nfy.xls
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> 	filename=vmdgjctvi.xls
>
> I wonder whether name= and filename= being different are diagnostic of fakery
> or are just something one can expect in mail from normal software. I never
> paid attention. Before I figure how to parse them out and log them to check-- has
> anyone gone down this path already?

I did not check the implications of this mismatch, but I'm running a 
filename cleanup routine in MIMEDefang and had to adjust it to cope with 
this problem. I have seen legit mails where one name is rubbish 
(consisting of two UTF-8 characters most of the time) and the other looks 
good. They are forwarded by Exchange servers, then a colleague sees 
rubbish, but I see a valid filename -> Thunderbird and Pine seem to use 
different headers to determine the filename ...

My routine (see above) picks the name with an extension \.[[:alnum:]]+\z 
and the least non-Latin1 characters, if there is more than one name; 
sanitizes it and writes it back into the header for both names.

Regards,

-- 
Steffen Kaiser
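
The check asked about in the quoted question and the selection rule described in the reply, applied offline with Python's standard `email` module. This is an added example, not the poster's routine and not MIMEDefang code. The function names, the ASCII-only reading of the extension test, the tie-break on the first name, and leaving out the sanitizing step (which the post does not describe) are assumptions.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Constructed sample: the MIME part headers quoted in the thread, with a dummy body.
SAMPLE = (
    "Content-Type: application/vnd.ms-excel;\n\tname=nfy.xls\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n\tfilename=vmdgjctvi.xls\n"
    "\nAAAA\n"
)

# Assumption: ASCII-only reading of the post's \.[[:alnum:]]+\z test.
HAS_EXT = re.compile(r"\.[A-Za-z0-9]+\Z")

def part_names(part):
    """Return (Content-Type name, Content-Disposition filename); None where absent."""
    raw = (part.get_param("name"),
           part.get_param("filename", header="content-disposition"))
    # RFC 2231 encoded parameters come back as tuples; collapse them to str.
    return tuple(collapse_rfc2231_value(v) if v is not None else None for v in raw)

def pick_name(names):
    """Prefer a name with an extension, then the fewest non-Latin-1 characters."""
    return min(names, key=lambda n: (HAS_EXT.search(n) is None,
                                     sum(ord(c) > 0xFF for c in n)))

def normalise(msg):
    """Collect name/filename mismatches and write the chosen name to both headers."""
    mismatches = []
    for part in msg.walk():
        ct_name, cd_name = part_names(part)
        present = [n for n in (ct_name, cd_name) if n]
        if not present:
            continue
        chosen = pick_name(present)
        if ct_name and cd_name and ct_name != cd_name:
            mismatches.append((ct_name, cd_name, chosen))
        # Only rewrite headers that exist; never synthesise a bare header.
        if "Content-Type" in part:
            part.set_param("name", chosen, replace=True)
        if "Content-Disposition" in part:
            part.set_param("filename", chosen, header="Content-Disposition", replace=True)
    return mismatches

if __name__ == "__main__":
    print(normalise(email.message_from_string(SAMPLE)))
```

The returned tuples are what one would log to measure how often the mismatch occurs in legitimate mail versus spam before acting on it.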


