efa - possible filename hidding

Report bugs and workarounds
Post Reply
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

efa - possible filename hidding

Post by bostjanc »

Hi guys.

Strange inbound message.
If we forward message from gmail to our domain efa block that message with:
Aug 22 10:32:17 efa MailScanner[18142]: Filename Checks: Found possible filename hiding (CE243120054.A797A Filename.SOW.pdf)

But the "funny thing" is if we download that attachment on gmail to desktop the file name seems ok. And also file was uploaded to VirusTotal and it does not contain any viruses.
Why would EFA think filename hidding? Why would it put that nasty string in front of the filename "CE243120054.A797A "?
As I already said, saving file from gmail to desktop saves files normally without any strings in front of the filename...
Confused/amused
Phil
Posts: 11
Joined: 14 Jun 2016 20:25

Re: efa - possible filename hidding

Post by Phil »

Hello bostjanc,

I'm not entirely sure that it can be your problem but i faced something similar with email attachment.

I think its maybe because the name of the file contain multiple "." and that mean it could hide a dangerous file extension like an ".exe".
Example : "filename.exe.pdf". The system could think its a pdf but i could be a exe in reality. You can try to foward your attachment under an other name with no "." (replace then by an "-" instead) and see if Efa block them.

That was my problem for my part and hoping it can help you find yours.

Thanks,
Phil
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: efa - possible filename hidding

Post by pdwalker »

There is rule that looks for double extensions. For example, imagine if I sent you a file called "IAmATrojan.pdf.exe". Windows would helpfully hide the .exe extension and you'd see the .pdf and think the file is harmless and double click on it.

I found this rule to be more pain than it was worth, so I disabled it.

You can find the rule in /etc/MailScanner/filename.rules.conf

Search for "possible filename hiding" and comment out that line by adding a "#" character at the start of the line.

I think you may have to restart MailScanner.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: efa - possible filename hidding

Post by bostjanc »

Thanks, you're da man texas ranger walker ;)
Will updating EFA with next version overwrite those changes?
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: efa - possible filename hidding

Post by pdwalker »

Good question.

I don't believe so. I've upgraded a few times and I don't recall having to put those changes back in.

Also, efa is pretty good about backing everything up before upgrading.
bostjanc
Posts: 165
Joined: 01 Jun 2016 17:18

Re: efa - possible filename hidding

Post by bostjanc »

can you know by chance answer to my question on:


viewtopic.php?t=1006
Post Reply