Hi guys.
Strange inbound message.
If we forward a message from Gmail to our domain, EFA blocks that message with:
Aug 22 10:32:17 efa MailScanner[18142]: Filename Checks: Found possible filename hiding (CE243120054.A797A Filename.SOW.pdf)
But the "funny thing" is that if we download that attachment from Gmail to the desktop, the file name seems OK. The file was also uploaded to VirusTotal and it does not contain any viruses.
Why would EFA think this is filename hiding? Why would it put that nasty string in front of the filename "CE243120054.A797A "?
As I already said, saving the file from Gmail to the desktop saves it normally, without any strings in front of the filename...
Confused/amused
efa - possible filename hiding
Re: efa - possible filename hiding
Hello bostjanc,
I'm not entirely sure that it is your problem, but I faced something similar with an email attachment.
I think it's maybe because the name of the file contains multiple "." and that means it could hide a dangerous file extension like ".exe".
Example: "filename.exe.pdf". The system could think it's a PDF but it could be an exe in reality. You can try to forward your attachment under another name with no "." (replace them with "-" instead) and see if EFA blocks it.
That was my problem, and I hope it can help you find yours.
Thanks,
Phil
Re: efa - possible filename hiding
There is a rule that looks for double extensions. For example, imagine if I sent you a file called "IAmATrojan.pdf.exe". Windows would helpfully hide the .exe extension and you'd see the .pdf and think the file is harmless and double click on it.
I found this rule to be more pain than it was worth, so I disabled it.
You can find the rule in /etc/MailScanner/filename.rules.conf
Search for "possible filename hiding" and comment out that line by adding a "#" character at the start of the line.
I think you may have to restart MailScanner.
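The double-extension check discussed in the replies above, as an added example that is not part of the thread and is not MailScanner's own code. The regular expression is an assumption modelled on the rule carrying the "possible filename hiding" text, so compare it with the line in your own /etc/MailScanner/filename.rules.conf; `narrow_match` and its extension list are hypothetical, showing a tighter check that only fires when the last extension is an executable one.

```python
import re

# ASSUMPTION: pattern modelled on the double-extension deny rule; check it
# against the "possible filename hiding" line in filename.rules.conf.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)

# Hypothetical, non-exhaustive list used only by the narrower check below.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs"}


def broad_match(name):
    """Return the trailing part of the name that looks like a double
    extension, or None when the broad pattern does not match."""
    hit = DOUBLE_EXT.search(name)
    return hit.group(0) if hit else None


def narrow_match(name):
    """True only when the name has a double extension AND the last
    extension is in EXECUTABLE_EXT (the "IAmATrojan.pdf.exe" case)."""
    hit = broad_match(name)
    return hit is not None and hit.rsplit(".", 1)[1].lower() in EXECUTABLE_EXT


# Constructed sample names: the one from the log line, the two examples
# given in the replies, and the log-line name with dots replaced by dashes.
SAMPLES = [
    "CE243120054.A797A Filename.SOW.pdf",
    "IAmATrojan.pdf.exe",
    "filename.exe.pdf",
    "CE243120054-A797A Filename-SOW.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: broad={broad_match(sample)!r} "
              f"narrow={narrow_match(sample)}")
```

Under the assumed pattern, the name from the log line is caught by its ".SOW.pdf" ending, not by the "CE243120054.A797A " prefix, and the dash-renamed version passes.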
Re: efa - possible filename hiding
Thanks, you're da man texas ranger walker
Will updating EFA to the next version overwrite those changes?
Re: efa - possible filename hiding
Good question.
I don't believe so. I've upgraded a few times and I don't recall having to put those changes back in.
Also, EFA is pretty good about backing everything up before upgrading.