On Tuesday, 08.02.2005, at 21:53 +1300, Jason Haar wrote:
> Werner Fleck wrote:
>
> >I attached an email showing the error. The critical lines are:
> >
> >Content-Type: application/octet-stream;
> >        name="=?koi8-r?B?NC5wZGYuZXhl?="
> >Content-Disposition: attachment;
> >
>
> This was discussed last year, and is a known issue.
>
> I ask for feedback/help from non-ASCII sites about just how things like
> Windows really handle file extensions. e.g. assuming Chinese treats
> *.EXE as executables, does it also treat some other (Chinese) extension
> as an executable? How does the locale choice present in such encoded
> filenames affect the extension? I just don't have enough background in
> foreign languages to know the answers to this.
>

I do not know for sure but I think file extensions of Windows executables
are the same all over the world. Actually the attachment name
=?koi8-r?B?NC5wZGYuZXhl?= is displayed in my mail readers (Evolution,
Notes and Outlook) as "4.pdf.exe".

> At its heart, such encoded filenames have to be "normalized" back to a
> standard, predictable format with which you can ensure your
> quarantine-attachments.txt file looks for. Typically we'd have to start
> using other perl modules such as MIME::Base64 - which I am loath to do
> unless there is dire need (I just don't like opening more files than are
> needed ;-)
>

As a first try I would just decode the attachment name disregarding the
character set. The executable file extensions are all plain ASCII so they
should be decoded independent of the character set most of the time. Then
if you only compare extensions and not whole file names you should be ok.

> I asked for help some time last year... I'm still waiting... :-)
>
> PS: if you were seeing a particular file attachment getting through, you
> could always specifically block it - e.g. for the filename above:
>
> Encoded filename: =?koi8-r?B?NC5wZGYuZXhl?=
> Seen by Q-S as: __koi8-r_b_nc5wzgyuzxhl__
>
> So create a quarantine-attachment.txt entry to block
> "__koi8-r_b_nc5wzgyuzxhl__". Not nice, not comprehensive, but will work
> for such viruses IF they don't change their filenames. Of course,
> hopefully your AV will catch it.
>

Since quarantine-attachment.txt is not automatically updated I think this
is not really an option. When I realize a new malicious file name it is too
late because then the mail has already passed Q-S and got to my (and my
users') mailbox.

> I agree this is something that needs fixing, so feedback on
> locale/encoding issues appreciated!
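
The approach suggested in the reply above (decode the attachment name without regard to the character set, then compare only the extension), as an added example that is not part of the original message or of qmail-scanner's code. The block list and the names `decode_name` and `is_blocked` are hypothetical, and the second and third sample file names are constructed.

```perl
#!/usr/bin/perl
# Added example: decode RFC 2047 encoded attachment names, then match
# only the final extension. Not qmail-scanner's own code.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Constructed sample block list (assumption, not quarantine-attachments.txt).
my %blocked = map { $_ => 1 } qw(exe scr pif com bat cmd vbs);

# Turn every =?charset?B|Q?text?= encoded-word into raw bytes. The charset
# is deliberately ignored, as the reply suggests: the extensions of
# interest are plain ASCII.
sub decode_name {
    my ($name) = @_;
    # Whitespace between two adjacent encoded-words is not part of the value.
    $name =~ s/(\?=)\s+(?==\?)/$1/g;
    $name =~ s{=\?[^?\s]+\?([BbQq])\?([^?\s]*)\?=}{
        my ($enc, $text) = (uc($1), $2);
        if ($enc eq 'B') {
            $text = decode_base64($text);
        } else {                       # Q: "_" is a space, =XX is a hex byte
            $text =~ tr/_/ /;
            $text =~ s/=([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $text;
    }ge;
    return $name;
}

# True when the decoded name ends in a blocked extension.
sub is_blocked {
    my ($raw) = @_;
    my $name = decode_name($raw);
    $name =~ s/[\s.]+$//;              # drop trailing dots and whitespace
    return ($name =~ /\.([A-Za-z0-9]+)$/ && $blocked{lc $1}) ? 1 : 0;
}

# Constructed sample names; the first is the one quoted in the thread.
for my $raw ('=?koi8-r?B?NC5wZGYuZXhl?=',
             '=?iso-8859-1?Q?report=2Epdf=2Escr?=',
             'invoice.pdf') {
    printf "%-40s -> %-16s %s\n", $raw, decode_name($raw),
        is_blocked($raw) ? 'BLOCK' : 'pass';
}
```

Because only the last extension of the decoded name is compared, double-extension names such as the one in the thread are matched on the part Windows would act on.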