Mailscanner double filename extension

DaN
Posts: 240
Joined: 19 Nov 2014 10:04
Location: Earth

Mailscanner double filename extension

Post by DaN »

see viewtopic.php?f=5&t=1178

Junk mail with unwanted attachments mostly has blank characters between the filename extensions.
Either the rule is adjusted or it should be commented out.

Just a suggestion.
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: Mailscanner double filename extension

Post by darky83 »

It might be worth a little discussion.

The original intent of the double filename check from the MailScanner devs is to block off files like:
- file.zip.exe
- file.zip.com
- file.zip.scr
- file.docx.exe
etc..

This rule causes some problems for users, as the default also hits on items like:
- file.v01.docx
- file.zip.zip
- file.v01.zip
etc.

The current line says:

deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding                          Attempt to hide real filename extension
Might be an idea to change it so that only files with double file extensions that end with .exe, .com or .scr (or maybe even some more) are blocked.

So something like:

\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$
That will only check double file extensions that end with .exe, .scr, .bat or .com

Thoughts?
Version eFa 4.x now available!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Mailscanner double filename extension

Post by pdwalker »

Not a bad idea. Handle all the "executable" extensions (there are many) and you've handled the main problem we are trying to solve.
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: Mailscanner double filename extension

Post by darky83 »

Okay,

let's create a list to try to identify them all:

- .exe
- .com
- .scr
- .vbs
- .bat
- .pif
- .msi
- .hta
- .vb
- .ws
- .wsf
- .ps1

I am sure I'm missing some here :)
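As an added example (not code from this thread, nor from eFa or MailScanner), the script below runs the rules discussed here over a few constructed attachment names: the default double-extension rule, the narrowed form proposed above (with the leading dot written as `\.` so it matches a literal dot), and a rule built from the extension list in this post. It assumes MailScanner's first-matching-rule semantics and case-insensitive matching, and uses Python's `re`, which handles these particular patterns the same way as the Perl regexes in filename.rules.conf. The sample file names are constructed for the example.

```python
import re

# Regexes from the thread: the default MailScanner double-extension rule and
# the narrowed form proposed by darky83 (leading dot escaped so it matches a
# literal dot), plus the plain .exe deny quoted later in the thread.
DEFAULT_DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
NARROW_DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$"
DENY_EXE = r"\.exe$"

# Extension list from darky83's post, without the leading dots.
DANGEROUS_EXTS = ["exe", "com", "scr", "vbs", "bat", "pif",
                  "msi", "hta", "vb", "ws", "wsf", "ps1"]


def build_double_ext_rule(exts):
    """Build a narrowed double-extension regex from a list of final extensions:
    a short first extension, optional blanks, then one of the given extensions
    at the very end of the name."""
    alternation = "|".join(re.escape(e) for e in sorted(exts, key=len, reverse=True))
    return r"\.[a-z][a-z0-9]{2,3}\s*\.(" + alternation + r")$"


def first_match(rules, filename):
    """Return (action, log_text) for the first rule whose regex matches.

    Rules are (action, regex, log_text) triples in filename.rules.conf order.
    MailScanner stops at the first matching rule, so order matters; matching
    is assumed to be case-insensitive here (assumption, not verified here).
    """
    for action, regex, log_text in rules:
        if re.search(regex, filename, re.IGNORECASE):
            return action, log_text
    return None


def evaluate(rules, filenames):
    """Map each filename to the first matching rule (or None if allowed)."""
    return {name: first_match(rules, name) for name in filenames}


# Constructed sample attachment names: the cases the thread mentions plus
# one with blanks between the extensions, as DaN describes.
SAMPLES = [
    "file.zip.exe",          # real double extension, should be denied
    "invoice.pdf   .exe",    # blanks between the extensions
    "file.v01.zip",          # legitimate, hit by the default rule
    "file.zip.zip",          # legitimate, hit by the default rule
    "file.doc.js",           # .js downloader, not in either proposed list
    "readme.txt.vbs",        # only caught once .vbs is in the list
    "report.docx",           # single extension
]

if __name__ == "__main__":
    rule_sets = {
        "default": [("deny", DEFAULT_DOUBLE_EXT, "Found possible filename hiding")],
        "narrow": [("deny", NARROW_DOUBLE_EXT, "Found possible filename hiding")],
        "list": [("deny", build_double_ext_rule(DANGEROUS_EXTS), "Found possible filename hiding")],
    }
    for label, rules in rule_sets.items():
        print(f"--- {label} ---")
        for name, hit in evaluate(rules, SAMPLES).items():
            print(f"{name!r:24} -> {'deny' if hit else 'allow'}")
```

Running it prints one table per rule set; the default rule denies the two legitimate names, the narrowed and list-based rules let them through while still catching "file.zip.exe" and the blank-padded ".exe", and none of the three touches "file.doc.js" until "js" is added to the list passed to `build_double_ext_rule`. Because `first_match` stops at the first hit, putting a plain `\.exe$` deny before the double-extension rule means a double-extension .exe is logged under the .exe rule's text, which is the ordering point raised later in the thread.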
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: Mailscanner double filename extension

Post by skoppes »

How about .js as well, if this double-extension includes looking inside of non-password zip attachments.

We're getting slammed with .zip files containing malicious .doc.js malware downloader files, but EFA is letting a good portion of them right through. Not sure what to do about this.
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: Mailscanner double filename extension

Post by zohman »

darky83 wrote: So something like:

\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$
That will only check double file extensions that end with .exe, .scr or .bat or .com

Thoughts?
Thank you,

I also disabled the default line as I encountered problems with it,
but I don't see any reason to make a line like this, Darky: .exe, .bat etc. will be denied in the first place,
no matter what is on the right side of the file name.
So it can't be "pretending"; it can only take more throughput during the scanning process.
This is meant to be exactly what it is, "Deny all other double file extensions"; if you want to block an extension, deny it like:

deny	\.exe$	Windows/DOS Executable           Executable DOS/Windows programs are dangerous in email
Great Day to you all.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Mailscanner double filename extension

Post by shawniverson »

Thx for info! Sounds like we just need to abandon double file name extension checking and focus on real extensions, imo.
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa

Re: Mailscanner double filename extension

Post by darky83 »

Not always.

Some want to allow .exe etc., so we need to think about that also :)