Mailscanner double filename extension
see viewtopic.php?f=5&t=1178
Junk mail with unwanted attachments have mostly blank characters between the filename extensions.
Either the rule is adjusted or it should be commented out.
Just a suggestion.
Re: Mailscanner double filename extension
It might be worth a little discussion.
The original intent of the double filename check from the MailScanner devs is to block off files like:
- file.zip.exe
- file.zip.com
- file.zip.scr
- file.docx.exe
etc.
This rule causes some problems for users, as the default also hits on items like:
- file.v01.docx
- file.zip.zip
- file.v01.zip
etc.
The current line says:
Code:
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
Might be an idea to change it so that only files with double file extensions that end with .exe, .com or .scr (or maybe even some more) are blocked.
So something like:
Code:
\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$
That will only check double file extensions that end with .exe, .scr or .bat or .com
Thoughts?
Version eFa 4.x now available!
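Added example (not part of the original thread, and not MailScanner or eFa code): the patterns discussed above, run against constructed filenames in Python. It assumes rules are matched case-insensitively against the bare filename, escapes the leading dot of the proposed pattern, and also builds the same pattern from the longer extension list collected later in the thread.

```python
import re

# Pattern of the current rule, as quoted in the thread.
CURRENT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
# Extensions from the proposal, then the longer list gathered in later
# replies (including .js).
PROPOSED_EXTS = ["exe", "scr", "bat", "com"]
THREAD_EXTS = PROPOSED_EXTS + ["vbs", "pif", "msi", "hta", "vb", "ws",
                               "wsf", "ps1", "js"]


def tail_rule(exts):
    """Double-extension pattern that fires only on the given final extensions."""
    alternatives = "|".join(re.escape(e) for e in exts)
    return r"\.[a-z][a-z0-9]{2,3}\s*\.(" + alternatives + r")$"


def hits(pattern, names):
    # Assumption: case-insensitive match against the bare filename.
    rx = re.compile(pattern, re.IGNORECASE)
    return {n for n in names if rx.search(n)}


# Constructed sample filenames (not taken from real mail).
SAMPLES = [
    "file.zip.exe", "file.docx.exe", "invoice.pdf   .scr",
    "file.zip.zip", "file.v01.zip", "file.v01.docx",
    "invoice.doc.js", "setup.exe", "report.docx",
]


def compare(names=SAMPLES):
    """Return the set of sample names each pattern matches."""
    return {
        "current": hits(CURRENT, names),
        "proposed": hits(tail_rule(PROPOSED_EXTS), names),
        "thread_list": hits(tail_rule(THREAD_EXTS), names),
    }


if __name__ == "__main__":
    result = compare()
    for name in SAMPLES:
        flags = [rule for rule, matched in result.items() if name in matched]
        print(f"{name!r:24} -> {', '.join(flags) or 'no double-extension hit'}")
```

The final group of the current pattern requires exactly three characters, so names ending in a two- or four-character extension such as .js or .docx fall outside it, while a pattern built from an explicit extension list catches .doc.js and leaves .zip.zip alone.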
Re: Mailscanner double filename extension
Not a bad idea. Handle all the "executable" extensions (there are many) and you've handled the main problem we are trying to solve.
Re: Mailscanner double filename extension
Okay,
let's create a list to try to identify them all:
- .exe
- .com
- .scr
- .vbs
- .bat
- .pif
- .msi
- .hta
- .vb
- .ws
- .wsf
- .ps1
I am sure I'm missing some here.
Re: Mailscanner double filename extension
How about .js as well, if this double-extension includes looking inside of non-password zip attachments.
We're getting slammed with .zip files containing malicious .doc.js malware downloader files, but EFA is letting a good portion of them right through. Not sure what to do about this.
Re: Mailscanner double filename extension
darky83 wrote:
So something like:
Code:
\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$
That will only check double file extensions that end with .exe, .scr or .bat or .com
Thoughts?

Thank you,
I also disabled the default line as I encounter problems with it,
but I don't see any reason to make a line like this, Darky; .exe, .bat etc. will be denied in the first place,
no matter the right side of the file name.
So it can't be "pretending"; it can only take more throughput during the scanning process.
This is meant to be exactly what it is, "Deny all other double file extensions". If you want to block an extension, deny it like:
Code:
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Mailscanner double filename extension
Thx for info! Sounds like we just need to abandon double file name extension checking and focus on real extensions, imo.
Re: Mailscanner double filename extension
Not always.
Some want to allow .exe etc.. so need to think about that also