Hi guys,
our eFa 4.0.4 with MailScanner v5.5.1 is blocking file attachments with double extension ".xml.pdf" even though I modified the filename.rules.conf to allow it using:
allow \.xml\.pdf - -
The message details say:
Blocked File: Y
SPAM Allowlisted: Y
Any hints/ideas why that is?
Thanks
filename.xml.pdf - Allowlisted, Bad content [SOLVED]
Last edited by SelfMan on 30 Nov 2024 09:06, edited 1 time in total.
Re: filename.xml.pdf - Allowlisted, Bad content
Hi,
maybe
Code:
# allow XMLs converted to PDFs
allow<tab>\.xml\.pdf$<tab>-allow XMLs converted to PDFs<tab>-
is better?
Best regards
Re: filename.xml.pdf - Allowlisted, Bad content
thanks for the reply _M_P,
I copy/pasted one of the original lines so the tab-formatted content was there the whole time.
I just didn't use the </> code formatting here in the forum. (In hindsight, I should have.)
And I also did restart the MailScanner.
Re: filename.xml.pdf - Allowlisted, Bad content
...ok for tabs (they are there!), but with a closer look, you'll notice that my RegEx is not the same as yours (you missed a $)...
Kind regards
Re: filename.xml.pdf - Allowlisted, Bad content
Ah, apologies! Brain fart! oh no Eyefart or something dumb.
Thanks for your patience. I've re-formatted a couple of lines that were added over time, but the e-mails are still being filtered.
"The following e-mails were found to have: Bad Filename Detected"
Re: filename.xml.pdf - Allowlisted, Bad content
I've run the --lint test, which found a couple of other entries with syntax errors that I fixed. (Yeah, there were still spaces instead of tabs.)
They are now fixed and there are no errors reported. Yet, the PDF file I renamed to file.xml.pdf is still filtered out:
Code:
"The following e-mails were found to have: Bad Filename Detected"
"Report: MailScanner: Attempt to hide real filename extension (file.xml.pdf)"
And it ended up in the quarantine.
I've also tried to add the entry to "filetype.rules.conf", but it had no effect.
Re: filename.xml.pdf - Allowlisted, Bad content
Ok, I found the "issue".
The sequence of rules is important.
The general rule for double extensions MUST be last in the sequence of rules.
Code:
# Deny all other double file extensions. This catches any hidden filenames.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension
When I moved the rule, all started to work.
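
The rule-order effect this thread ends on, together with the missing `$` and the spaces-instead-of-tabs problem raised earlier, as an added example (not MailScanner's code and not from any poster). It is a simplified Python model that assumes four tab-separated fields per rule, case-insensitive matching, first matching rule wins, and "allow" when nothing matches; the function names and rule strings are constructed here from the lines quoted in the thread.

```python
import re

def parse_rules(text):
    """Parse lines of the form action<TAB>regex<TAB>log text<TAB>user report."""
    rules, bad_lines = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f for f in line.split("\t") if f]
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            bad_lines.append(n)  # e.g. spaces typed where tabs are required
            continue
        rules.append((n, fields[0], re.compile(fields[1], re.I)))
    return rules, bad_lines

def check(config, filename):
    """Return (action, matching line number or None, unparsable line numbers)."""
    rules, bad_lines = parse_rules(config)
    for n, action, rx in rules:
        if rx.search(filename):        # assumption: first matching rule decides
            return action, n, bad_lines
    return "allow", None, bad_lines    # assumption: no match means allowed

# Constructed rule lines, built from the rules quoted in the thread.
DENY_DOUBLE = "\t".join(["deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                         "Found possible filename hiding",
                         "Attempt to hide real filename extension"])
ALLOW_ANCHORED = "\t".join(["allow", r"\.xml\.pdf$", "-", "-"])
ALLOW_UNANCHORED = "\t".join(["allow", r"\.xml\.pdf", "-", "-"])
ALLOW_SPACES = r"allow \.xml\.pdf$ - -"   # same rule, but space-separated

if __name__ == "__main__":
    cases = [
        ("deny rule first", [DENY_DOUBLE, ALLOW_ANCHORED], "file.xml.pdf"),
        ("allow rule first", [ALLOW_ANCHORED, DENY_DOUBLE], "file.xml.pdf"),
        ("allow with spaces", [ALLOW_SPACES, DENY_DOUBLE], "file.xml.pdf"),
        ("anchored allow", [ALLOW_ANCHORED, DENY_DOUBLE], "file.xml.pdf.exe"),
        ("unanchored allow", [ALLOW_UNANCHORED, DENY_DOUBLE], "file.xml.pdf.exe"),
    ]
    for label, lines, name in cases:
        result = check("\n".join(lines), name)
        print(f"{label:18} {name:18} -> {result}")
```

The last two cases show why the trailing `$` matters: without it, the allow rule also matches names that merely contain `.xml.pdf` and carry a further extension.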