
Mailscanner double filename extension

Posted: 10 Aug 2015 06:50
by DaN
see viewtopic.php?f=5&t=1178

Junk mail with unwanted attachments mostly has blank characters between the filename extensions.
Either the rule is adjusted or it should be commented out.

Just a suggestion.

Re: Mailscanner double filename extension

Posted: 10 Aug 2015 19:31
by darky83
It might be worth a little discussion.

The original intent of the double filename check from the MailScanner devs is to block files like:
- file.zip.exe
- file.zip.com
- file.zip.scr
- file.docx.exe
etc..

This rule causes some problems for users, as the default also hits on items like:
- file.v01.docx
- file.zip.zip
- file.v01.zip
etc.

The current line says:

deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding                          Attempt to hide real filename extension

Might be an idea to change it so that only files with double file extensions that end with .exe, .com or .scr (or maybe even some more) are blocked.

So something like:

\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$

That will only check double file extensions that end with .exe, .scr, .bat or .com.

Thoughts?

Re: Mailscanner double filename extension

Posted: 26 Aug 2015 07:59
by pdwalker
Not a bad idea. Handle all the "executable" extensions (there are many) and you've handled the main problem we are trying to solve.

Re: Mailscanner double filename extension

Posted: 29 Aug 2015 08:49
by darky83
Okay, let's create a list to try to identify them all:

- .exe
- .com
- .scr
- .vbs
- .bat
- .pif
- .msi
- .hta
- .vb
- .ws
- .wsf
- .ps1

I am sure I'm missing some here :)

Re: Mailscanner double filename extension

Posted: 01 Sep 2015 07:29
by DaN
- .cmd

Re: Mailscanner double filename extension

Posted: 14 Sep 2015 16:54
by skoppes
How about .js as well, if this double-extension includes looking inside of non-password zip attachments.

We're getting slammed with .zip files containing malicious .doc.js malware downloader files, but EFA is letting a good portion of them right through. Not sure what to do about this.

Re: Mailscanner double filename extension

Posted: 16 Sep 2015 09:28
by zohman
darky83 wrote: So something like:

\.[a-z][a-z0-9]{2,3}\s*\.(exe|scr|bat|com)$

That will only check double file extensions that end with .exe, .scr, .bat or .com.

Thoughts?
Thank you,

I also disabled the default line, as I encountered problems with it,
but I don't see any reason to make a line like this, Darky: .exe, .bat etc. will be denied in the first place,
no matter what the right side of the file name is.
So it can't be "pretending"; it can only take more throughput during the scanning process.
This is meant to be exactly what it is: "Deny all other double file extensions". If you want to block an extension, deny it like:

deny	\.exe$	Windows/DOS Executable           Executable DOS/Windows programs are dangerous in email

Great Day to you all.
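
As an added example (not code from this thread, from MailScanner or from EFA), the following Python script models how filename rules are evaluated: top to bottom, first match wins, with each rule being four tab-separated fields (action, regex, log text, user text). It assumes the regex is applied case-insensitively. It runs three constructed rule sets against constructed attachment names: a default-style pair (deny .exe outright, then the generic double-extension rule quoted above), a narrowed double-extension rule built from the executable-extension list collected in this thread for a site that wants to allow plain .exe, and the same narrowed rule with its leading dot left unescaped, to show why that escape matters. None of these rule sets is the shipped EFA configuration.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "allow" or "deny" (MailScanner has more, e.g. "deny+delete")
    pattern: re.Pattern
    logtext: str           # third field: text written to the MailScanner log
    usertext: str          # fourth field: text reported to the user


def parse_rules(text):
    """Parse rules in filename.rules.conf style as this model assumes it:
    one rule per line, four tab-separated fields, '#' comments and blank
    lines skipped. Patterns are compiled case-insensitively (assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"expected 4 tab-separated fields: {line!r}")
        action, regex, logtext, usertext = (f.strip() for f in fields[:4])
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE),
                          logtext, usertext))
    return rules


def check_filename(rules, filename):
    """Top-down, first match wins; a name matching no rule is allowed.
    Returns (action, logtext)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.logtext
    return "allow", "no rule matched"


def _rule(action, regex, logtext, usertext):
    # Serialise one rule in the tab-separated on-disk format.
    return "\t".join((action, regex, logtext, usertext))


# Extension list collected in the thread (constructed here, extend as needed).
EXECUTABLE_EXTS = "exe|com|scr|vbs|bat|pif|msi|hta|vb|ws|wsf|ps1|cmd|js"

# Default-style set: deny .exe outright, then the generic double-extension rule.
DEFAULT_RULES = "\n".join([
    _rule("deny", r"\.exe$", "Windows/DOS Executable",
          "Executable DOS/Windows programs are dangerous in email"),
    _rule("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
          "Found possible filename hiding", "Attempt to hide real filename extension"),
    _rule("allow", r".*", "-", "-"),
])

# Narrowed set for a site that allows plain .exe but still wants to catch
# "name.ext<spaces>.exe"-style hiding. Note the escaped leading dot.
NARROWED_RULES = "\n".join([
    _rule("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.(" + EXECUTABLE_EXTS + r")$",
          "Found possible filename hiding", "Attempt to hide real filename extension"),
    _rule("allow", r".*", "-", "-"),
])

# Same rule with the leading dot unescaped: '.' then matches any character,
# so "setup.exe" (s + e + tup + .exe) is denied even though .exe is allowed.
UNESCAPED_RULES = "\n".join([
    _rule("deny", r".[a-z][a-z0-9]{2,3}\s*\.(" + EXECUTABLE_EXTS + r")$",
          "Found possible filename hiding", "Attempt to hide real filename extension"),
    _rule("allow", r".*", "-", "-"),
])

# Constructed attachment names, not taken from real mail.
SAMPLES = [
    "invoice.zip.exe",     # classic hidden executable
    "photo.jpg   .exe",    # blank characters between the extensions
    "report.v01.zip",      # legitimate version tag: false positive for the default rule
    "archive.zip.zip",     # legitimate nested archive: false positive for the default rule
    "setup.exe",           # single extension; only the unescaped-dot rule denies it
    "resume.doc.js",       # .doc.js downloader: default double rule needs a 3-char final extension
    "Invoice.ZIP.EXE",     # mixed case, to show the case-insensitive match
]


def evaluate(rules_text, names=SAMPLES):
    """Return {filename: action} for every sample under the given rule set."""
    rules = parse_rules(rules_text)
    return {name: check_filename(rules, name)[0] for name in names}


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_RULES),
                        ("narrowed", NARROWED_RULES),
                        ("narrowed, unescaped dot", UNESCAPED_RULES)):
        print(f"--- {label} rule set ---")
        for name, verdict in evaluate(text).items():
            print(f"{verdict:5s}  {name!r}")
```

Running it shows the trade-off the thread is circling: the default pair denies every sample except resume.doc.js, the narrowed rule lets the .v01.zip and .zip.zip names through while still catching the padded "photo.jpg   .exe" and the .doc.js name, and the unescaped-dot variant quietly re-denies plain setup.exe. Whatever rule you settle on, test it against names you want to allow as well as names you want to block.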

Re: Mailscanner double filename extension

Posted: 19 Sep 2015 10:54
by shawniverson
Thx for info! Sounds like we just need to abandon double file name extension checking and focus on real extensions, imo.

Re: Mailscanner double filename extension

Posted: 23 Sep 2015 16:54
by darky83
Not always.

Some want to allow .exe etc., so we need to think about that also :)

Re: Mailscanner double filename extension

Posted: 26 Sep 2015 12:59
by shawniverson