filename.xml.pdf - Allowlisted, Bad content [SOLVED]
Posted: 26 Nov 2024 13:58
by SelfMan
Hi guys,
our eFa 4.0.4 with MailScanner v5.5.1 is blocking file attachments with double extension ".xml.pdf" even though I modified the filename.rules.conf to allow it using:
allow \.xml\.pdf - -
The message details say:
Blocked File: Y
SPAM Allowlisted: Y
Any hints/ideas why that is?
Thanks
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 27 Nov 2024 16:28
by _M_P
Hi,
maybe
Code:
# allow XMLs converted to PDFs
allow<tab>\.xml\.pdf$<tab>-allow XMLs converted to PDFs<tab>-
is better?

Best regards
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 27 Nov 2024 16:43
by SelfMan
thanks for the reply _M_P,
I copy/pasted one of the original lines so the tab-formatted content was there the whole time.
I just didn't use the </> code formatting here in the forum. (in hindsight, I should have)
And I also did restart the MailScanner.
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 27 Nov 2024 19:03
by _M_P
...ok for tabs (are there!), but with a closer look, you'll notice that my RegEx is not the same as yours (you missed a $)...
Kind regards
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 27 Nov 2024 19:50
by SelfMan
Ah, apologies! Brain fart! oh no Eyefart or something dumb.
Thanks for your patience.

I've re-formatted a couple lines that were added over time but the e-mails are still being filtered.
"The following e-mails were found to have: Bad Filename Detected"
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 29 Nov 2024 18:31
by _M_P
Hi,
I'd try a
...
Best regards
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 30 Nov 2024 08:39
by SelfMan
I've run the --lint test which found a couple of other entries with syntax errors that I fixed. (yeah, there were still spaces instead of tabs)
They are now fixed and there are no errors reported. Yet, the pdf file I renamed to file.xml.pdf is still filtered out:
Code:
"The following e-mails were found to have: Bad Filename Detected"
"Report: MailScanner: Attempt to hide real filename extension (file.xml.pdf)"
And it ended up in the quarantine.
I've also tried to add the entry to "filetype.rules.conf", but it had no effect.
Re: filename.xml.pdf - Allowlisted, Bad content
Posted: 30 Nov 2024 09:06
by SelfMan
Ok, I found the "issue".
The sequence of rules is important.
The general rule for double extensions MUST be last in the sequence of rules.
Code:
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
When I moved the rule, all started to work.
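
The ordering effect found in this thread, as an added example that is not part of the original posts and is not MailScanner's own code: a simplified Python model of first-match rule evaluation using the two rules quoted above. It assumes four tab-separated fields per rule, case-insensitive matching, and that a filename matching no rule is not blocked; the names `parse_rules`, `evaluate`, `BROKEN` and `FIXED` are hypothetical.

```python
import re

# Rules quoted in the thread, rebuilt with real TAB separators
# (fields: action, regex, log text, user report).
DENY_DOUBLE = "\t".join([
    "deny",
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
])
ALLOW_XML_PDF = "\t".join(["allow", r"\.xml\.pdf$", "-", "-"])

# Constructed rule files: generic deny first (the failing order) vs. last.
BROKEN = "\n".join([DENY_DOUBLE, ALLOW_XML_PDF])
FIXED = "\n".join([ALLOW_XML_PDF, DENY_DOUBLE])


def parse_rules(text):
    """Parse rule lines; reject any line that is not 4 tab-separated fields."""
    rules = []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(
                f"line {num}: expected 4 tab-separated fields, got {len(fields)}")
        action, pattern, log_text, report = fields
        # Assumption: patterns are matched case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE),
                      log_text, report))
    return rules


def evaluate(rules, filename):
    """Return (action, report) of the first rule whose regex matches."""
    for action, regex, _log_text, report in rules:
        if regex.search(filename):
            return action, report
    return "allow", "-"  # assumption: no matching rule means not blocked


if __name__ == "__main__":
    for label, text in (("deny first", BROKEN), ("deny last", FIXED)):
        rules = parse_rules(text)
        for name in ("file.xml.pdf", "invoice.pdf.exe", "report.pdf"):
            print(label, name, evaluate(rules, name))
```

With the generic deny rule last, file.xml.pdf is allowed while other double extensions such as invoice.pdf.exe are still denied.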