Filtering on filename extensions

Julian Field jkf at ecs.soton.ac.uk
Tue Oct 23 16:26:23 IST 2001


At 16:19 23/10/2001, you wrote:
>One consequence of this decision is that attachments containing files
>such as "proposal.rtf.doc" are now being blocked with an "Attempt to
>hide real filename extension" warning message.
>
>This occurs whether or not the .DOC attachment carried a virus and was
>disinfected. I don't think it should have blocked simply because of the
>filenames rules.
>
>In particular I would expect a message with a repeated file extension to
>be delivered, provided it passed the virus scan phase, _if_ the last
>extension was ".DOC".
>
>In the light of the above I would like to ask:
>
>  1. Is it "safe" to modify filename.rules.conf in the way I have
>suggested?

Fairly.

>  2. If it is safe, what is the best way to modify the conf file to
>achieve delivery of .DOC files.

allow   \.doc$                  -       -

Put that above the double-file-extension trap in filename.rules.conf.
Note: *Remember* to separate the fields with TAB characters, not just
spaces. Sorry about that, I need to put a better syntax checker into the
code that reads this file, to check for this.

>  3. Why are common file extensions like .DOC ignored altogether in the
>     filename.rules.conf file?

It's just a sample, I hope people at least look at it before using it on
their site. Part of the reason the double-file-extension trap is there is
to serve as an example of what *can* be done. Mind you, I wouldn't be
without it here!

We find it does produce a fair false-positive rate. However, we only get
asked once or twice a month to actually send the recipient the file out of
the quarantine. Seems most people don't actually want the attachments they
receive anyway...
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ



More information about the MailScanner mailing list