Filtering on filename extensions
Julian Field
jkf at ecs.soton.ac.uk
Tue Oct 23 16:26:23 IST 2001
At 16:19 23/10/2001, you wrote:
>One consequence of this decision is that attachments containing files
>such as "proposal.rtf.doc" are now being blocked with an "Attempt to
>hide real filename extension" warning message.
>
>This occurs whether or not the .DOC attachment carried a virus and was
>disinfected. I don't think it should have blocked simply because of the
>filenames rules.
>
>In particular I would expect a message with a repeated file extension to
>be delivered, provided it passed the virus scan phase, _if_ the last
>extension was ".DOC".
>
>In the light of the above I would like to ask:
>
> 1. Is it "safe" to modify filename.rules.conf in the way I have
>suggested?
Fairly.
> 2. If it is safe, what is the best way to modify the conf file to
>achieve delivery of .DOC files.
allow	\.doc$	-	-
Put that above the double-file-extension trap in filename.rules.conf.
Note: *Remember* to separate the fields with TAB characters, not just
spaces. Sorry about that, I need to put a better syntax checker into the
code that reads this file, to check for this.
> 3. Why are common file extensions like .DOC ignored altogether in the
> filename.rules.conf file?
It's just a sample, I hope people at least look at it before using it on
their site. Part of the reason the double-file-extension trap is there is
to serve as an example of what *can* be done. Mind you, I wouldn't be
without it here!
We find it does produce a fair false-positive rate. However, we only get
asked once or twice a month to actually send the recipient the file out of
the quarantine. Seems most people don't actually want the attachments they
receive anyway...
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
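
The ordering and TAB requirements described in the message above, as an added example (not MailScanner's own code and not from the original post). It assumes four TAB-separated fields per rule as in the quoted line, first matching rule wins, case-insensitive matching, and delivery when nothing matches; the trap regex and log text are constructed stand-ins for the sample file's rule.

```python
import re

# Constructed sample: action, regex, log text, report text, TAB-separated.
# The deny regex is an assumed stand-in for the double-extension trap.
SAMPLE_RULES = (
    "allow\t\\.doc$\t-\t-\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$"
    "\tFound possible filename hiding"
    "\tAttempt to hide real filename extension\n"
)

def parse_rules(text):
    """Return (rules, errors); each rule is (action, compiled_regex, report)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            # Typical cause: fields separated by spaces instead of TABs.
            errors.append(f"line {lineno}: expected 4 TAB-separated fields, "
                          f"got {len(fields)}")
            continue
        action, pattern, _log, report = (f.strip() for f in fields)
        if action not in ("allow", "deny"):
            errors.append(f"line {lineno}: unknown action {action!r}")
            continue
        try:
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            errors.append(f"line {lineno}: bad regex: {exc}")
            continue
        rules.append((action, regex, report))
    return rules, errors

def decide(rules, filename):
    """First matching rule wins; no match means the file is delivered."""
    for action, regex, report in rules:
        if regex.search(filename):
            return action, report
    return "allow", "-"

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_RULES)
    for name in ("proposal.rtf.doc", "report.doc.exe", "notes.txt"):
        print(name, decide(rules, name))
```

With the allow rule first, "proposal.rtf.doc" is delivered while "report.doc.exe" still hits the trap; reversing the two rules blocks both.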