Double File Extensions

Jeremy Evans JeremyE at BSA.CA.GOV
Wed Jan 29 21:52:26 GMT 2003

In the process of testing, I found that a double extension can get through
if there is a space (or multiple spaces) between the first (fake) file
extension and the second (actual) file extension.  Since a space after the
fake file extension will probably be just as invisible as the actual file
extension, it could be a way to sneak past the filters while getting the
same nefarious effect.  I propose that by default the last line in
filename.rules.conf be changed to:

deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename
hiding  Attempt to hide real filename extension

Jeremy Evans
Information Systems Analyst
California State Auditor
916-445-0255 phone
916-322-7801 fax

More information about the MailScanner mailing list