Double File Extensions

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Thu Jan 30 15:19:08 GMT 2003

I've just read the messagelabs artice refered to in your post, "Security Alert, ban very long filenames" and I wondered, in light of that, where you think the rule contained in this following post (from earlier this week) should go?  I'm toying with the idea of moving it above all the allow's

> >In the process of testing, I found that a double extension 
> can get through
> >if there is a space (or multiple spaces) between the first 
> (fake) file
> >extension and the second (actual) file extension.  Since a 
> space after the
> >fake file extension will probably be just as invisible as 
> the actual file
> >extension, it could be a way to sneak past the filters while 
> getting the
> >same nefarious effect.  I propose that by default the last line in
> >filename.rules.conf be changed to:
> >
> >deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found 
> possible filename
> >hiding  Attempt to hide real filename extension
> Good idea. It will be in the next release.
> --
> Julian Field
> MailScanner thanks transtec Computers for their support

BMRB International
+44 (0)20 8566 5000
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 

More information about the MailScanner mailing list