Double File Extensions

Julian Field mailscanner at
Thu Jan 30 15:25:13 GMT 2003

I have always put that one near the bottom as there is no point in denying
*.jan.txt, *.feb.txt, etc..

At 15:19 30/01/2003, you wrote:
>I've just read the messagelabs artice refered to in your post, "Security
>Alert, ban very long filenames" and I wondered, in light of that, where
>you think the rule contained in this following post (from earlier this
>week) should go?  I'm toying with the idea of moving it above all the allow's
> > >In the process of testing, I found that a double extension
> > can get through
> > >if there is a space (or multiple spaces) between the first
> > (fake) file
> > >extension and the second (actual) file extension.  Since a
> > space after the
> > >fake file extension will probably be just as invisible as
> > the actual file
> > >extension, it could be a way to sneak past the filters while
> > getting the
> > >same nefarious effect.  I propose that by default the last line in
> > >filename.rules.conf be changed to:
> > >
> > >deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found
> > possible filename
> > >hiding  Attempt to hide real filename extension
> >
> > Good idea. It will be in the next release.
> >
> > --
> > Julian Field
> >
> > MailScanner thanks transtec Computers for their support
> >
>BMRB International
>+44 (0)20 8566 5000
>This message (and any attachment) is intended only for the
>recipient and may contain confidential and/or privileged
>material.  If you have received this in error, please contact the
>sender and delete this message immediately.  Disclosure, copying
>or other action taken in respect of this email or in
>reliance on it is prohibited.  BMRB International Limited
>accepts no liability in relation to any personal emails, or
>content of any email which does not directly relate to our

Julian Field
MailScanner thanks transtec Computers for their support

More information about the MailScanner mailing list