filename rule problem
DNSAdmin
dnsadmin at 1BIGTHINK.COM
Mon Oct 27 20:13:33 GMT 2003
At 02:53 PM 10/27/2003 -0500, you wrote:
--SNIP--
>For reference the default rule is:
>deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>
>Which looks for any 3 or 4 character extension that starts with a letter,
>followed by any 3 character extension.
>
>1) double 3 char extensions are blocked, but I removed numerics from the
>second extension, I don't know of any executable formats used by viruses
>that have numbers in them, but know of several that are commonly done with
>lots of dots in the filename (i.e.: .mp3)
>
>deny \.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>
>
>2) I created several _specific_ 4 character extensions to look for a hidden
>3 character after. I was having problems with things like resumes sent to
>HR being named "kettler.matt.doc" and being caught, so I did not want a
>generic "any 4 character extension" rule. Of course, you could still have
>problems with 3 character names like "kettler.joe.doc", but those are less
>common. 4-letter is generally more problematic as it gets quite a variety
>of surnames as well, i.e.: "joseph.hill.doc". There's also not very many
>4-letter file extensions that are commonly used, so making a list of them
>is much easier than making a list of 3 char extensions.
>
>I specifically picked common 4 character extensions which are actually used
>and that a user might mistake as being something "safe" if they can't see
>the extra extension.
>
>deny \.text\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.jpeg\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.mpeg\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.pict\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.jiff\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.html\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.tiff\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.vrml\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.conf\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.diff\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.java\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.cert\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
>deny \.icon\s*\.[a-z]{3}$ Found possible filename hiding Attempt to hide real filename extension
Hey thanks, Matt! I like your solution. I think it is more correct and will
fit my needs as well as Chris's, who had initially brought up this subject.
Thanks!
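To see where the default rule and Matt's revised rules actually differ on attachment names, here is an added Python example (not code from the thread or from MailScanner); it assumes rules are matched case-insensitively, as MailScanner applies its filename rules, and the sample filenames are constructed.

```python
import re

# Regex part of the rules quoted above. MailScanner's filename.rules.conf uses
# Perl regexes; Python's re module handles these particular patterns identically.
DEFAULT_RULE = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

REVISED_RULES = [
    r"\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$",   # double 3-char ext, final ext letters only
] + [
    rf"\.{ext}\s*\.[a-z]{{3}}$"            # the specific 4-char extensions from the post
    for ext in ("text", "jpeg", "mpeg", "pict", "jiff", "html",
                "tiff", "vrml", "conf", "diff", "java", "cert", "icon")
]

def flagged_by(filename, rules):
    """Return the first rule matching `filename`, or None.
    Assumption: case-insensitive matching, as MailScanner applies these rules."""
    for rule in rules:
        if re.search(rule, filename, re.IGNORECASE):
            return rule
    return None

def compare(filenames):
    """Map each filename to (hit by default rule, hit by revised rule set)."""
    return {
        name: (flagged_by(name, [DEFAULT_RULE]) is not None,
               flagged_by(name, REVISED_RULES) is not None)
        for name in filenames
    }

# Constructed sample attachment names (not from the thread).
SAMPLES = [
    "kettler.matt.doc",   # resume with a 4-letter name: default rule false positive
    "kettler.joe.doc",    # 3-letter name: still caught by both, as the post admits
    "joseph.hill.doc",    # surname-style name: only the default rule complains
    "live.set.mp3",       # numeric final extension: revised rule lets it through
    "holiday.jpeg.exe",   # executable hidden behind a 4-char image extension
    "notes.txt.bat",      # executable hidden behind a 3-char extension
    "Readme.HTML.EXE",    # same trick in upper case
]

if __name__ == "__main__":
    for name, (default_hit, revised_hit) in compare(SAMPLES).items():
        print(f"{name:20} default={str(default_hit):5} revised={revised_hit}")
```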