Double file extension?

Matt Kettler mkettler at EVI-INC.COM
Mon Sep 8 21:09:59 IST 2003


At 03:00 PM 9/8/2003 -0500, NTIN Page Guy wrote:
>This is the default double file extension finder in MailScanner
>
># Deny all other double file extensions. This catches any hidden filenames.
>deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding
>
>Why does it catch this file?
>
>filename: TIGER.schedule.gbc1.xls
>
>Sure the file has many periods in that shouldn't be there, but users
>are notorious for naming files stupidly.  But the file only has one
>three letter extension.
>
>Shouldn't this rule be looking for files that contain more than one 3
>letter extension.

No, it's not two 3-letter extensions... Read the regex closer. It's looking
for a dot, followed by 1 letter, followed by 2-3 alphanumerics, followed by
a dot, followed by 3 alphanumerics.

Thus the first extension can be 3-4 characters, but must start with a
letter and the second extension has to be 3 charachters.

This way it can catch .html.exe .mpeg.pif, etc, and winds up catching gbc1.xls.



More information about the MailScanner mailing list