Filename.rules.conf - CLSID false positive

Martin Sapsed m.sapsed at BANGOR.AC.UK
Wed Apr 28 09:15:32 IST 2004


jburzenski at americanhm.com wrote:
> Has anyone else encountered any false positives with this filename rule?
>
> # Deny filenames ending with CLSID's
> deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type   Files containing CLSID's are trying to hide their real type
>
>
> I have a vendor who sends PDF files that look like:
>
>         138139_{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}.pdf
>
> I researched the CLSID vulnerability and it seems that it is only
> effective when tagged at the end of the filename, after the extension.
> I am considering revising this regex to something like:
>
> \{[a-hA-H0-9-]{25,}\}$
>
> Does anyone see any danger in this change?

Bearing in mind Julian's reply, if you only get PDFs like this, why not
put in an "allow {CLSID}.pdf$" line above Julian's "deny anything with a
CLSID in" line? Or use a ruleset to turn off filename checking for that
domain?

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
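To compare the three options discussed in this thread (the original deny rule, the `$`-anchored variant, and an allow line placed above the deny), here is an added example that is not part of the original post or of MailScanner itself. It assumes MailScanner evaluates filename rules top to bottom with the first matching rule deciding the action, and that the patterns are applied as unanchored regexes; the sample filenames are constructed.

```python
import re

# Patterns as written in the thread. The original deny rule matches a CLSID
# anywhere in the name; the proposed variant only matches one at the end.
DENY_ANY_CLSID = re.compile(r"\{[a-hA-H0-9-]{25,}\}")
DENY_TRAILING_CLSID = re.compile(r"\{[a-hA-H0-9-]{25,}\}$")
# Martin's suggestion: an allow line for "{CLSID}.pdf" above the deny line.
ALLOW_CLSID_PDF = re.compile(r"\{[a-hA-H0-9-]{25,}\}\.pdf$", re.IGNORECASE)


def first_match(rules, filename):
    """Return the action of the first rule whose regex matches the filename.

    `rules` is an ordered list of (action, compiled_regex). Assumption: rules
    are tried top to bottom and the first hit wins; a name matched by no rule
    falls through to 'allow'.
    """
    for action, regex in rules:
        if regex.search(filename):
            return action
    return "allow"


ORIGINAL_RULESET = [("deny", DENY_ANY_CLSID)]
ANCHORED_RULESET = [("deny", DENY_TRAILING_CLSID)]
ALLOW_FIRST_RULESET = [("allow", ALLOW_CLSID_PDF), ("deny", DENY_ANY_CLSID)]

# Constructed sample names: the vendor's PDF from the thread, a name with the
# CLSID after the extension (the case the rule exists to block), and a plain
# PDF with no CLSID at all.
VENDOR_PDF = "138139_{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}.pdf"
TRAILING_CLSID = "invoice.pdf.{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}"
PLAIN_PDF = "invoice.pdf"


def evaluate_all(filename):
    """Run one filename through each of the three rulesets."""
    return {
        "original": first_match(ORIGINAL_RULESET, filename),
        "anchored": first_match(ANCHORED_RULESET, filename),
        "allow_first": first_match(ALLOW_FIRST_RULESET, filename),
    }


if __name__ == "__main__":
    for name in (VENDOR_PDF, TRAILING_CLSID, PLAIN_PDF):
        print(name, evaluate_all(name))
```

Both the anchored rule and the allow-then-deny ordering let the vendor's `_{CLSID}.pdf` name through while still denying a name whose CLSID follows the extension; the allow-first version keeps the broader deny in place for every other name that contains a CLSID.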

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
For further info about MailScanner, please see the Most Asked
Questions at    http://www.mailscanner.biz/maq/     and the archives
at    http://www.jiscmail.ac.uk/lists/mailscanner.html