Blocking of Files with multiple extensions

User Groups usergroups at THEARGONCOMPANY.COM
Thu Jun 17 16:44:31 IST 2004


Hi All,

Good Day...

Please bear with us; this is a long mail.

We have noticed something very weird on our Cobalt RaQ 550 server, which has
mailscanner-4.29.1-1 and clamscan / ClamAV version 0.67 installed.

When users send mails with attachments having multiple extensions, some files
are detected as virus and some are not; it's not consistent.

We did the following tests to verify this and got the results below.

1. Sent attachments having filename as "file.123.pdf "
In this message the numbers were used as characters between 2 dots.
MailScanner did not block this file.

2. Sent attachments having filename as "file.abc.pdf" & "file.abcd.pdf"
In this message the alphabets were used as characters between 2 dots.
MailScanner blocked both the files.

3. Sent attachments with filename as "file.ab.pdf" & "file.a.pdf"
MailScanner did not block these files.

The conclusion we reached is that MailScanner blocks only those attachments which
have 3 or 4 alphabets in between 2 dots.

Does this make sense?

Can it be rectified? Is this a known issue?

Our /etc/MailScanner/filename.rules.conf has the following line in it.

Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding        Attempt to hide real filename extension

What if we remove / comment out this line totally? Are we putting our customers
at a great risk?

Regards,

The Argon Company
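
Added example, not part of the original post and not MailScanner's own code: the quoted filename.rules.conf rule applied to the filenames from the three tests, with a reason for each name that is let through. The helper names `parse_rule` and `check` are hypothetical, case-insensitive matching is an assumption, and `file.a1b.pdf` and `FILE.ABC.PDF` are extra constructed names that go beyond the cases in the post.

```python
import re

# Rule text copied from the post (the wrapped line joined back together).
RULE = (r"deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   "
        "Found possible filename hiding        "
        "Attempt to hide real filename extension")

def parse_rule(line):
    """Split a rule line into (action, compiled regex, log text, user text)."""
    action, pattern, rest = line.strip().split(None, 2)
    log_text, user_text = re.split(r"\t+|\s{2,}", rest, maxsplit=1)
    # Assumption: the scanner matches filename patterns case-insensitively.
    return action, re.compile(pattern, re.IGNORECASE), log_text, user_text

def check(filename, rule=RULE):
    """Return (blocked, reason) for one attachment name against the rule."""
    action, regex, log_text, _ = parse_rule(rule)
    if regex.search(filename):
        return action == "deny", log_text
    # No match: work out which part of the pattern the name fails.
    parts = filename.rsplit(".", 2)
    if len(parts) < 3:
        return False, "fewer than two dots"
    middle, last = parts[1].rstrip(), parts[2]
    if not re.fullmatch(r"[a-z0-9]{3}", last, re.I):
        return False, "final extension is not exactly 3 alphanumerics"
    if not re.match(r"[a-z]", middle, re.I):
        return False, "middle part does not start with a letter"
    if not 3 <= len(middle) <= 4:
        return False, "middle part is not 3 or 4 characters long"
    return False, "middle part contains a non-alphanumeric character"

if __name__ == "__main__":
    # Names from the post's tests plus two constructed extras.
    names = ["file.123.pdf", "file.abc.pdf", "file.abcd.pdf",
             "file.ab.pdf", "file.a.pdf", "file.a1b.pdf", "FILE.ABC.PDF"]
    for name in names:
        blocked, reason = check(name)
        print(f"{name:15} {'BLOCKED' if blocked else 'passed':8} {reason}")
```
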
