Blocking of Files with multiple extensions

Stephen Swaney steve.swaney at FSL.COM
Thu Jun 17 17:02:16 IST 2004




> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of User Groups
> Sent: Thursday, June 17, 2004 11:45 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Blocking of Files with multiple extensions
>
> Hi All,
>
> Good Day...
>
> Please bear with us this is a long mail.
>
> We have noticed something very weird on our cobalt RaQ 550 server which
> has mailscanner-4.29.1-1 and clamscan / ClamAV version 0.67 installed.
>
> When users send mails with attachments having multiple extensions some
> files are detected as virus, some are not; it's not consistent.
>
> We did the following tests to verify this and got the results below.
>
> 1. Sent attachments having filename as "file.123.pdf".
> In this message the numbers were used as characters between 2 dots. The
> mailscanner did not block this file.
>
> 2. Sent attachments having filename as "file.abc.pdf" & "file.abcd.pdf".
> In this message the alphabets were used as characters between 2 dots. The
> mailscanner blocked both the files.
>
> 3. Sent attachments with filename as "file.ab.pdf" & "file.a.pdf".
> The mailscanner did not block these files.
>
> The conclusion we reached is mailscanner blocks only those attachments
> which have 3 or 4 alphabets in between 2 dots.
>
> Does this make sense?
>
> Can it be rectified? Is this a known issue?
>
> Our /etc/MailScanner/filename.rules.conf has the following line in it.
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension
>
> What if we remove / comment this line totally? Are we putting our
> customers at a great risk?

My understanding is that the risk is small, but you have several options.

1. You can have different rule sets for incoming and outgoing attachments.
Allow anything or specific files out but more rigorous checking of incoming
files.

2. If you know what specific extensions to pass, you can put an allow rule
before the deny rule. It's my understanding that the first rule matched
wins. For example, if you have a customer that needs to receive WordPerfect
documents that have been opened and saved in MS Word. These documents have an
extension ending with .wpd.doc, so adding:

allow           \.wpd\.doc$             Found WordPerfect - MS file     WordPerfect - MS file

above the:

deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension

line would allow these files through.

Steve,

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney at FSL.com
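As an added example (not code from this thread or from MailScanner itself), a small Python checker that applies a constructed filename.rules.conf fragment in order, first match wins, to the five filenames from the original post. It assumes that MailScanner matches filename rules case-insensitively, that an unmatched name falls through as allowed, and spells the allow regex `\.wpd\.doc$` so that it matches the ".wpd.doc" extension described in the reply.

```python
import re

# Constructed filename.rules.conf fragment (tab-separated fields: action,
# regex, log text, user report). The deny rule is the one quoted in the
# thread; the allow rule is the one suggested in the reply, with the regex
# spelled \.wpd\.doc$ so that it matches the ".wpd.doc" extension described.
RULES_CONF = (
    "# Constructed example rules, not the shipped MailScanner file\n"
    "allow\t\\.wpd\\.doc$\tFound WordPerfect - MS file\tWordPerfect - MS file\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$"
    "\tFound possible filename hiding\tAttempt to hide real filename extension\n"
)


def parse_rules(conf):
    """Parse rule lines into (action, compiled regex, log text, report)."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, regex, logtext, report = line.split("\t", 3)
        # Assumption: MailScanner matches filename rules case-insensitively.
        rules.append((action, re.compile(regex, re.IGNORECASE), logtext, report))
    return rules


def check_filename(name, rules):
    """Apply the rules in order; the first rule whose regex matches wins.
    A name matching no rule is reported as allowed here (assumption: the
    real file ends with a catch-all rule that is not shown in the thread)."""
    for action, rx, logtext, _report in rules:
        if rx.search(name):
            return action, logtext
    return "allow", "no rule matched"


if __name__ == "__main__":
    rules = parse_rules(RULES_CONF)
    # The five names from the original post plus a WordPerfect-in-Word document.
    for name in ["file.123.pdf", "file.abc.pdf", "file.abcd.pdf",
                 "file.ab.pdf", "file.a.pdf", "letter.wpd.doc"]:
        print(f"{name:16} -> {check_filename(name, rules)}")
    # Drop the allow rule to see why its position matters: the deny regex
    # also matches .wpd.doc (w + pd + .doc), so the document would be blocked.
    print("without allow rule:", check_filename("letter.wpd.doc", rules[1:]))
```

The deny regex needs a letter directly after the first dot and then two or three more characters, which is exactly why "file.123.pdf", "file.ab.pdf" and "file.a.pdf" pass while "file.abc.pdf" and "file.abcd.pdf" are caught.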

