Blocking of Files with multiple extensions

Julian Field mailscanner at
Thu Jun 17 17:29:42 IST 2004

At 16:44 17/06/2004, you wrote:
>Hi All,
>Good Day...
>Please bear with us this is a long mail.
>We have noticed something very weird on our Cobalt RaQ 550 server which has
>mailscanner-4.29.1-1 and clamscan / ClamAV version 0.67 installed.
>When users send mails with attachments having multiple extensions some files
>are detected as virus, some are not; it's not consistent.
>We did the following tests to verify this and got the results below.
>1. Sent attachments having filename as  "file.123.pdf "
>In this message the numbers were used as characters between 2 dots. The
>mailscanner did not block this file.
>2. Sent attachments having filename as   ""  & "file.abcd.pdf"
>In this message the alphabets were used  as characters between 2 dots. The
>mailscanner blocked both the files.
>3. Sent attachments with filename as  "file.ab.pdf" & "file.a.pdf"
>The mailscanner did not block these files.
>The conclusion we reached is mailscanner blocks only those attachments which
>have 3 or 4 alphabets in between 2 dots.
>Does this make sense?

Yes, perfect sense. If you analyse the regular expression that is exactly
what it is supposed to do.

>Can it be rectified? Is this a known issue?

It triggers on
a dot,
followed by a letter,
followed by 2 or 3 letters or numbers,
followed by possibly some white space,
followed by a dot,
followed by 3 letters or numbers.

If you don't want it to do that, just change the expression. There are
plenty of good books and sites that will teach you about regular expressions.

>Deny all other double file extensions. This catches any hidden filenames.
>deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding
>         Attempt to hide real filename extension

Julian Field
Professional Support Services at
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
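
The rule discussed in this message, run against the filenames from the tests, as an added example that is not part of the original post or of MailScanner's own code. The `explain` helper and the names marked as constructed are hypothetical, and case-insensitive matching is an assumption.

```python
import re

# Pattern copied from the rule quoted in the thread. Matching without regard
# to case is an assumption of this example.
DOUBLE_EXT = re.compile(r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", re.IGNORECASE)


def explain(filename):
    """Hypothetical helper: return (blocked, reason) for one attachment name."""
    if DOUBLE_EXT.search(filename):
        return True, "matches the double-extension rule"
    parts = filename.rsplit(".", 2)
    if len(parts) < 3:
        return False, "fewer than two dots"
    # \s* in the rule tolerates white space before the last dot
    inner, last = parts[1].rstrip(), parts[2]
    if not re.fullmatch(r"[a-z0-9]{3}", last, re.IGNORECASE):
        return False, "last extension is not exactly 3 letters or digits"
    if not re.match(r"[a-z]", inner, re.IGNORECASE):
        return False, "inner part does not start with a letter"
    if not 3 <= len(inner) <= 4:
        return False, "inner part is not 3 or 4 characters long"
    return False, "inner part contains a character other than a letter or digit"


SAMPLES = [
    "file.123.pdf",       # test 1 in the thread
    "file.abcd.pdf",      # test 2 in the thread
    "file.ab.pdf",        # test 3 in the thread
    "file.a.pdf",         # test 3 in the thread
    "file.abc.pdf",       # constructed: 3-letter inner part
    "invoice.doc  .exe",  # constructed: white space before the last dot
    "report.pdf",         # constructed: single extension
]

if __name__ == "__main__":
    for name in SAMPLES:
        blocked, reason = explain(name)
        print(f"{name!r:22} {'deny ' if blocked else 'allow'} {reason}")
```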
