Blocking of Files with multiple extensions
Julian Field
mailscanner at ecs.soton.ac.uk
Thu Jun 17 17:29:42 IST 2004
At 16:44 17/06/2004, you wrote:
>Hi All,
>
>Good Day...
>
>Please bear with us this is a long mail.
>
>We have noticed something very weird on our Cobalt RaQ 550 server which has
>mailscanner-4.29.1-1 and clamscan / ClamAV version 0.67 installed.
>
>When users send mails with attachments having multiple extensions some files
>are detected as virus, some are not; it's not consistent.
>
>We did the following tests to verify this and got the results below.
>
>1. Sent attachments having filename as "file.123.pdf "
>In this message the numbers were used as characters between 2 dots. The
>mailscanner did not block this file.
>
>2. Sent attachments having filename as "file.abc.pdf" & "file.abcd.pdf"
>In this message the alphabets were used as characters between 2 dots. The
>mailscanner blocked both the files.
>
>3. Sent attachments with filename as "file.ab.pdf" & "file.a.pdf"
>The mailscanner did not block these files.
>
>The conclusion we reached is mailscanner blocks only those attachments which
>have 3 or 4 alphabets in between 2 dots.
>
>Does this make sense?
Yes, perfect sense. If you analyse the regular expression, that is exactly
what it is supposed to do.
>Can it be rectified? Is this a known issue?
It triggers on
a dot,
followed by a letter,
followed by 2 or 3 letters or numbers,
followed by possibly some white space,
followed by a dot,
followed by 3 letters or numbers.
If you don't want it to do that, just change the expression. There are
plenty of good books and sites that will teach you about regular expressions.
>Deny all other double file extensions. This catches any hidden filenames.
>deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
> Attempt to hide real filename extension
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
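
Added example, not part of the original message or of MailScanner's own code: the quoted deny rule run against the five filenames from the poster's tests, with the first element of the pattern each name fails. Tab-separated fields, case-insensitive matching, the helper names and the last two sample filenames are assumptions made for this sketch.

```python
import re

# Rule as quoted in the thread; separating the four fields with tabs is an
# assumption of this sketch (the archive shows them run together with spaces).
RULE_LINE = ("deny\t" r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"
             "\tFound possible filename hiding"
             "\tAttempt to hide real filename extension")

def parse_rule(line):
    """Split a rule line into (action, compiled pattern, log text, user text)."""
    action, pattern, log_text, user_text = line.split("\t")
    # Case-insensitive matching is an assumption of this sketch.
    return action, re.compile(pattern, re.IGNORECASE), log_text, user_text

def verdict(filename, rule):
    """Return the rule's action if its pattern matches, else 'pass'."""
    action, rx, _, _ = rule
    return action if rx.search(filename) else "pass"

def explain(filename):
    """Name the first element of the pattern that the filename fails."""
    parts = filename.split(".")
    if len(parts) < 3:
        return "fewer than two dots"
    inner, last = parts[-2].rstrip(), parts[-1]
    if not re.match(r"[a-z]", inner, re.I):
        return "part between the dots does not start with a letter"
    if not re.fullmatch(r"[a-z][a-z0-9]{2,3}", inner, re.I):
        return "part between the dots is not 3 or 4 letters/digits"
    if not re.fullmatch(r"[a-z0-9]{3}", last, re.I):
        return "final extension is not exactly 3 letters/digits"
    return "every element of the pattern matches"

# First five names are the poster's tests; the last two are constructed.
SAMPLES = ["file.123.pdf", "file.abc.pdf", "file.abcd.pdf", "file.ab.pdf",
           "file.a.pdf", "report.2004.pdf", "notes.txt.pdf"]

def run(samples=SAMPLES):
    rule = parse_rule(RULE_LINE)
    return {name: (verdict(name, rule), explain(name)) for name in samples}

if __name__ == "__main__":
    for name, (action, why) in run().items():
        print(f"{name:16} {action:5} {why}")
```

Running a changed expression through the same list before deploying it shows exactly which legitimate names (dates, version numbers, short tags between dots) it would start or stop blocking.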