Question regarding Filename Rules

Julian Field MailScanner at ecs.soton.ac.uk
Tue Apr 19 17:11:42 IST 2005


As a point of historical note, the only reason I ever put the
double-extension trap rule in there was as an example of a more advanced
type of rule and what could be achieved with it. Every mail gateway
under the sun (even Microsoft's!) allows simple blocking by filename
extension. I wanted to demonstrate that, with MailScanner, you could go
way beyond such simple rules and could implement something that was
potentially very useful. And all in 1 rule.

Alex Neuman van der Hans wrote:

>Excellent points...
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Matt Kettler
>Sent: Tuesday, April 19, 2005 10:31 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Question regarding Filename Rules
>
>Rob Poe wrote:
>
>>I have a client who is requesting that I remove the double extension rule.
>>They are getting files (jokes, at that!) with .htm.html extensions (along
>>with other things) and they want the double extension rule removed.
>>
>>I think this is a bad idea, can anyone give me a better argument than
>>"Because I said" to leave it in place?
>>
>>What are the chances of them being MORE at risk for infection?
>
>Quite frankly, I've got several exceptions to the double-extension rule for
>any "two of same kind" extension cases.
>
>Certainly there's nothing that hides a true file type about .htm.html, or
>about .jpg.jpeg, etc.
>
>I've also got allowances for conversion between extensions that are of the
>same threat level if I allow said file types, i.e. .doc.rtf. If you allow
>.rtf files, and .doc files, there's nothing fishy about a .doc.rtf, other
>than to imply it was run through a conversion tool. I liberally allow many
>extensions MailScanner does not allow by default, so these are acceptable
>here if they pass virus scan.
>
>I lean mostly on my 3 virus scanners to pick up viruses, and not on my
>filename rules, so my rules are pretty liberal.
>
>A sampling of my rules:
>
># allow document format conversions. .wps.doc, .wps.rtf, etc
># in these cases the first extension is of the same threat class as the last extension.
># Unless denied outright above, these are no more threatening when doubled.
>allow   \.wps\.doc$             -       -
>allow   \.wps\.rtf$             -       -
>allow   \.xls\.doc$             -       -
>allow   \.ppt\.doc$             -       -
>
>
>#allow 4 letter extensions with equivalent 3 letter ie: file.html.htm
># note: any 3.4 variants are redundant in my case because of the modified double-extension rule
>allow   \.html\.htm$            -       -
>allow   \.icon\.ico$            -       -
>allow   \.conf\.cfg$            -       -
>allow   \.mpeg\.mpg$            -       -
>
>
>Lastly, I've greatly restricted the scope of the original extension hiding
>rule. Which would have never matched your ".htm.html" in the first place.
>
>I know of no truly malicious file extensions for windows that are 4 letters
>in length, which would be useful to hide as some other extension. Therefore,
>I require that the last extension be 3 characters, not 3-4.
>I also know of no malicious file extensions containing numbers, so I require
>the last extension to be alpha-only.
>
>Finally, there are very few four character extensions worth hiding behind,
>so I only check a few common user-recognizable 4-character extensions for an
>extension hiding after it.
>
># Deny all other double file extensions. This catches any hidden filenames.
>#MEK - made this a bit less generic. Second extension now must be all alpha instead of alphanumeric
># And only certain 4-char extensions are checked for hiding.
>
>#3.3 extension hiding
>deny    \.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$        Found possible filename hiding  Attempt to hide real filename extension
># look for 3 character extension hiding behind innocuous 4-character extension. (selective 4.3)
>deny    \.text\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.jpeg\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.mpeg\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.pict\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.jiff\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.html\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.tiff\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.vrml\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.conf\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.diff\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.java\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.cert\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>deny    \.icon\s*\.[a-z]{3}$    Found possible filename hiding  Attempt to hide real filename extension
>
>------------------------ MailScanner list ------------------------ To
>unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
>archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
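The easiest way to see why Matt's allow rules sit above his deny rules, and why a ".htm.html" name never trips his modified double-extension trap, is to run the rules against some filenames. The script below is an added example, not MailScanner's own code: it parses rules written in the tab-separated filename.rules.conf layout (action, regex, log text, user report text), applies them top to bottom with the first match winning, and classifies a handful of constructed filenames. The regexes are copied from Matt Kettler's post above; everything else (the parser, the assumption that matching is case-insensitive, and the assumption that a filename matching no rule is allowed) is this example's own.

```python
import re
from typing import NamedTuple, Optional

# Added example, not MailScanner's own code. Assumptions: rules are read in
# filename.rules.conf layout (action <TAB> regex <TAB> log text <TAB> user
# report text), evaluated top to bottom with the first match winning, the
# regex is matched case-insensitively, and a filename that matches no rule
# is allowed. The regexes come from Matt Kettler's post; the filenames
# classified at the bottom are constructed samples.


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    pattern: re.Pattern    # compiled regex applied to the attachment filename
    log_text: str          # text for the MailScanner log; "-" means none
    user_text: str         # text for the recipient report; "-" means none


# Constructed rules file fragment (tabs written as \t so the layout is explicit).
RULES_TEXT = (
    "# allow document format conversions: the first extension is of the same\n"
    "# threat class as the last, so the doubled form is no more threatening\n"
    "allow\t\\.wps\\.doc$\t-\t-\n"
    "allow\t\\.xls\\.doc$\t-\t-\n"
    "# allow 4-letter extensions paired with their 3-letter equivalent\n"
    "allow\t\\.html\\.htm$\t-\t-\n"
    "allow\t\\.mpeg\\.mpg$\t-\t-\n"
    "# 3.3 extension hiding: a 3-char extension followed by a 3-letter one\n"
    "deny\t\\.[a-z][a-z0-9]{2}\\s*\\.[a-z]{3}$"
    "\tFound possible filename hiding\tAttempt to hide real filename extension\n"
    "# selective 4.3: a 3-letter extension hiding behind an innocuous 4-char one\n"
    "deny\t\\.jpeg\\s*\\.[a-z]{3}$"
    "\tFound possible filename hiding\tAttempt to hide real filename extension\n"
    "deny\t\\.html\\s*\\.[a-z]{3}$"
    "\tFound possible filename hiding\tAttempt to hide real filename extension\n"
)


def parse_rules(text: str) -> list[Rule]:
    """Parse rules in filename.rules.conf layout; blank and '#' lines are skipped."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, regex, log_text, user_text = fields
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE),
                          log_text, user_text))
    return rules


def first_match(filename: str, rules: list[Rule]) -> Optional[Rule]:
    """Return the first rule whose regex matches the filename, or None."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


def verdict(filename: str, rules: list[Rule]) -> str:
    """'allow' or 'deny'; a filename matching no rule is allowed (assumed default)."""
    rule = first_match(filename, rules)
    return rule.action if rule else "allow"


if __name__ == "__main__":
    loaded = parse_rules(RULES_TEXT)
    # Constructed sample attachment names, not taken from any real message.
    samples = ["joke.htm.html", "report.wps.doc", "file.html.htm",
               "notes.txt.exe", "photo.jpeg.scr", "Photo.JPEG.SCR",
               "archive.tar.gz"]
    for name in samples:
        hit = first_match(name, loaded)
        why = hit.pattern.pattern if hit else "no rule matched"
        print(f"{name:16s} {verdict(name, loaded):5s}  ({why})")
```

Two things the run makes visible. The explicit allow for `\.html\.htm$` has to precede the selective 4.3 deny for `\.html\s*\.[a-z]{3}$`, because that deny also matches "file.html.htm"; reverse the order and the conversion is blocked. And "joke.htm.html" and "archive.tar.gz" fall through untouched, since the 3.3 rule requires the final extension to be exactly three letters, which is the point Matt makes about the original complaint.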
