Checking Suspected E-Mails

Matt Kettler mkettler at evi-inc.com
Mon Jun 19 18:11:10 IST 2006


Kaplan, Andrew H. wrote:
> Hi there –
>
> One of the users of our server received several e-mails indicating that a
> "Bad Filename was Detected". The e-mails in question were resumes that
> were sent to him from a recruiting company. The user has asked if there
> is a way to determine if the e-mails are truly suspect.

Odds are, they're not.

By default filename.rules.conf will flag damn near anything with what it thinks
is a double extension. Unfortunately a large number of folks use dots instead of
spaces or underscores so we get things like:

Resume.Lastname.bob.doc

and that gets flagged.

Since our company is a three-letter acronym we also get a lot of things like:
(whatever).quote.evi.doc

which also gets flagged.

And a lot of "converted" files get flagged:

sales_data.xls.doc


> What would be the best way to determine this? Thanks.

Take a look at the filename and try to figure out which filename rule it matched
out of filename.rules.conf.


For what it's worth, I use a much more liberal set of rules to replace the stock
double-extension rules out of filename.rules.conf. I've attached these for
anyone who might like to use them...

However, beware, my rules are more liberal, and you're increasing the chances of
a new unknown virus getting by your system.

Most of this should be common-sense and innocuous, but I suggest reading them
carefully and understanding what they do before merging into your config.





-------------- next part --------------
#######################################
# Exceptions to the double-extension rules:
#######################################

#stock mailscanner rule:
# Allow repeated file extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-

#allow .com.extension, as this hides nothing
# i.e. google.com.doc is OK
# even if it was truncated, it would still look like an executable

allow	\.com\.[a-z0-9]{3}$	-	-

#ditto for .net and .org web-style domains
allow	\.net\.[a-z0-9]{3}$	-	-
allow	\.org\.[a-z0-9]{3}$	-	-
# I don't know what this is, but one outside sender always does ".pro.doc"
# I'm allowing it because it doesn't obscure the extension as a well-known 
# "safe" extension type
allow	\.pro\.[a-z0-9]{3}$	-	-


# allow document format conversions. .wps.doc, .wps.rtf, etc
# in these cases the first extension is of the same threat class as the last extension.
# Unless denied outright above, these are no more threatening when doubled.
# note - absolute allow on .txt avoids the need for .doc.txt, etc.

allow	\.wps\.doc$	-	-
allow	\.wps\.rtf$	-	-
allow	\.xls\.doc$	-	-
allow	\.ppt\.doc$	-	-
allow	\.doc\.w[a-z0-9]{2}$	-	-
allow	\.doc\.xls$	-	-

# anchored to the end of the name like the rules above, so the allow
# cannot match a name that has yet another extension after .avi/.mpg
allow	\.mpg\.avi$	-	-
allow	\.mpeg\.avi$	-	-
allow	\.avi\.mpg$	-	-

#image conversions don't need to be listed, I have absolute
# allows on .jpg, .gif, .png, etc that would take precedence

#dBase (.dbf) files renamed mdb are ok (dot escaped; an unescaped dot
# would match any character here)
allow	\.dbf\.mdb$	-	-

#allow 4 letter extensions with equivalent 3 letter ie: file.html.htm
# note: any 3.4 variants are redundant in my case because of the modified double-extension rule
allow	\.html\.htm$	-	-
allow	\.icon\.ico$	-	-
allow	\.conf\.cfg$	-	-
allow	\.mpeg\.mpg$	-	-
allow	\.mpg\.mpe$	-	-
allow	\.mpeg\.mpe$	-	-



# allow "test.sp1.exe" and the like
allow	\.sp[0-9]\.[a-z]{3}$	-	-

# Deny most other double file extensions. This catches any hidden filenames.
#MEK - made this a bit less generic. Second extension now must be
# all alpha instead of alphanumeric
# And only certain 4-char extensions are checked for hiding.



#3.3 extension hiding
deny	\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
# look for 3 character extension hiding behind innocuous 4-character extension. (selective 4.3)
deny	\.text\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.jpeg\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.mpeg\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.pict\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.jiff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.html\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.tiff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.vrml\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.conf\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.diff\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.java\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.cert\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.icon\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
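As an added example (not part of Matt's post or MailScanner's own code): a small Python checker that reads rules in the filename.rules.conf column format and reports the first rule a filename matches, which is the "figure out which rule it matched" step suggested above. It assumes MailScanner's first-match-wins, case-insensitive matching; the embedded rule text is an excerpt of the attachment, ordered allow-then-deny as posted.

```python
import re
from typing import NamedTuple, Optional

# Excerpt of the rules posted above; allow exceptions precede the deny rules,
# exactly as in the attachment. Columns: action, regex, log text, user report.
RULES_TEXT = r"""
# stock rule: repeated extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-
allow	\.com\.[a-z0-9]{3}$	-	-
allow	\.xls\.doc$	-	-
allow	\.html\.htm$	-	-
deny	\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
deny	\.text\s*\.[a-z]{3}$	Found possible filename hiding	Attempt to hide real filename extension
"""


class Rule(NamedTuple):
    action: str       # "allow" or "deny"
    pattern: str      # regex exactly as written in the rules file
    log_text: str     # third column; "-" on allow rules
    regex: re.Pattern


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines; fields are tab separated (runs of spaces tolerated),
    comments and blank lines are skipped. Matching is case-insensitive,
    which is assumed to mirror MailScanner's behaviour."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+|\s{2,}", line, maxsplit=3)
        action, pattern = fields[0].lower(), fields[1]
        log_text = fields[2] if len(fields) > 2 else "-"
        rules.append(Rule(action, pattern, log_text, re.compile(pattern, re.IGNORECASE)))
    return rules


def explain(filename: str, rules: list[Rule]) -> Optional[Rule]:
    """Return the first rule whose regex matches (first match wins);
    None means no double-extension rule fired for this name."""
    for rule in rules:
        if rule.regex.search(filename):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # constructed sample names, including the ones discussed in the post
    for name in ["Resume.Lastname.bob.doc", "sales_data.xls.doc", "google.com.doc",
                 "readme.text.scr", "memo.doc   .exe", "quarterly_report.doc"]:
        hit = explain(name, rules)
        print(f"{name:28} -> {'no rule' if hit is None else hit.action + ' via ' + hit.pattern}")
```

Running it shows that Resume.Lastname.bob.doc is still caught by the 3.3 deny rule even with these exceptions, while sales_data.xls.doc and google.com.doc are let through by their explicit allows.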

