Why is this a hidden filename extension?

Robert Lopez rlopezcnm at gmail.com
Fri Sep 18 18:43:08 IST 2009


Report: MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc)

The above was a file name used by a college attorney, and the email
was blocked. So it is a hot issue at the moment.

The file command returns

Microsoft Office Document Microsoft Word Document

for the magic type so the content appears to match the extension.


I only see two deny rules in filename.rules.conf that seem to be
focused on file type vs. extension:

# Deny filenames containing CLSID's
deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type   Files containing CLSID's are trying to hide their real type

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding   Attempt to hide real filename extension

and there is also the white space rule

# Deny filenames with lots of contiguous white space in them.
deny    \s{10,}         Filename contains lots of white space   A long gap in a name is often used to hide part of it

but this filename does not match any of them to my understanding.

What rule might have been matched?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
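A way to reproduce the poster's check against the three quoted rules, as an added example (Python, not MailScanner's own code): it parses the rules in the tab-separated filename.rules.conf layout and applies them to the blocked name as received and to its URL-decoded form (%26 is "&"). The rule file layout, case-insensitive matching and first-match-wins ordering are assumptions here, not taken from the post.

```python
import re
import urllib.parse

# Constructed excerpt in filename.rules.conf layout (assumed tab-separated
# fields: action, regex, log text, user report text). The three rules are the
# ones quoted in the post; everything else about the file is reconstructed.
RULES_CONF = (
    "# Deny filenames containing CLSID's\n"
    "deny\t\\{[a-hA-H0-9-]{25,}\\}\tFilename trying to hide its real type"
    "\tFiles containing CLSID's are trying to hide their real type\n"
    "# Deny all other double file extensions. This catches any hidden filenames.\n"
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding"
    "\tAttempt to hide real filename extension\n"
    "# Deny filenames with lots of contiguous white space in them.\n"
    "deny\t\\s{10,}\tFilename contains lots of white space"
    "\tA long gap in a name is often used to hide part of it\n"
)

def parse_rules(conf_text):
    """Parse rule lines into (action, compiled regex, log text, report text)."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        action, pattern, log_text = fields[0].lower(), fields[1], fields[2]
        report_text = fields[3] if len(fields) > 3 else log_text
        # Assumption: filename rules are matched case-insensitively.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, report_text))
    return rules

def first_match(rules, filename):
    """Return (action, log text) of the first rule that matches, else None.
    Assumption: rules are evaluated top to bottom and the first hit decides."""
    for action, regex, log_text, _report in rules:
        if regex.search(filename):
            return action, log_text
    return None

def check_attachment(rules, filename):
    """Test the name as received and, since %26 is URL encoding for '&',
    its decoded form too; returns {form: first_match or None}."""
    decoded = urllib.parse.unquote(filename)
    results = {filename: first_match(rules, filename)}
    if decoded != filename:
        results[decoded] = first_match(rules, decoded)
    return results
```

Run against "Motion %26 Order.doc", neither form matches any of the three quoted rules, while a genuine double extension such as "Motion.txt .doc" is caught by the second rule; the blocked name must have tripped a rule or check outside this excerpt.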

