Double File extension
Antony Stone
Antony.Stone at mailscanner.open.source.it
Mon Jan 20 16:21:07 GMT 2014
On Monday 20 January 2014 at 16:41:30, Rick Cooper wrote:
> Johan Hendriks wrote:
> > Hello all.
> >
> > I have mailscanner running and it all works quite well.
> > The only thing I encounter is that people use a lot of (.) in their
> > files, and this triggers the deny rule of multiple extensions.
> >
> > Is there a way to only check the last two extensions, and only block
> > if both are three characters long?
>
> An expression like .*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$
>
> Would block double extensions where the final extension is executable so
> doc.jan.xls would not trigger but doc.jan.xls.exe would. Of course you
> still have to block executables within archives because renaming
> doc.jan.exe to doc.jan.txt would defeat the filename rules. And you would
> also have to decide what extensions to block because maybe you don't care
> about .msi files or shortcuts.

I would not block on filename (because of examples such as given previously -
document.jan.doc etc), but on content.

Use MailScanner's built-in and plug-in content scanning facilities to block
executable content, malicious content, and inappropriate filetypes for your
organisation, and let the users (or more often the people sending stuff to your
users) choose whatever filenames they like.

I don't have an example to hand, but I'm sure there must be examples of
legitimate filenames with two 3-letter extensions, both of which appear on the
list of "dangerous" extensions, simply because the document creator doesn't
think about what Windows considers to be "executable".
Regards,
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
Please reply to the list;
please don't CC me.
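
Added example, not part of the original post and not MailScanner's own code: the expression quoted above run against constructed filenames, next to a minimal content check, to show where the filename rule and the content approach disagree. The function names, the case-insensitive flag and the PE magic-byte test (a stand-in for real content scanning) are assumptions made for this illustration.

```python
import re

# Expression quoted in the thread. Case-insensitive matching is an assumption
# added here; the thread does not say how case is handled.
DOUBLE_EXT_EXEC = re.compile(
    r".*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$",
    re.IGNORECASE,
)


def filename_flagged(name: str) -> bool:
    """True when the name has at least two dots and ends in a listed extension."""
    return DOUBLE_EXT_EXEC.match(name) is not None


def looks_like_pe(data: bytes) -> bool:
    """Content check: 'MZ' stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def verdict(name: str, data: bytes) -> str:
    """Content decides first; the filename rule is only a secondary signal."""
    if looks_like_pe(data):
        return "block (executable content)"
    if filename_flagged(name):
        return "block (filename rule)"
    return "allow"


# Constructed sample data: a 68-byte stub with only the PE magic values, and plain text.
FAKE_PE = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
TEXT = b"Quarterly figures attached.\n"

SAMPLES = [
    ("doc.jan.xls", TEXT),       # many dots, harmless: allowed
    ("doc.jan.xls.exe", TEXT),   # caught by the filename rule
    ("setup.exe", FAKE_PE),      # single extension: the expression alone misses it
    ("doc.jan.txt", FAKE_PE),    # renamed executable: only the content check sees it
    ("notes.v2.com", TEXT),      # text file with an unlucky name: filename false positive
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:18} regex={filename_flagged(name)!s:5} -> {verdict(name, data)}")
```

The expression requires two dots, so it says nothing about a plain single-extension executable; that case needs its own rule or the content check.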