Double File extension
joh.hendriks at gmail.com
Tue Jan 21 14:04:08 GMT 2014
Antony Stone schreef:
> On Monday 20 January 2014 at 16:41:30, Rick Cooper wrote:
>> Johan Hendriks wrote:
>>> Hello all.
>>> I have mailscanner running and it all works quite well.
>>> The only thing i encounter is that people use a lot of (.) in there
>>> files, and this triggers the deny rule of multiple extensions.
>>> Is there a way to only check the last two extensions, and only block
>>> if both are three caracters long?
>> An express like .*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$
>> Would block double extensions where the final extension is executable so
>> doc.jan.xls would not trigger but doc.jan.xls.exe would. Of course you
>> still have to block executables within archives because renaming
>> doc.jan.exe to doc.jan.txt would defeat the filename rules. And you would
>> also have to decide what extensions to block because maybe you don't care
>> about .msi files or shortcuts
> I would not block on filename (because of examples such as given previously -
> document.jan.doc etc), but on content.
> Use MailScanner's built-in and plug-in content scanning facilities to block
> executable content, malicious content, and inappropriate filetypes for you
> organisation, and let the users (or more often the people sending stuff to your
> users) choose whatever filenames they like.
> I don't have an example to hand, but I'm sure there must be examples of
> legitimate filenames with two 3-letter extensions, both of which appear on the
> list of "dangerous" extensions, simply because the document creator doesn't
> think about what Windows considers to be "executable".
Thank you all for the reply's i am going to try some of the given options!
More information about the MailScanner