Mark Sapiro mark at
Wed Oct 9 00:50:39 UTC 2019

On 10/8/19 1:14 PM, Kevin Miller wrote:
> I've recently set up dmarc and have been getting reports that often have multiple extensions.  I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.
> MailScanner sends this:
>   Report: MailScanner: Attempt to hide real filename extension (
> although the real filename is found in this mail.log entry:
>   Oct  8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939!!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)
> This file is actually contained in 
> for whatever that's worth.

If it's in a .zip or other archive, you need to pot the rules in

> Entries I've tried in filename.rules.conf are:
>   allow   \.xml$  -       -
>   allow   \*\.com*\.xml$  -       -
>   allow   \*\.com*\.zip$  -       -
> as well as entries without the "*"
> So how does one all these through?

you want

allow	.*\.com\.xml$	-	-

and you want it before

deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename
hiding	Attempt to hide real filename extension

I'm not sure if the '.*' is required, but it definitely should not be '\*'.

Or you can use the MailScanner configuration settings

Allow Filenames = \.com\.xml$

which I think works for archives. See

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list