Filename.rules.conf
Mark Sapiro
mark at msapiro.net
Wed Oct 9 00:50:39 UTC 2019
On 10/8/19 1:14 PM, Kevin Miller wrote:
> I've recently set up dmarc and have been getting reports that often have multiple extensions. I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.
>
> MailScanner sends this:
> Report: MailScanner: Attempt to hide real filename extension (1emailsrvr.com.xml)
> although the real filename is found in this mail.log entry:
> Oct 8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939 emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)
>
> This file is actually contained in
> emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.zip
> for whatever that's worth.
If it's in a .zip or other archive, you need to put the rules in
archives.filename.rules.conf
> Entries I've tried in filename.rules.conf are:
> allow \.xml$ - -
> allow \*\.com*\.xml$ - -
> allow \*\.com*\.zip$ - -
> as well as entries without the "*"
>
> So how does one allow these through?
you want
allow .*\.com\.xml$ - -
and you want it before
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
I'm not sure if the '.*' is required, but it definitely should not be '\*'.
Or you can use the MailScanner configuration settings
Allow Filenames = \.com\.xml$
which I think works for archives. See
<https://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Filenames>.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
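
The ordering and escaping points in the reply above can be checked with a small first-match evaluator. This is an added example, not code from the post or from MailScanner; it is a simplified model that assumes the first matching rule decides, that patterns are matched case-insensitively, and that unmatched names are allowed. The helper names `parse_rules` and `decide` are hypothetical.

```python
import re

# The deny rule quoted in the reply and the allow rule it recommends.
DENY = r"deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding"
ALLOW = r"allow .*\.com\.xml$ - -"
# One of the entries from the question, with '\*' (a literal asterisk).
ALLOW_LITERAL_STAR = r"allow \*\.com*\.xml$ - -"


def parse_rules(lines):
    """Split each rule into (action, compiled regex); skip blanks and comments."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first two fields matter here; the rest is report text.
        action, pattern = line.split(None, 2)[:2]
        # Assumption: patterns are matched case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE)))
    return rules


def decide(filename, lines, default="allow"):
    """Return (action, pattern) of the first matching rule (first match wins)."""
    for action, regex in parse_rules(lines):
        if regex.search(filename):
            return action, regex.pattern
    # Assumption: a name that matches no rule is allowed.
    return default, None


# Constructed input: the name shown in the MailScanner report on this page.
NAME = "1emailsrvr.com.xml"

if __name__ == "__main__":
    orderings = {
        "deny first, allow after": [DENY, ALLOW],
        "allow first, deny after": [ALLOW, DENY],
        "literal-star allow first": [ALLOW_LITERAL_STAR, DENY],
    }
    for label, rules in orderings.items():
        print(f"{label:26} -> {decide(NAME, rules)}")
```

The third ordering still ends in a deny because `\*` only matches a name that contains an actual asterisk, so the allow entry is skipped and the deny rule is the first match.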