Filename.rules.conf

Kevin Miller kevin.miller at juneau.org
Wed Oct 9 17:28:20 UTC 2019


Thanks Mark.
Totally spaced the archives.filename.rules.conf - that was the ticket.  I had to expand the regex a bit as follows:
  allow   *\.com*\.xml$           -       -
to allow for the series of characters before and after .com but before .xml but that was easy enough once I took the quarter you sent and bought a clue! :-)

Appreciate the help.  Now to figure out how to parse/manage the flood of dmarc reports coming in...

-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday, October 8, 2019 4:51 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Filename.rules.conf


On 10/8/19 1:14 PM, Kevin Miller wrote:
> I've recently set up dmarc and have been getting reports that often have multiple extensions.  I've tried messing with the filename.rules.conf entries to allow some of them through but so far I haven't found the magic combination to do so.
>
> MailScanner sends this:
>   Report: MailScanner: Attempt to hide real filename extension (1emailsrvr.com.xml)
> although the real filename is found in this mail.log entry:
>   Oct  8 11:47:05 mxt MailScanner[43737]: Filename Checks: Found possible filename hiding (E0CFA1001B6.AE939 emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.xml)
>
> This file is actually contained in
>   emailsrvr.com!juneau.org!1569974400!1570060800!e0c093e8-0e44-4ac4-9ce8-c9cac0aa676c.zip
> for whatever that's worth.


If it's in a .zip or other archive, you need to put the rules in archives.filename.rules.conf.


> Entries I've tried in filename.rules.conf are:
>   allow   \.xml$  -       -
>   allow   \*\.com*\.xml$  -       -
>   allow   \*\.com*\.zip$  -       -
> as well as entries without the "*"
>
> So how does one allow these through?


you want

allow   .*\.com\.xml$   -       -

and you want it before

deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding  Attempt to hide real filename extension


I'm not sure if the '.*' is required, but it definitely should not be '\*'.

Or you can use the MailScanner configuration settings

Allow Filenames = \.com\.xml$

which I think works for archives. See
<https://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Filenames>.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
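
The rule ordering and the '\*' versus '.*' point from the thread above, as an added example that is not part of either poster's message and is not MailScanner code. It is a small Python model that assumes rules are checked top to bottom with the first match winning, and that matching is unanchored and case-insensitive; "invoice.pdf.exe" and "report.xml" are constructed sample names.

```python
import re

# Constructed rule sets in filename.rules.conf layout: action, regex, log text,
# report text. Assumption: fields are split on tabs or runs of 2+ spaces.
DENY_RULE = (r"deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   "
             "Found possible filename hiding  Attempt to hide real filename extension")
ALLOW_RULE = r"allow   .*\.com\.xml$   -       -"
ALLOW_FIRST = ALLOW_RULE + "\n" + DENY_RULE      # order suggested in the reply
DENY_FIRST = DENY_RULE + "\n" + ALLOW_RULE       # allow rule placed too late
ESCAPED_STAR = r"allow   \*\.com*\.xml$  -       -" + "\n" + DENY_RULE


def parse_rules(text):
    """Return [(action, compiled_regex, log_text)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, log_text, _report = re.split(r"\t+| {2,}", line, maxsplit=3)
        # Assumption: matching is unanchored and case-insensitive.
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text))
    return rules


def decide(text, filename):
    """First matching rule wins; None means no rule in the set matched."""
    for action, regex, _log in parse_rules(text):
        if regex.search(filename):
            return action
    return None


if __name__ == "__main__":
    name = "1emailsrvr.com.xml"  # the name shown in the MailScanner report
    for label, ruleset in [("allow first", ALLOW_FIRST),
                           ("deny first", DENY_FIRST),
                           ("escaped star", ESCAPED_STAR)]:
        print(f"{label:13} {name} -> {decide(ruleset, name)}")
    # Constructed double-extension name: still caught with the allow rule in place.
    print(f"{'allow first':13} invoice.pdf.exe -> {decide(ALLOW_FIRST, 'invoice.pdf.exe')}")
```

In this model the '\*' rule never matches because it requires a literal asterisk in the name, so the later deny rule decides.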
