Filename.rules.conf

Kevin Miller kevin.miller at juneau.org
Sat Oct 26 00:11:44 UTC 2019


> These are regexps, not globs. Mailscanner recognizes this common error and converts a leading * to .*, 
> but not others, so *\.com*\.xml$ will match names ending with '.com.xml', '.comm.xml', '.commm.xml',
> etc, but not, e.g. '.comic.xml'.

> you want '.*\.com[^.]*\.xml' to match names ending with .com followed by zero or more non-dots followed by .xml.

The regex is working fine for the most part, but I had to add this one with \.gz$ on the end to catch additional entries:
  .*\.com[^.]*\.xml\.gz$

For some reason it stumbles on this filename:
  rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz

I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
  .*\.com[^.]*\.xml\.gz$
And the filename for the test string.
It reports a "Full match".

But MailScanner still stumbles on it and replaces the attachment with the text warning:
"This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "rocketmail.com.gz"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

At Fri Oct 25 12:05:03 2019 the virus scanner said:
   MailScanner: Executable DOS/Windows programs are dangerous in email (nrocketmail.com)"

The allow line is well above these lines:
  deny    \.com$          Windows/DOS Executable                                                        Executable DOS/Windows programs are dangerous in email
  deny    \.exe$          Windows/DOS Executable                                                          Executable DOS/Windows programs are dangerous in email
and I do have tabs, not spaces in the all rules.

File doesn't recognize it as an executable; it's definitely the name that's tripping it up.
mkm at mis-mkm-lnx:~/Downloads$ file rocketmail.com\!jnuairport.com\!1571875200\!1571961599.xml.gz 
rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz: gzip compressed data, last modified: Fri Oct 25 04:30:42 2019, from Unix, original size 1078

Similar files are making it through, such as:
  yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz

I thought it might be having .com in the name twice, so added this rule:
  allow  .*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$
to no avail (it also passes on regex101.com).

Any help appreciated!  

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
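
Added example, not part of the original post and not MailScanner code: a minimal first-match evaluator for the three rules quoted in the message, run over the names that appear in it (the full attachment name, the similar yahoo.com name, and the two names printed in the warning text). It assumes the first matching rule decides, that matching is case-insensitive, and that Python's `re` stands in for MailScanner's Perl regexes; the `-` fields on the allow line are constructed placeholders.

```python
import re

EXE_TEXT = "Executable DOS/Windows programs are dangerous in email"
# Rules from the post, in file order; fields joined with tabs as the file requires.
# The "-" log/report fields on the allow line are constructed placeholders.
RULES_TEXT = "\n".join("\t".join(f) for f in [
    ("allow", r".*\.com[^.]*\.xml\.gz$", "-", "-"),
    ("deny", r"\.com$", "Windows/DOS Executable", EXE_TEXT),
    ("deny", r"\.exe$", "Windows/DOS Executable", EXE_TEXT),
])

# Names taken verbatim from the post.
NAMES = [
    "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz",  # attachment
    "yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz",      # similar file
    "rocketmail.com.gz",   # name shown in the replacement warning
    "nrocketmail.com",     # name shown in the scanner report line
]

def parse_rules(text):
    """Parse 'action<TAB>regex<TAB>log text<TAB>user text' lines."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: fields must be tab-separated")
        fields = [f for f in re.split(r"\t+", line.strip()) if f]
        rules.append((lineno, fields[0].lower(), re.compile(fields[1], re.I)))
    return rules

def first_match(rules, name):
    """Return (action, rule line) of the first rule whose regex matches name."""
    for lineno, action, rx in rules:
        if rx.search(name):
            return action, lineno
    return "no-match", None

def report(names=NAMES, text=RULES_TEXT):
    rules = parse_rules(text)
    return {name: first_match(rules, name) for name in names}

if __name__ == "__main__":
    for name, (action, lineno) in report().items():
        print(f"{action:9} rule={lineno}  {name}")
```

With these rules only the full attachment name reaches the allow line; the name printed in the scanner report hits `deny \.com$`, and the other two names match none of the three rules.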
