Mark Sapiro mark at
Sat Oct 26 00:59:04 UTC 2019

On 10/25/19 5:11 PM, Kevin Miller wrote:
> The regex is working fine for the most part, but I had to add this one with \.gz$ on the end to catch additional entries:
>   .*\.com[^.]*\.xml\.gz$

Or you could just use the single regexp

which will match anything followed by '.com' followed by 0 or more non
dots followed by '.xml' and either ending there or followed by '.gz'.

> For some reason it stumbles on this filename:
> I wanted to try to debug why, so I went to and for the regex entered:
>   .*\.com[^.]*\.xml\.gz$
> And the filename for the test string
> It reports a "Full match"

As you see, your regexp matches that name, but

> But MailScanner still stumbles on it and replaces the attachment with the text warning:
> "This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment ""
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.

MailScanner says the name it's looking at is "" without
the .xml.

What are the headers of all the sub-parts of the message? You should be
able to find the message in MailScanner's quarantine.

> At Fri Oct 25 12:05:03 2019 the virus scanner said:
>    MailScanner: Executable DOS/Windows programs are dangerous in email ("
> The allow line is well above these lines:
>   deny    \.com$          Windows/DOS Executable                                                        Executable DOS/Windows programs are dangerous in email
>   deny    \.exe$          Windows/DOS Executable                                                          Executable DOS/Windows programs are dangerous in email
> and I do have tabs, not spaces in all the rules.

but the allow line doesn't match "" which seems to be
the name MailScanner is looking at.

> File doesn't recognize it as an executable; it's definitely the name that's tripping it up.
> mkm at mis-mkm-lnx:~/Downloads$ file\!\!1571875200\!1571961599.xml.gz 
>!!1571875200!1571961599.xml.gz: gzip compressed data, last modified: Fri Oct 25 04:30:42 2019, from Unix, original size 1078

The results from `file` are only relevant for file type rules, not file
name rules.

> Similar files are making it through, such as:
> I thought it might be having .com in the name twice, so added this rule:
>   allow  .*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$
> to no avail (it also passes on

Again, the name MailScanner is rejecting is "". To
understand why, we need to see all the MIME part headers from the message.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
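
The point made in this reply, as an added example that is not part of the original thread and is not MailScanner's code: a first-match evaluation of the three rules quoted above against a full attachment name and against the same name cut off before `.xml.gz`. The file names are constructed; the `-` fields on the allow line, the tab handling and the default when no rule matches are assumptions.

```python
import re

# Rule lines as quoted in the thread: action<TAB>regex<TAB>log text<TAB>user report.
# The "-" fields on the allow line are an assumption; the thread shows only its regex.
REPORT = "Executable DOS/Windows programs are dangerous in email"
RULES_TEXT = "\n".join([
    "allow\t.*\\.com[^.]*\\.xml\\.gz$\t-\t-",
    "deny\t\\.com$\tWindows/DOS Executable\t" + REPORT,
    "deny\t\\.exe$\tWindows/DOS Executable\t" + REPORT,
])

def parse_rules(text):
    """Parse tab-separated rule lines into (action, compiled regex, report)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Assumption: a run of tabs counts as one separator.
        fields = [f for f in line.split("\t") if f]
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        rules.append((fields[0], re.compile(fields[1]), fields[3]))
    return rules

def first_match(rules, name):
    """Return (action, pattern) of the first rule whose regex matches name."""
    for action, regex, _report in rules:
        if regex.search(name):
            return action, regex.pattern
    return "allow", None  # assumption: a name no rule matches is passed

# Constructed names: the full attachment name, and the same name cut off
# before ".xml.gz", standing in for the shorter name the warning reports.
FULL = "receiver.example.com!sender.example.com!1571875200!1571961599.xml.gz"
CUT = "receiver.example.com!sender.example.com"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in (FULL, CUT):
        print(first_match(rules, name), name)
```

A regex tester fed the full name only exercises the first case; the second shows why the name taken from the MIME part headers is the one that has to be tested.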
