Filename.rules.conf

Mark Sapiro mark at msapiro.net
Sat Oct 26 00:59:04 UTC 2019


On 10/25/19 5:11 PM, Kevin Miller wrote:
> 
> The regex is working fine for the most part, but I had to add this one with \.gz$ on the end to catch additional entries:
>   .*\.com[^.]*\.xml\.gz$


Or you could just use the single regexp
 .*\.com[^.]*\.xml(\.gz)?$

which will match anything followed by '.com' followed by 0 or more non
dots followed by '.xml' and either ending there or followed by '.gz'.


> For some reason it stumbles on this filename:
>   rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz
> 
> I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
>   .*\.com[^.]*\.xml\.gz$
> And the filename for the test string
> It reports a "Full match"


As you see, your regexp matches that name, but


> But MailScanner still stumbles on it and replaces the attachment with the text warning:
> "This is a message from the MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail attachment "rocketmail.com.gz"
> is on the list of unacceptable attachments for this site and has been
> replaced by this warning message.


Mailscanner says the name it's looking at is "rocketmail.com.gz" without
the .xml.

What are the headers of all the sub-parts of the message? You should be
able to find the message in MailScanner's quarantine.


> At Fri Oct 25 12:05:03 2019 the virus scanner said:
>    MailScanner: Executable DOS/Windows programs are dangerous in email (nrocketmail.com)"
> 
> The allow line is well above these lines:
>   deny    \.com$          Windows/DOS Executable                                                        Executable DOS/Windows programs are dangerous in email
>   deny    \.exe$          Windows/DOS Executable                                                          Executable DOS/Windows programs are dangerous in email
> and I do have tabs, not spaces in the all rules.


but the allow line doesn't match "rocketmail.com.gz" which seems to be
the name MailScanner is looking at.


> File doesn't recognize it as an executable; it's definitely the name that's tripping it up.
> mkm at mis-mkm-lnx:~/Downloads$ file rocketmail.com\!jnuairport.com\!1571875200\!1571961599.xml.gz 
> rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz: gzip compressed data, last modified: Fri Oct 25 04:30:42 2019, from Unix, original size 1078


The results from `file` are only relevant for file type rules, not file
name rules.


> Similar files are making it through, such as:
>   yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz
> 
> I thought it might be having .com in the name twice, so added this rule:
>   allow  .*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$
> to no avail (it also passes on regex101.com).


Again, the name MailScanner is rejecting is "rocketmail.com.gz". To
understand why, we need to see all the MIME part headers from the message.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
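An added example, not code from either poster or from MailScanner itself, that replays the thread's rules against the names it discusses. It assumes filename.rules.conf semantics of first-match-wins in file order with case-insensitive regexps, and uses Python's `re` in place of Perl, which is fine for these simple patterns; the rule table below is constructed from the lines quoted above.

```python
import re

# Constructed rule table in filename.rules.conf order (first match wins).
# The allow line uses Mark's combined regexp; the two deny lines are the
# ones quoted in the thread. Fields: action, regexp, log text.
RULES = [
    ("allow", r".*\.com[^.]*\.xml(\.gz)?$", "allowed XML report"),
    ("deny", r"\.com$", "Executable DOS/Windows programs are dangerous in email"),
    ("deny", r"\.exe$", "Executable DOS/Windows programs are dangerous in email"),
]


def evaluate(filename, rules=RULES):
    """Return (action, log text) for the first rule whose regexp matches.

    Assumption: rules are tried in file order and the first match wins; a
    name matching nothing falls through to ("allow", "no rule matched").
    re.IGNORECASE mirrors case-insensitive matching (also an assumption
    about the real MailScanner implementation).
    """
    for action, pattern, log_text in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, log_text
    return "allow", "no rule matched"


def explain(filename, rules=RULES):
    """Map each rule's regexp to whether it matches, to show which line fires."""
    return {pattern: bool(re.search(pattern, filename, re.IGNORECASE))
            for _, pattern, _ in rules}


if __name__ == "__main__":
    # Names from the thread, plus the shortened name MailScanner reported.
    for name in (
        "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz",
        "yahoo.com!ci.juneau.ak.us!1571097600!1571183999.xml.gz",
        "rocketmail.com.gz",
        "rocketmail.com",
    ):
        print(f"{name}: {evaluate(name)}  {explain(name)}")
```

The full rocketmail name hits the allow line, but "rocketmail.com.gz" matches nothing and "rocketmail.com" hits the `\.com$` deny, which is the log text in the quoted warning. The yahoo name is accepted only by fall-through: with a single ".com" followed by more dots, the allow regexp does not match it either.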
