Filename.rules.conf
Kevin Miller
kevin.miller at juneau.org
Mon Oct 28 22:13:18 UTC 2019
> Or you could just use the single regexp
> .*\.com[^.]*\.xml(\.gz)?$
> which will match anything followed by '.com' followed by 0 or more non dots followed by '.xml' and either ending there or followed by '.gz'.
Nice. I did just that, thanks.
>> For some reason it stumbles on this filename:
>> rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz
>>
>> I wanted to try to debug why, so I went to https://regex101.com/ and for the regex entered:
>> .*\.com[^.]*\.xml\.gz$
>> And the filename for the test string
>> It reports a "Full match"
> As you see, your regexp matches that name, but
>> But MailScanner still stumbles on it and replaces the attachment with the text warning:
>> "This is a message from the MailScanner E-Mail Virus Protection Service
>> ----------------------------------------------------------------------
>> The original e-mail attachment "rocketmail.com.gz"
>> is on the list of unacceptable attachments for this site and has been
>> replaced by this warning message.
> Mailscanner says the name it's looking at is "rocketmail.com.gz" without the .xml.
> What are the headers of all the sub-parts of the message? You should be able to find the message in MailScanner's quarantine.
Normally when (my) MailScanner stores spam/nonspam, it puts a single file in /var/spool/MailScanner/quarantine/<DATE>/nonspam (or spam). When the message is blocked for a bad filename it lands in /var/spool/MailScanner/quarantine/<DATE>/QUEUE.ID which contains the message, and any attachments separated out. Here's an example of one such message:
https://pastebin.com/9kRE9fXE
"rocketmail.com.gz" isn't present in the original message. I presumed that MailScanner was just repacking the filename similarly to what it does in the report when encountering an overly long filename.
> The results from `file` are only relevant for file type rules, not file name rules.
I know - I just added that to cover my bases.
> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To understand why, we need to see all the MIME part headers from the message.
It's in the pastebin post.
Thanks much...
...Kevin
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
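
Added example, not part of the original message and not MailScanner code: a small Python check that runs both names from the thread through an ordered rule list, showing that the allow regexp accepts the full attachment name but not the name quoted in the warning. The deny rule is a constructed stand-in for whatever site rule rejected the name; first-match-wins, case-insensitive matching, the default-allow fallthrough and the function names are assumptions of this sketch.

```python
import re

# Constructed rules in a tab-separated layout (action, regexp, log text, user text).
# The allow regexp is the one from the thread; the deny line is a constructed stand-in.
RULES_TEXT = "\n".join([
    "# constructed sample rules",
    "\t".join(["allow", r".*\.com[^.]*\.xml(\.gz)?$", "-", "-"]),
    "\t".join(["deny", r"\.com(\.gz)?$", "stand-in deny", "stand-in deny"]),
])

# Names taken from the thread: the attachment as sent, and the name in the warning text.
FULL_NAME = "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz"
REPORTED_NAME = "rocketmail.com.gz"


def parse_rules(text):
    """Return [(action, compiled_regexp)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, *_ = re.split(r"\t+", line)
        # Assumption: rules are matched case-insensitively.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE)))
    return rules


def decide(rules, name):
    """Assumption: the first matching rule decides; unmatched names are allowed."""
    for action, rx in rules:
        if rx.search(name):
            return action, rx.pattern
    return "allow", None


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for candidate in (FULL_NAME, REPORTED_NAME):
        action, pattern = decide(RULES, candidate)
        print(f"{candidate!r}: {action} (rule: {pattern})")
```

Testing a rule against the name shown in the rejection notice, not only the name in the original message, shows which name the allow rule has to cover.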