Filename.rules.conf
Kevin Miller
kevin.miller at juneau.org
Wed Oct 30 22:32:46 UTC 2019
Thanks again for looking, Mark. I have entries in both filename.rules.conf and archive.filename.rules.conf. I think the path of least resistance at this point is just to enter "rocketmail.com.gz" in them as well. If that's what it's seeing, then I'll just live with it and give it a pass.
Funny thing is, I haven't received any more reports from rocketmail since last week. Sooner or later one should turn up I expect.
Best...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
-----Original Message-----
From: MailScanner <mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info> On Behalf Of Mark Sapiro
Sent: Wednesday, October 30, 2019 10:39 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Filename.rules.conf
On 10/28/19 3:13 PM, Kevin Miller wrote:
>
>> Again, the name MailScanner is rejecting is "rocketmail.com.gz". To understand why, we need to see all the MIME part headers from the message.
>
> It's in the pastebin post.
The pastebin post is clear that the only name is "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz" and any of the regexps '.*\.com[^.]*\.xml\.gz$', '.*\.com[^.]*\.xml(\.gz)?$' or '.*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$' will match that.
I've looked at the code and it appears that MailScanner is actually looking at what it calls safename which may or may not be the "rocketmail.com.gz" name in the report. I'm not particularly fluent in Perl and I haven't found exactly how safename is made from the original name. I'm not sure, but I'm guessing that that will also be the name of the attachment stored in the /var/spool/MailScanner/quarantine/<DATE>/QUEUE.ID/ directory.
But if that's the case and it's looking at a name like "rocketmail.com.gz" which it made from "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz", it's hard to understand why other similar names are accepted.
I do note that your earlier posts referred to the file being contained in a zip archive and you needed to put your allow rules in archives.filename.rules.conf. However, the file in the pastebin is not in a zip archive so it needs a rule in filename.rules.conf. Do you have your rules in both places?
--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
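An added example, not part of the original messages and not MailScanner's own code: it checks the three regexps quoted in Mark's reply against both the full attachment name and the shortened "rocketmail.com.gz" name from the report, using a small first-match rule evaluator. The catch-all deny rule, the form of Kevin's extra entry, the plain unanchored search and all helper names are assumptions made for illustration.

```python
import re

# The three allow regexps quoted in Mark's reply, verbatim.
ALLOW_REGEXPS = [
    r'.*\.com[^.]*\.xml\.gz$',
    r'.*\.com[^.]*\.xml(\.gz)?$',
    r'.*\.com[^.]*[^.]\.com*[^.]*.xml.*\.gz$',
]

FULL_NAME = "rocketmail.com!jnuairport.com!1571875200!1571961599.xml.gz"
REPORTED_NAME = "rocketmail.com.gz"  # the name shown in the rejection report

# Assumption: one way to write the entry Kevin describes adding.
KEVIN_ENTRY = "allow\trocketmail\\.com\\.gz$\t-\t-"

def build_rules(extra=()):
    """Constructed rule text: action<TAB>regexp<TAB>log text<TAB>report text."""
    lines = ["# constructed sample, not a real site's rules"]
    lines += [f"allow\t{rx}\t-\t-" for rx in ALLOW_REGEXPS]
    lines += list(extra)
    # Constructed catch-all deny so that an unmatched .gz name is rejected.
    lines.append("deny\t\\.gz$\tconstructed catch-all\tconstructed catch-all")
    return "\n".join(lines)

def parse_rules(text):
    """Return [(action, compiled_regexp)] in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        rules.append((fields[0].lower(), re.compile(fields[1])))
    return rules

def verdict(rules, filename):
    """First matching rule decides; ('nomatch', None) if nothing matches."""
    for action, rx in rules:
        if rx.search(filename):  # unanchored search (assumption)
            return action, rx.pattern
    return "nomatch", None

def matching_allow_regexps(filename):
    """Which of the quoted regexps match the given name."""
    return [rx for rx in ALLOW_REGEXPS if re.search(rx, filename)]

if __name__ == "__main__":
    for extra in ((), (KEVIN_ENTRY,)):
        rules = parse_rules(build_rules(extra))
        for name in (FULL_NAME, REPORTED_NAME):
            print(bool(extra), name, verdict(rules, name))
```

All three regexps match the full name and none matches "rocketmail.com.gz", so if the check runs against the shortened name the existing allow rules never fire, while the extra entry does.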