New attachment type?

Shawn Iverson shawniverson at
Mon Oct 10 09:39:49 UTC 2022

I've seen a few of these kind.  You can use mailscanner to look for an 
attachment simply named "open$" in this case or try looking for a 
generic pattern such as [a-z0-9]+[^\.]   (I haven't tried a negative 
regex in MailScanner so not sure offhand if that will work.

In SA you can also use mimeheader to do a similar check. I do know you 
can use a negative there.

On 10/10/22 04:16, mailscanner at wrote:
> Hello list
> Just received a new virus mail where the body of the text is asking to 
> "update" IMAP adress blabla
> There is a 159 byte attachment with the email named "open" without any 
> extension at the end. Outlook does seem to recognize it as there it 
> places an icon before the attachment (windows logo at the top with a 
> rectangle at the bottom).
> Is anyone else seeing this, how can I stop it or how can I block 
> attachments without extension?
> Thanks!!
> Remco

More information about the MailScanner mailing list