shtml attachment files ?

[Shawn Iverson]

No.  The code that does this isn't even MailScanner itself. It is 
MIME::Parser when the Explode* methods are called.  Changing this 
behavior would mean mostly likely rewriting that perl module.

The problem you are running into is that the filename blocking is not 
MIME-aware and doesn't look at the email but rather the files that are 
exploded in the working directory.  The distinction here is that these 
html files you are fighting are likely attachments and not the html mime 
part of the email.

You have a few options:

1) Block any html file that doesn't conform to msg-<id>.html in your 
filename rules:

allow    msg-.*\.html$    HTML part of email message    HTML part of 
email message

deny    \.html$    HTML not part of email message    HTML not part of 
email message

2) Use SpamAssassin to examine the mimeheaders and score appropriately

mimeheader    Content-Disposition =~ /attachment; filename=\".*\.html\"/

describe    HTML attachment, not safe!

score        10.0

On 9/26/22 04:28, mailscanner at barendse.to wrote:
>
>
> On Thu, 28 Jul 2022, Shawn Iverson via MailScanner wrote:
>
>> It is happening during the mime parsing operation when the mime is 
>> split into text and html parts. It assigns a name msg-<id>.html to 
>> the html mime part.
>
>
> Is there any way to avoid that, can we assign a different name, other 
> than .html ?
>
> The number of .html attachments with links to a partial virus payload 
> and that are slipping through undetected is increasing and it's 
> worrying. I have a pretty decent proxy/filter but.........
>
>
>>
>
>