Discussion:
Double File extension
Johan Hendriks
2014-01-20 13:22:07 UTC
Hello all.

I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.

Is there a way to only check the last two extensions, and only block if
both are three characters long?

regards

Johan
Jerry Benton
2014-01-20 14:15:57 UTC
Johan,

I would suggest just allowing the multiple file extensions. The idea behind
this check is pretty old and has been overcome by modern times and methods.
You would still drive customers crazy if you blocked:

document.Jan.doc
document.feb.doc

etc.
Post by Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block if
both are three characters long?
regards
Johan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
--
Jerry Benton
Mailborder Systems
www.mailborder.com
Peter Farrow
2014-01-20 14:53:45 UTC
I disagree,

hiding windows file extensions is a simple and easy way to fool the end
user.

Personally I would never allow double-barreled extensions.

Do this at your peril.

P.
Post by Jerry Benton
Johan,
I would suggest just allowing the multiple file extensions. The idea
behind this check is pretty old and has been overcome by modern times
document.Jan.doc
document.feb.doc
etc.
On Mon, Jan 20, 2014 at 2:22 PM, Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block if
both are three characters long?
regards
Johan

Peter Farrow
______________________
Home: 01249 654183
Fax: 01249 461 548
Mobile: 07799605617
Skype: peter_farrow
Web: www.peterfarrow.com <http://www.peterfarrow.com>

Paul A Sand
2014-01-20 15:42:05 UTC
Post by Peter Farrow
hiding windows file extensions is a simple and easy way to fool the
end user.
Personally I would never allow double-barreled extensions.
An alternative path is renaming. What we did awhile back (in
filename.rules.conf) was to change the "deny" rule at the end to:

rename to _$1.$2 \.([a-z][a-z0-9]{2,3}\s*)\.([a-z0-9]{3})$

E.g., "feefie.foe.fum" becomes "feefie_foe.fum". I think. It's been
awhile. It has really cut back on the gripes from false positives.
--
-- Paul A Sand <pas at unh.edu>
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Sender does not have combination to safe.
Alex Neuman
2014-01-20 14:25:07 UTC
Yes. You could create a perl regular expression (regexp) that can match
that.

Here's more info:

http://perldoc.perl.org/perlretut.html

Otherwise just comment out with a # the double extension rule and match on
.exe, .com, .pif, .scr and such.

It's much easier than hitting your users upside the head with a
clue-by-four.



Alex Neuman van der Hans / Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789

Follow @AlexNeuman <https://twitter.com/alexneuman> on Twitter
Like Vida Digital <https://facebook.com/vidadigital/> on Facebook
Follow VidaDigital <http://instagram.com/vidadigital> on Instagram
Subscribe to Vida Digital <https://youtube.com/reliantpty> on Youtube
Post by Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block if
both are three characters long?
regards
Johan
Rick Cooper
2014-01-20 15:41:30 UTC
Post by Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block
if both are three characters long?
regards
Johan
An expression like .*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$

Would block double extensions where the final extension is executable so
doc.jan.xls would not trigger but doc.jan.xls.exe would. Of course you still
have to block executables within archives because renaming doc.jan.exe to
doc.jan.txt would defeat the filename rules. And you would also have to
decide what extensions to block because maybe you don't care about .msi
files or shortcuts

Rick
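As an added illustration (not code from the thread, and not MailScanner's own), the Python script below runs Paul's rename pattern and Rick's executable-last-extension pattern over a few constructed filenames, and models an ordered filename.rules.conf in which the first matching rule wins, which is why Paul's rename rule belongs at the end. Assumptions: the stock "deny" rule Paul replaced uses the same pattern as his rename rule (without the capture groups), patterns are matched case-insensitively, and the plain-executable deny list is a constructed stand-in for whatever the real rules file carries.

```python
import re

# Pattern quoted in Paul's rename rule. The stock "deny" rule it replaced is
# assumed here to use the same pattern (without the capture groups).
HIDDEN_EXT = re.compile(r'\.([a-z][a-z0-9]{2,3}\s*)\.([a-z0-9]{3})$', re.I)

# Rick's pattern: a double extension whose final part is executable.
EXEC_DOUBLE = re.compile(
    r'.*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$', re.I)

# Constructed deny list for plain executable extensions (assumption: the real
# filename.rules.conf carries its own, longer list ahead of the
# double-extension rule).
EXEC_SINGLE = re.compile(r'\.(?:exe|com|scr|pif|bat|cmd)$', re.I)


def stock_deny(name: str) -> bool:
    """Stock behaviour: deny any name with two short dotted suffixes."""
    return HIDDEN_EXT.search(name) is not None


def rick_deny(name: str) -> bool:
    """Rick's rule: deny only when the last extension is executable."""
    return EXEC_DOUBLE.search(name) is not None


def paul_rename(name: str) -> str:
    """Paul's rule: replace the inner dot with '_' so the name no longer
    looks like a hidden extension, and let the message through."""
    return HIDDEN_EXT.sub(r'_\1.\2', name)


# Ordered rules in the style of filename.rules.conf; the first match wins.
# Real executables are denied by the first rule before the rename is reached,
# so the rename only ever touches names the earlier rules already accepted.
RULES = [
    ("deny", EXEC_SINGLE),
    ("rename", HIDDEN_EXT),
    ("allow", re.compile(r'.')),
]


def apply_rules(name: str) -> tuple:
    """Return (action, resulting filename) for the first matching rule."""
    for action, pattern in RULES:
        if pattern.search(name):
            if action == "rename":
                return action, pattern.sub(r'_\1.\2', name)
            return action, name
    return "allow", name


if __name__ == "__main__":
    # Constructed sample names: the false positives Jerry describes, and the
    # double-extension executable Rick's pattern is meant for.
    for name in ["document.Jan.doc", "doc.jan.xls", "doc.jan.xls.exe",
                 "invoice.pdf.exe", "report.pdf"]:
        print(f"{name:18} stock_deny={stock_deny(name)!s:5} "
              f"rick_deny={rick_deny(name)!s:5} "
              f"paul={paul_rename(name):18} ordered={apply_rules(name)}")
```

Running it shows the trade-off the thread is about: the stock pattern denies document.Jan.doc, Rick's pattern lets it through but still denies doc.jan.xls.exe, and Paul's rename turns it into document_Jan.doc while the ordered rules still deny invoice.pdf.exe outright.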
Antony Stone
2014-01-20 16:21:07 UTC
Post by Rick Cooper
Post by Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block
if both are three characters long?
An expression like .*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$
Would block double extensions where the final extension is executable so
doc.jan.xls would not trigger but doc.jan.xls.exe would. Of course you
still have to block executables within archives because renaming
doc.jan.exe to doc.jan.txt would defeat the filename rules. And you would
also have to decide what extensions to block because maybe you don't care
about .msi files or shortcuts
I would not block on filename (because of examples such as given previously -
document.jan.doc etc), but on content.

Use MailScanner's built-in and plug-in content scanning facilities to block
executable content, malicious content, and inappropriate filetypes for your
organisation, and let the users (or more often the people sending stuff to your
users) choose whatever filenames they like.

I don't have an example to hand, but I'm sure there must be examples of
legitimate filenames with two 3-letter extensions, both of which appear on the
list of "dangerous" extensions, simply because the document creator doesn't
think about what Windows considers to be "executable".


Regards,


Antony.
--
Most people are aware that the Universe is big.

- Paul Davies, Professor of Theoretical Physics

Please reply to the list;
please don't CC me.
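An added example (not from the thread, and not MailScanner's own content checks) of Antony's point: decide on what the attachment contains rather than what it is called. It sniffs a few well-known leading bytes on constructed sample data embedded below and denies executable content regardless of filename, which also covers the doc.jan.exe renamed to doc.jan.txt that Rick mentions. The signature table, the "inspect" outcome for archives and the decision policy are assumptions for illustration.

```python
# Leading-byte signatures; a constructed subset, not MailScanner's table.
MAGIC = [
    (b"MZ", "executable"),          # DOS/Windows PE executables
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # also Office OOXML (.docx/.xlsx)
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy Office (.doc/.xls)
]


def sniff(data: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if nothing matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def decide(name: str, data: bytes) -> tuple:
    """Return (action, reason). The filename is only used in the reason;
    the decision rests entirely on the sniffed content."""
    kind = sniff(data)
    if kind == "executable":
        return "deny", f"executable content in '{name}'"
    if kind == "zip":
        # Rick's caveat: executables inside archives need their own check.
        return "inspect", f"archive in '{name}': scan its members too"
    return "allow", f"{kind} content in '{name}'"


# Constructed byte strings standing in for attachment bodies, not real files.
SAMPLES = {
    "doc.jan.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,   # renamed .exe
    "document.Jan.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "quarterly.v2.pdf": b"%PDF-1.4\n%constructed\n",
    "archive.bak.zip": b"PK\x03\x04\x14\x00\x00\x00",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, reason = decide(name, body)
        print(f"{name:18} -> {action:8} ({reason})")
```

The double-dotted names that trip the filename rule are all allowed here because their content is a document, while the renamed executable is denied even though its name ends in .txt.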
Johan Hendriks
2014-01-21 14:04:08 UTC
Post by Antony Stone
Post by Rick Cooper
Post by Johan Hendriks
Hello all.
I have mailscanner running and it all works quite well.
The only thing I encounter is that people use a lot of (.) in their
files, and this triggers the deny rule of multiple extensions.
Is there a way to only check the last two extensions, and only block
if both are three characters long?
An expression like .*\.(.+?)\.(?:exe|com|bin|msi|scr|vb[es]|bat|chf|cmd|pif)$
Would block double extensions where the final extension is executable so
doc.jan.xls would not trigger but doc.jan.xls.exe would. Of course you
still have to block executables within archives because renaming
doc.jan.exe to doc.jan.txt would defeat the filename rules. And you would
also have to decide what extensions to block because maybe you don't care
about .msi files or shortcuts
I would not block on filename (because of examples such as given previously -
document.jan.doc etc), but on content.
Use MailScanner's built-in and plug-in content scanning facilities to block
executable content, malicious content, and inappropriate filetypes for your
organisation, and let the users (or more often the people sending stuff to your
users) choose whatever filenames they like.
I don't have an example to hand, but I'm sure there must be examples of
legitimate filenames with two 3-letter extensions, both of which appear on the
list of "dangerous" extensions, simply because the document creator doesn't
think about what Windows considers to be "executable".
Regards,
Antony.
Thank you all for the replies, I am going to try some of the given options!

Thanks again

regards
Johan Hendriks
