Posted to users@spamassassin.apache.org by en <ny...@kiercorp.com> on 2004/02/24 00:01:59 UTC

Block double extensions

This may be better for procmail but if I wanted to flag an email with an
attachment with double extensions what would be a good rule for this?
Thanks

Re: Block double extensions

Posted by Matt Kettler <mk...@evi-inc.com>.
At 06:01 PM 2/23/2004, en wrote:
>This may be better for procmail but if I wanted to flag an email with an
>attachment with double extensions what would be a good rule for this?
>Thanks

Generally speaking, SA isn't a particularly optimal tool for this. SA 
doesn't parse attachment headers, and doing so via a rawbody rule isn't 
possible in recent versions of SA.


Theoretically, a rule like one of these would work:

rawbody LOCAL_DOUBLE_EXTENSION  /Content-Disposition\: attachment\;filename=\s?\S*\.[a-z]{3}\.[a-z]{3}\"/i
header LOCAL_DOUBLE_EXTENSION_h  Content-Disposition =~ /attachment\;filename=\s?\S*\.[a-z]{3}\.[a-z]{3}\"/i

However, in reality they don't... In order to prevent false positives, SA's 
mime parser removes octet-stream sections from the email before any rules 
are run, even rawbody.

And this behavior makes sense. After all, SA's purpose is to evaluate the 
email to see if it's spam. Binary attachments aren't a part of its 
concerns. And it does prevent a lot of the rawbody rules from 
false-alerting on messages with binary attachments.

If you need file-extension blocking, etc., I'd recommend looking at 
MailScanner. It's a very handy integration tool for SpamAssassin and virus 
scanners. It's also got a "filename rules" feature, which by default 
handles most double-extensions, and has a list of "safe" extensions that it 
passes before doing the double-extension check. (i.e. file.tar.gz is 
perfectly safe, as is contacts.dec.txt).
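A double-extension check of the kind described in this reply, run on the parsed MIME tree (where octet-stream parts are still visible) rather than as an SA rule. This is an added example, not code from the thread or from MailScanner; the safe-extension list and the sample message are constructed for illustration.

```python
import email
from email import policy

# Constructed, illustrative subset of "safe" final extensions, in the
# spirit of MailScanner's filename rules: file.tar.gz and contacts.dec.txt
# must not be flagged even though they carry two extensions.
SAFE_FINAL_EXTENSIONS = {"gz", "bz2", "zip", "txt", "pdf"}

# Constructed test message with one risky and one harmless attachment.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attachments.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.txt.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="file.tar.gz"
Content-Transfer-Encoding: base64

H4sI
--XYZ--
"""

def attachment_filenames(raw_message: bytes) -> list:
    """Walk every MIME part and collect attachment filenames."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()
            and p.get_content_disposition() == "attachment"]

def has_double_extension(filename: str) -> bool:
    """True for names like invoice.txt.exe; False when the final extension
    is on the safe list or the name has fewer than two extensions."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = parts[1], parts[2]
    if outer in SAFE_FINAL_EXTENSIONS:
        return False
    # Require two short alphanumeric extensions, as the rawbody regex above did.
    return all(e.isalnum() and 1 <= len(e) <= 4 for e in (inner, outer))

def flagged_attachments(raw_message: bytes) -> list:
    """Filenames in the message that fail the double-extension check."""
    return [n for n in attachment_filenames(raw_message) if has_double_extension(n)]
```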