Posted to users@spamassassin.apache.org by Cedric Knight <ce...@gn.apc.org> on 2016/04/07 00:08:45 UTC

MIME header false positives (was Rule to score word documents)

On 30/03/16 21:11, @lbutlr wrote:
> On Wed Mar 30 2016 13:34:23 Alex	<my...@gmail.com> said:
>>
>> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/
>> REJECT
> 
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" may not end with ".$3"

I'd like to take the opportunity to warn that regexes like this (and the
version in the Postfix documentation as "man header_checks") have
started blocking email from iPhones.

This is because some Apple email client adds a parameter to Content-Type
that may end in ".com".  The ".*\." can span between those parameters.
If you block extensions in Postfix, check your logs for
"x-apple-part-url" and you may see something like:

server postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
 application/vnd.ms-publisher;??name="redacted
redacted.pub";??x-apple-part-url="abcd1234-1234-5678-9999-123412341234@yahoo.com"

("??" is the CRLF line break.)

For Postfix the rule can be rewritten to specify the parameter value to
avoid this type of false positive:

# pcre: table entry; continuation lines (the REJECT line included) must
# start with whitespace, otherwise Postfix reads them as new entries
/^Content-(Disposition|Type).*name\s*=\s*
  ("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
  ((?:\.|=2E)(
  ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
  hlp|ht[at]|
  inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
  \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
  ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
  vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
  REJECT Attachment name $2$3 may not end with ".$4"

So far as I can see, no standard SpamAssassin rule checks for .com, so it
shouldn't cause a false positive, but some rules that are intended just
to check filename extensions and might hit other parts of the header
include OBFU_TEXT_ATTACH, T_OBFU_DOC_ATTACH and __TVD_MIME_ATT_AOPDF.

> Just add the MS Office file extensions to that.
> 
> Then, when your users revolt and are banging on your door with pitchforks and torches, take them out again.

:) or staff the machicolations because you know best.

Some that I seriously would add are .mso, .xl, .ocx and .jar.

CK