natan:
> Hi
> In file I have:
>
> /^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(exe|ade|adp|bas|bat|chm|cmd|cpl|hlp|hta|inf|ins|isp|img|js|jse|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/
>
>
> REJECT Sorry, we do not accept .${4} file type.
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.exe)"/
> REJECT Sorry, we do not accept double extension .${3} file type.
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.img)"/
> WARN Sorry, we do not accept double extension file type img.

Sorry, these patterns don't work. Use the header_checks manpage
example instead.

        Wietse

>
> On 27.02.2023 at 15:56, Wietse Venema wrote:
> > natan:
> >> Hi
> >> I get many many e-mails with virus and double extension like:
> >> *.jpg.img
> >> *.pdf.img
> >> *.*.img
> >>
> >> I try in header_checks.pcre
> >>
> > [broken regexp omitted]
> >> and not working
> > The following blocks a 'bad' extension before a 'good' one such
> > as 'name.exe.pdf'.
> >
> > 1) Take the example from the header_checks manpage
> >
> > 2) Insert ((\.|=2E)[a-z]+)? between vxd|ws[cfh]) and )(\?=)?"?\s*(;|$)/x
> >
> > 3) Replace $4 with $4$5
> >
> > A much simpler rule would block all double extensions (such as
> > 'name.pdf.jpg'), but I don't know if that would also block legitimate
> > mail.
> >
> > Wietse
> > --
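
The three steps quoted above, applied to an abbreviated copy of the header_checks(5) manpage pattern and run against constructed headers. This is an added example, not part of the thread: the extension list is shortened, `check` and `SAMPLES` are hypothetical names, and Python's `re` stands in for Postfix's PCRE engine.

```python
import re

# Abbreviated copy of the header_checks(5) manpage pattern with step 2 applied.
# Assumption: the extension list is shortened for the demo; keep the manpage's
# full list in a real header_checks.pcre.
PATTERN = re.compile(r'''
    ^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
      bat|cmd|com|exe|jse?|pif|sc[frt]|vb[esx]?|vxd|ws[cfh])
      ((\.|=2E)[a-z]+)?
    )(\?=)?"?\s*(;|$)
''', re.VERBOSE | re.IGNORECASE)  # Postfix pcre tables are case-insensitive by default


def check(header):
    """Return the action this rule yields for one header line, or None."""
    m = PATTERN.search(header)
    if m is None:
        return None
    # Step 3: $4$5 = the listed extension plus the optional trailing one.
    return 'REJECT Attachment name "%s" may not end with ".%s%s"' % (
        m.group(2), m.group(4), m.group(5) or "")


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    'Content-Disposition: attachment; filename="invoice.exe.pdf"',
    'Content-Disposition: attachment; filename="setup.exe"',
    'Content-Type: application/octet-stream; name="invoice=2Eexe=2Epdf"',
    'Content-Type: application/pdf; name="report.pdf"',
    # "exe" here is only the start of a longer word, so the rule must not fire.
    'Content-Disposition: attachment; filename="my.executive.summary.pdf"',
    # Neither "jpg" nor "img" is in the shortened list above, so no match.
    'Content-Disposition: attachment; filename="photo.jpg.img"',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print("%-75s -> %s" % (header, check(header) or "(no match)"))
```

The last sample is not matched by this list; a name such as `*.jpg.img` is only caught once `img` is one of the listed extensions.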