natan:
> Hi
> In file i have:
>
> /^Content-(Type|Disposition):.*(file)?name=.*(\.|=2E)(exe|ade|adp|bas|bat|chm|cmd|cpl|hlp|hta|inf|ins|isp|img|js|jse|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|mim|b64|bhx|hqx|xxe|uu|uue)"/
>
>
> REJECT Sorry, we do not accept .${4} file type.
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.exe)"/
> REJECT Sorry, we do not accept double extension .${3} file type.
>
> /^Content-(Type|Disposition):.*(file)?name=.*\.([a-z]+\.img)"/
> WARN Sorry, we do not accept double extension file type img.
Sorry, these patterns don't work. Use the header_checks manpage
example instead.
Wietse
>
> W dniu 27.02.2023 o 15:56, Wietse Venema pisze:
> > natan:
> >> Hi
> >> I gat many many e-mails with virus and double exstension like:
> >> *.jpg.img
> >> *.pdf.img
> >> *.*.img
> >>
> >> I try in header_checks.pcre
> >>
> > [broken regexp omitted]
> >> and not working
> > The following blocks a 'bad' extension before a 'good' one such
> > as 'name.exe.pdf'.
> >
> > 1) Take the example from the header_checks manpage
> >
> > 2) Insert ((\.|=2E)[a-z]+)? between vxd|ws[cfh]) and )(\?=)?"?\s*(;|$)/x
> >
> > 3) Replace $4 with $4$5
> >
> > A much simpler rule would block all double extensions (such as
> > 'name.pdf.jpg'), but I don't know if that would also block legitimate
> > mail.
> >
> > Wietse
>
> --
>
>
