I posted this a while back, but we still haven't seen an answer.
Other than allowing .com extensions, is it possible to look at filename
instead of Content-ID for defanging?
Embedded images are put in like:
email@example.com, and the header also includes a filename
of image.gif or image.jpg.
Presently, the .com is detected as a filename, and subsequently dropped.
I'm considering a rule which looks for .com, but excludes *@*.com, but doing
that concerns me as well since it won't be long before someone exploits that.

-- 
Rick Johnson, RHCE #807302311706007 - firstname.lastname@example.org
Linux/Network Administrator - Medata, Inc.
PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc
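
The check asked about above, sketched as an added example (not part of the original post and not the code of any particular mail filter): the extension rule is applied to the filename a MIME part declares and never to its Content-ID, so an inline image passes while a file actually named like an address is still blocked without any `*@*.com` exception. The deny list, addresses and filenames are constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed deny list for the illustration; a real filter's list will differ.
BLOCKED_EXTENSIONS = (".com", ".exe", ".pif", ".scr")


def build_sample() -> bytes:
    """Constructed message: one inline image and two attachments ending in .com."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    # Embedded image: Content-ID looks like an address, filename is image.gif.
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                       disposition="inline", filename="image.gif",
                       cid="<image001@example.com>")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="update.com")
    # A filename shaped like an address must not slip past the rule.
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="invoice@example.com")
    return msg.as_bytes()


def classify_parts(raw: bytes):
    """Return (content_id, filename, verdict) for each part that declares either."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        content_id = part["Content-ID"]
        # get_filename() reads Content-Disposition filename=, then Content-Type name=.
        filename = part.get_filename()
        if filename is None and content_id is None:
            continue
        # Normalise case and trailing dots/spaces before testing the extension.
        name = (filename or "").lower().rstrip(". ")
        verdict = "block" if name.endswith(BLOCKED_EXTENSIONS) else "allow"
        results.append((str(content_id) if content_id else None, filename, verdict))
    return results


if __name__ == "__main__":
    for row in classify_parts(build_sample()):
        print(row)
```
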