On Wed, 2004-01-28 at 10:46, Derrick Webber wrote:
> Kevin Shanahan wrote:
> > On Wed, 2004-01-28 at 08:12, Peter Mueller wrote:
> >
> >>"Somecompany.com.doc" got DEFANGED. I want to allow it through. What would
> >>I have to change?
> >
> > ...
> >
> >>file_list_1 += |url|exe|ws[cfh]|ops|com|prx))\s*
> >
> > ...
> >
> >>file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
> >
> >
> > I suggest ending both file list regex with \s*$ to make sure you're
> > matching against the end of the file name.
> >
>
> If the recipients use MS Outlook or Outlook Express, it's dangerous to
> filter attachments based only on last file extension. See
> http://www.clearswift.com/support/threatlab/docs/extensionthreats.aspx

Thanks for the tip, I didn't know about that.

To the original poster then, I suggest just adding the "\s*$" to the end
of file_list_2. Then your first rule will still catch dangerous "middle
extensions".

Perhaps it's then also worthwhile to add a double and/or triple
extension rule.

Regards,
Kevin.
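
The anchoring options discussed in this thread, compared side by side as an added example that is not part of the original messages. The patterns are built only from the alternatives quoted above (the full file lists are not shown), `MULTI_EXT` is a hypothetical double/triple extension rule, and every sample name except Somecompany.com.doc is constructed.

```python
import re

# Constructed patterns: only the alternatives quoted in the thread are used;
# the full file_list_1 / file_list_2 values are not shown there.
LIST_1 = r"(?i)(\.(url|exe|ws[cfh]|ops|com|prx))\s*"
LIST_2 = r"(?i)(\.([ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas))\s*"
# Hypothetical double/triple extension rule (an assumption, not from the thread).
MULTI_EXT = r"(?i)(\.[a-z0-9]{1,5}){2,}\s*$"

# Three configurations discussed in the thread.
RULESETS = {
    "unanchored": [("list_1", LIST_1), ("list_2", LIST_2)],
    "both_anchored": [("list_1", LIST_1 + "$"), ("list_2", LIST_2 + "$")],
    "list_2_anchored": [("list_1", LIST_1), ("list_2", LIST_2 + "$"),
                        ("multi_ext", MULTI_EXT)],
}

# Constructed sample names, apart from the one quoted in the thread.
SAMPLES = [
    "Somecompany.com.doc",  # from the thread
    "readme.exe.txt",       # listed extension in the middle
    "setup.exe  ",          # trailing whitespace after the extension
    "notes.sxw",            # starts like ".s" but is a different extension
    "main.c",
]


def matching_rules(filename, ruleset):
    """Return the names of all rules in a ruleset whose regex matches."""
    return [name for name, pattern in RULESETS[ruleset]
            if re.search(pattern, filename)]


def report():
    """Map each sample name to the rules it hits under every ruleset."""
    return {name: {rs: matching_rules(name, rs) for rs in RULESETS}
            for name in SAMPLES}


if __name__ == "__main__":
    for name, hits in report().items():
        print(repr(name))
        for ruleset, rules in hits.items():
            print(f"    {ruleset:16} {rules or 'no match'}")
```

Under `list_2_anchored`, Somecompany.com.doc still matches list_1 through the unanchored `com` alternative; under `both_anchored` it passes, and so does readme.exe.txt.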