anomy-list

Re: File exclusion question : Somecompany.com.doc

From: Kevin Shanahan (112409@xyz.molar.is)
Date: Wed 28 Jan 2004 - 01:02:32 GMT


    On Wed, 2004-01-28 at 10:46, Derrick Webber wrote:
    > Kevin Shanahan wrote:
    > > On Wed, 2004-01-28 at 08:12, Peter Mueller wrote:
    > >
    > >>"Somecompany.com.doc" got DEFANGED. I want to allow it through. What would
    > >>I have to change?
    > >
    > > ...
    > >
    > >>file_list_1 += |url|exe|ws[cfh]|ops|com|prx))\s*
    > >
    > > ...
    > >
    > >>file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
    > >
    > >
    > > I suggest ending both file list regexes with \s*$ to make sure you're
    > > matching against the end of the file name.
    > >
    >
    > If the recipients use MS Outlook or Outlook Express, it's dangerous to
    > filter attachments based only on last file extension. See
    > http://www.clearswift.com/support/threatlab/docs/extensionthreats.aspx

    Thanks for the tip, I didn't know about that.

    To the original poster then, I suggest just adding the "\s*$" to the end
    of file_list_2. Then your first rule will still catch dangerous "middle
    extensions".

    Perhaps it's then also worthwhile to add a double and/or triple
    extension rule.

    Regards,
    Kevin.
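
The anchoring trade-off discussed in this thread, as an added example that is not part of the original message or of Anomy's own configuration. It is written in Python rather than Anomy config syntax; the extension list is a shortened, constructed stand-in for the elided file_list_1, and the rule names and the "component" pattern are hypothetical.

```python
import re

# Constructed, shortened extension list; the full file_list_1 is elided on the page.
EXT = r"url|exe|ws[cfh]|ops|com|prx"

RULES = {
    # Unanchored, like the quoted file_list_1 fragment: hits ".com" anywhere.
    "unanchored": re.compile(r"\.(?:%s)\s*" % EXT, re.I),
    # Anchored with \s*$ as suggested in the thread: last extension only.
    "end_only": re.compile(r"\.(?:%s)\s*$" % EXT, re.I),
    # Hypothetical multi-extension rule: a listed extension must be a whole
    # dot-separated component, either in the middle or at the end of the name.
    "component": re.compile(r"\.(?:%s)(?=\.|\s*$)" % EXT, re.I),
}


def matched_rules(filename):
    """Return the sorted names of the rules that would flag this filename."""
    return sorted(name for name, rx in RULES.items() if rx.search(filename))


def extension_count(filename):
    """Number of dot-separated components after the base name."""
    return max(len(filename.strip().strip(".").split(".")) - 1, 0)


# Constructed sample attachment names.
SAMPLES = [
    "Somecompany.com.doc",   # the name from the thread
    "report.doc",
    "setup.exe  ",           # trailing whitespace, covered by \s*$
    "budget.compare.xls",    # ".com" only as a prefix of a longer component
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), extension_count(name), matched_rules(name))
```

No pattern of this kind can tell a company name ending in ".com" from a dangerous middle extension, so "Somecompany.com.doc" is passed only by the end-anchored rule; the component rule removes the ".compare" style false positive but still flags it.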


