A recent rash of malware files disguised as .doc.wsf attachments has me posting in the hopes that the file extension detection capability in Mercury global filtering can be fixed so that the final .xxx is what the filter looks at. As it stands now, placing "wsf" in an Attachment rule that checks only the extension portion will fail if there is an extra "." in the filename. The same holds true for .xxx.zip when "zip" is in the same type of rule. A workaround is to use an expression like "*.zip" and "*.wsf" to detect these attachments; however, doing this to block every executable extension is not practical.
Thanks for the consideration.
Hi!
Is there any valid use of double extensions? I think you can use regular expression *.*.*
Regards Jyrki
Unfortunately it is not uncommon for me to receive invoices from subcontractors with filenames such as "White Mt. School.doc" and "Black Elem. Job.pdf".
I appreciate your attempt to help but know that there are workarounds. My point is that the existing attachment extension detection does not work as expected when there is more than one dot in the filename.
Sorry if I don't understand this correctly, but just tested this with global rule:
If attachment ExtnPart lists "zip,tmp,dat" Dialog "FileFilter!!!"
with files "aaa.wrk.dat", "aaa.wrk.tmp", and "aaa.wrk.zip", and that rule caught all these.
Regards Jyrki
You understand correctly. So, the question now is why yours work and mine don't.
From my RULES.MER file:
If attachment ExtnPart lists "bgf,bat,chm,cmd,com,cpl,crt,dll,exe,hlp,hta,inf,ins" DeleteAttmt ""
If attachment ExtnPart lists "msi,msp,nws,ops,.ocx,pcd,pif,prf,reg,scf,scr,sct,shb,shm" DeleteAttmt ""
If attachment ExtnPart lists "shs,url,vb,vbe,vbs,vbx,vxd,wsc,wsf,wsh" DeleteAttmt ""
If attachment ExtnPart lists "ws,bas,ade,adp,asp,hta" DeleteAttmt ""
If attachment ExtnPart lists "zip,lnk,mde,mdb,msc,pps,vbp" DeleteAttmt ""
Attachments with filenames like xxxx.doc.wsf and xxxx.pdf.zip come through but attachment filenames of xxxx.wsf and xxxx.zip are deleted.
Maybe I need to start a discussion on the support forum.
FYI, pasted all these rules to our rules.mer file, modified wsf to wsk, and tested with aaa.wrk.wsk (can't use .wsf, because of our Exchange antivirus), and the attachment was deleted. So, working OK here.
:)
Mercury version is 4.8.
Jyrki
I'm pretty certain it's not my rule logic because when I add an expression rule to detect *.*.* immediately following the ExtnPart rules the double dot attachments get deleted. Wonder what else is playing a role in this.
Mercury v4.80 here as well.
It is now working. Thank you Jyrki for testing.
I still can't explain how numerous xxxx.doc.wsf and xxxx.xxx.zip attachments came through or why the tests run prior to my post here had failed. All of the messages that contained these attachments have been deleted so I can't analyze against my filters but I don't know as that would be helpful since my testing was the same yesterday as it was 10 days ago.
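Added example (not part of the original thread, and not Mercury's own code): an offline check of which attachment names a set of ExtnPart rule lines would cover when the filter looks only at the final extension, as the thread expects. It assumes the comparison is against the text after the last dot, case-insensitive and literal per list entry; the function names and the sample rule lines are constructed for illustration.

```python
import re

# Constructed sample in the rule form quoted in the thread (entries taken from it).
SAMPLE_RULES = '''\
If attachment ExtnPart lists "msi,msp,nws,ops,.ocx,pcd,pif" DeleteAttmt ""
If attachment ExtnPart lists "vbs,wsc,wsf,wsh,hta" DeleteAttmt ""
If attachment ExtnPart lists "ws,bas,ade,adp,asp,hta,zip" DeleteAttmt ""
'''
RULE_RE = re.compile(r'If attachment ExtnPart lists "([^"]*)"', re.IGNORECASE)


def final_extension(filename):
    """Text after the LAST dot, lower-cased. Trailing dots and spaces are
    dropped first because Windows strips them when the file is saved."""
    name = filename.strip().rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def load_blocklist(rules_text):
    """Return (set of listed entries, lint warnings) for ExtnPart rule lines."""
    blocked, warnings = set(), []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        match = RULE_RE.search(line)
        if not match:
            continue
        for raw in match.group(1).split(","):
            entry = raw.strip().lower()
            if not entry:
                continue
            if entry.startswith("."):
                # Assumption: entries are compared literally, so ".ocx" != "ocx".
                warnings.append(f"rule {lineno}: {entry!r} has a leading dot")
            if entry in blocked:
                warnings.append(f"rule {lineno}: {entry!r} is listed twice")
            blocked.add(entry)
    return blocked, warnings


def audit(filenames, blocked):
    """Map each filename to (final extension, covered by the list?)."""
    return {f: (final_extension(f), final_extension(f) in blocked) for f in filenames}


if __name__ == "__main__":
    blocked, warnings = load_blocklist(SAMPLE_RULES)
    print("\n".join(warnings))
    names = ["xxxx.doc.wsf", "xxxx.pdf.ZIP.", "White Mt. School.doc", "a.ocx"]
    for name, (ext, hit) in audit(names, blocked).items():
        print(f"{name!r:26} ext={ext!r:6} {'BLOCK' if hit else 'pass'}")
```

Run against a copy of the real rule file, this shows which list entries could never match a bare extension and confirms that names such as "White Mt. School.doc" pass while xxxx.doc.wsf does not.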