Mercury Suggestions
Need attachment extension filter to detect files with .xxx.xxx extensions

You're welcome. Nice to hear it is working now.

 Jyrki 


A recent rash of malware files disguised as .doc.wsf attachments has me posting in the hopes that the file extension detection capability in Mercury global filtering can be fixed so that the final .xxx is what the filter looks at.  As it stands now, placing "wsf" in an Attachment rule that checks only the extension portion will fail if there is an extra "." in the filename.  The same holds true for .xxx.zip when "zip" is in the same type of rule.  A workaround is to use an expression like "*.zip" and "*.wsf" to detect these attachments however doing this to block every executable extension is not practical.

Thanks for the consideration.

 


Hi!

Is there any valid use of double extensions? I think you can use regular expression *.*.*

Regards Jyrki 


Unfortunately it is not uncommon for me to receive invoices from subcontractors with filenames such as "White Mt. School.doc" and "Black Elem. Job.pdf".



How about using exception rule for common document formats (*.doc, *.pdf, *.xls ...), to override *.*.* - rule?
 
 
Jyrki

I appreciate your attempt to help but know that there are workarounds.  My point is that the existing attachment extension detection does not work as expected when there is more than one dot in the filename.


Sorry if I don't understand this correctly, but just tested this with global rule:

If attachment ExtnPart lists "zip,tmp,dat" Dialog "FileFilter!!!"

with files "aaa.wrk.dat", "aaa.wrk.tmp", and "aaa.wrk.zip", and that rule caught all these.

 Regards Jyrki


You understand correctly.  So, the question now is why yours work and mine don't.

 From my RULES.MER file:

If attachment ExtnPart lists "bgf,bat,chm,cmd,com,cpl,crt,dll,exe,hlp,hta,inf,ins" DeleteAttmt ""
If attachment ExtnPart lists "msi,msp,nws,ops,.ocx,pcd,pif,prf,reg,scf,scr,sct,shb,shm" DeleteAttmt ""
If attachment ExtnPart lists "shs,url,vb,vbe,vbs,vbx,vxd,wsc,wsf,wsh" DeleteAttmt ""
If attachment ExtnPart lists "ws,bas,ade,adp,asp,hta" DeleteAttmt ""
If attachment ExtnPart lists "zip,lnk,mde,mdb,msc,pps,vbp" DeleteAttmt ""

Attachments with filenames like xxxx.doc.wsf and xxxx.pdf.zip come through but attachment filenames of xxxx.wsf and xxxx.zip are deleted.

Maybe I need to start a discussion on the support forum.


FYI, pasted all these rules to our rules.mer file, modified wsf to wsk, and tested with aaa.wrk.wsk (can't use .wsf, because of our Exchange antivirus), and the attachment was deleted. So, working OK here.

:) 

Mercury version is 4.8. 

Jyrki 


I'm pretty certain it's not my rule logic because when I add an expression rule to detect *.*.* immediately following the ExtnPart rules the double dot attachments get deleted.  Wonder what else is playing a role in this.

Mercury v4.80 here as well.

 


It is now working.  Thank you Jyrki for testing.

I still can't explain how numerous xxxx.doc.wsf and xxxx.xxx.zip attachments came through or why the tests run prior to my post here had failed.  All of the messages that contained these attachments have been deleted so I can't analyze against my filters but I don't know as that would be helpful since my testing was the same yesterday as it was 10 days ago.
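
The check this thread is about, as an added example that is not part of the original posts and is not Mercury's code: take the text after the last dot of each attachment filename in a MIME message and compare it with a blocklist. The function names, the short blocklist and the sample message are constructed for illustration; the filenames follow the patterns mentioned in the posts.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Short constructed blocklist; the RULES.MER quoted above lists many more extensions.
BLOCKED = {"wsf", "zip", "exe", "scr", "vbs"}

def final_extension(filename):
    """Return the lower-cased text after the last dot, or "" if there is no dot."""
    # Windows drops trailing dots and spaces when saving, so "a.doc.wsf." ends up as .wsf.
    name = filename.strip().rstrip(". ")
    _base, dot, ext = name.rpartition(".")
    # A name that is only ".wsf" still counts as a wsf file, so the base is not checked.
    return ext.lower() if dot else ""

def blocked_attachments(raw_message, blocked=BLOCKED):
    """List the attachment filenames whose final extension is in the blocklist."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if final_extension(filename) in blocked:
            hits.append(filename)
    return hits

def build_sample(filenames):
    """Build a constructed test message with one dummy attachment per filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed filter test"
    msg.set_content("test body")
    for name in filenames:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    names = ["invoice.doc.wsf", "report.pdf.zip", "White Mt. School.doc",
             "Black Elem. Job.pdf", "SCAN.DOC.WSF.", "plain.zip"]
    print(blocked_attachments(build_sample(names)))
```

Saving the bytes from `build_sample` as a message file gives a repeatable test input for a mail filter, which helps when the original messages are no longer available to re-test against.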

