Mailing List Archive

Block double extensions
This may be better for procmail but if I wanted to flag an email with an
attachment with double extensions what would be a good rule for this?
Thanks
Re: Block double extensions
At 06:01 PM 2/23/2004, en wrote:
>This may be better for procmail but if I wanted to flag an email with an
>attachment with double extensions what would be a good rule for this?
>Thanks

Generally speaking, SA isn't a particularly optimal tool for this. SA
doesn't parse attachment headers, and doing so via a rawbody rule isn't
possible in recent versions of SA.


Theoretically, a rule like one of these would work:

rawbody LOCAL_DOUBLE_EXTENSION /Content-Disposition\:\s*attachment\;\s*filename=\s?\S*\.[a-z]{3}\.[a-z]{3}\"/i
header LOCAL_DOUBLE_EXTENSION_h Content-Disposition =~ /attachment\;\s*filename=\s?\S*\.[a-z]{3}\.[a-z]{3}\"/i

However, in reality they don't... In order to prevent false positives, SA's
mime parser removes octet-stream sections from the email before any rules
are run, even rawbody.

And this behavior makes sense. After all, SA's purpose is to evaluate the
email to see if it's spam. Binary attachments aren't a part of its
concerns. And it does prevent a lot of the rawbody rules from
false-alerting on messages with binary attachments.

If you need file-extension blocking, etc., I'd recommend looking at
MailScanner. It's a very handy integration tool for SpamAssassin and virus
scanners. It's also got a "filename rules" feature, which by default
handles most double-extensions, and has a list of "safe" extensions that it
passes before doing the double-extension check (i.e. file.tar.gz is
perfectly safe, as is contacts.dec.txt).
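The check the reply describes (pass a filename whose final extension is on a safe list, otherwise flag anything with two or more extensions) as an added, stand-alone example that is not from the thread, from SpamAssassin or from MailScanner. It parses the MIME structure itself with Python's email module, so it sees the octet-stream parts that SA strips before running rules, and can be called from a procmail filter or a milter. The safe-extension list, the helper names and the sample message are all assumptions made for this example.

```python
"""Flag MIME attachments whose filename carries a double extension.

Added example, not code from the original thread. Policy mirrored from the
reply: a final extension on an allow-list passes before the double-extension
check (file.tar.gz and contacts.dec.txt are fine); anything else whose name
ends in two or more extension-like components is flagged.
"""
import re
from email import message_from_string
from email.policy import default

# Assumed allow-list: a multi-dot name whose LAST extension is one of these
# is considered harmless, as with MailScanner's "safe" extensions.
SAFE_FINAL_EXTENSIONS = {"txt", "gz", "bz2", "xz", "zip", "pdf",
                         "jpg", "jpeg", "png", "gif"}

# A component counts as an extension only if it is short and alphanumeric,
# so "John Q. Public.doc" does not read as a double extension.
EXT_PART = re.compile(r"[A-Za-z0-9]{1,4}")


def extension_chain(filename):
    """Return the trailing chain of extensions, lowercased.

    'invoice.pdf.exe' -> ['pdf', 'exe'].  Whitespace is removed first so
    the padded form 'readme.txt        .exe' is seen as 'readme.txt.exe'.
    The base name (everything before the first dot) is never an extension.
    """
    name = re.sub(r"\s+", "", filename)
    parts = name.split(".")
    chain = []
    for part in reversed(parts[1:]):
        if EXT_PART.fullmatch(part):
            chain.insert(0, part.lower())
        else:
            break  # stop at the first component that is not extension-like
    return chain


def classify(filename):
    """Return (verdict, reason) for one attachment filename."""
    chain = extension_chain(filename)
    if len(chain) < 2:
        return "pass", "single extension" if chain else "no extension"
    if chain[-1] in SAFE_FINAL_EXTENSIONS:
        return "pass", "final extension .%s is on the safe list" % chain[-1]
    return "flag", "double extension ." + ".".join(chain)


def scan_message(raw):
    """Parse a raw RFC 822 message; return [(filename, verdict, reason)].

    get_filename() reads the Content-Disposition filename parameter and
    falls back to the Content-Type name parameter, so attachments that only
    carry name= are checked as well.
    """
    msg = message_from_string(raw, policy=default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        verdict, reason = classify(filename)
        results.append((filename, verdict, reason))
    return results


# Constructed sample message (not a real capture) with four attachments.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY
Content-Type: application/x-gzip
Content-Disposition: attachment; filename="report.tar.gz"
Content-Transfer-Encoding: base64

H4sIAAAAAAAAAwMAAAAAAAAAAAA=
--BOUNDARY
Content-Type: text/plain
Content-Disposition: attachment; filename="contacts.dec.txt"

alice,bob
--BOUNDARY
Content-Type: application/octet-stream; name="readme.txt                    .scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

if __name__ == "__main__":
    for filename, verdict, reason in scan_message(SAMPLE):
        print("%-4s %-40r %s" % (verdict, filename, reason))
```

Run from procmail by piping the message through the script and acting on its exit status or output; the trailing-whitespace collapse is what catches the padded "readme.txt  ...  .scr" trick, which the three-letter regex in the reply would miss.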