MIME header checks matching

Alex Regan
Hi,

I have a series of mime patterns to automatically reject file types
including com, bat, exe, etc. It appears one pattern is matching
incorrectly, and I could use some help making it more accurate. I
don't know if it's something yahoo is doing to their outgoing mail or
the result of this user's mail client.

It appears the question marks are not in the proper place? We'd like
to continue to permit PDF files, but obviously reject com, not the
icloud.com that appears to be part of it.

Jun 14 05:07:13 mail01 postfix/cleanup[1177]: F3AF86800C808: reject:
header Content-Type: application/pdf;??name="Prelim
14.06.17.pdf";??x-apple-part-url="[hidden email]"
from nm3-vm6.bullet.mail.ne1.yahoo.com[98.138.91.96];
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<nm3-vm6.bullet.mail.ne1.yahoo.com>: 5.7.1 content8

/^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.com"?;?$/
REJECT content8

Thanks,
Alex

Re: MIME header checks matching

Noel Jones-2
On 6/14/2017 7:16 AM, Alex wrote:

> Hi,
>
> I have a series of mime patterns to automatically reject file types
> including com, bat, exe, etc. It appears one pattern is matching
> incorrectly, and I could use some help making it more accurate. I
> don't know if it's something yahoo is doing to their outgoing mail or
> the result of this user's mail client.
>
> It appears the question marks are not in the proper place? We'd like
> to continue to permit PDF files, but obviously reject com, not the
> icloud.com that appears to be part of it.
>
> Jun 14 05:07:13 mail01 postfix/cleanup[1177]: F3AF86800C808: reject:
> header Content-Type: application/pdf;??name="Prelim
> 14.06.17.pdf";??x-apple-part-url="[hidden email]"
> from nm3-vm6.bullet.mail.ne1.yahoo.com[98.138.91.96];
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<nm3-vm6.bullet.mail.ne1.yahoo.com>: 5.7.1 content8
>
> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.com"?;?$/
> REJECT content8
>
> Thanks,
> Alex
>


Rather than try to debug your expression, I'll refer you to the nice
example on the header_checks man page.  That example was updated not
too long ago to fix a similar false positive.
http://www.postfix.org/header_checks.5.html


  -- Noel Jones

Re: MIME header checks matching

Andreas Schamanek

On Wed, 14 Jun 2017, at 12:34, Noel Jones wrote:

> > I have a series of mime patterns to automatically reject file types
> > including com, bat, exe, etc. It appears one pattern is matching
> > incorrectly, ...
>
> Rather than try to debug your expression, I'll refer you to the nice
> example on the header_checks man page.  That example was updated not
> too long ago to fix a similar false positive.
> http://www.postfix.org/header_checks.5.html

BTW, I know it's just an example, but it's so wonderfully extensive
that I feel like suggesting to add the frequently abused `.jar` to the
regex.

--
-- Andreas

    :-)


Re: MIME header checks matching

Alex Regan
Hi,

On Wed, Jun 14, 2017 at 2:41 PM, Andreas Schamanek
<[hidden email]> wrote:

>
> On Wed, 14 Jun 2017, at 12:34, Noel Jones wrote:
>
>> > I have a series of mime patterns to automatically reject file types
>> > including com, bat, exe, etc. It appears one pattern is matching
>> > incorrectly, ...
>>
>> Rather than try to debug your expression, I'll refer you to the nice
>> example on the header_checks man page.  That example was updated not
>> too long ago to fix a similar false positive.
>> http://www.postfix.org/header_checks.5.html
>
> BTW, I know it's just an example, but it's so wonderfully extensive
> that I feel like suggesting to add the frequently abused `.jar` to the
> regex.

Thanks very much for this. I've started with the example in
header_checks and expanded it further to include a few other
extensions like jar and dotm.
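
The false positive from the first post, reproduced as an added example (not code from the thread or from the Postfix documentation). It uses Python's `re` as a stand-in for a Postfix regexp/pcre table, a constructed `x-apple-part-url` value in place of the hidden one, and a hypothetical tightened pattern written for this illustration.

```python
import re

# Assumption: these flags approximate Postfix pcre_table defaults
# (case-insensitive, "." also matches the newline of a folded header).
FLAGS = re.IGNORECASE | re.DOTALL

# The rule from the first post; POSIX [[:space:]] is written \s for Python's re.
ORIGINAL = re.compile(
    r'^(Content-(Type|Disposition)\:|\s+).*(file)?name="?.*\.com"?;?$', FLAGS)

# Hypothetical tightened rule (not the man page example): the name value may
# not run past its closing quote or the next ";", and a parameter may follow.
EXT = r"(?:com|bat|exe)"
TIGHTENED = re.compile(
    rf'^Content-(?:Type|Disposition):.*?[;\s](?:file)?name\s*=\s*'
    rf'(?:"[^"]*\.{EXT}"|[^";\s]*\.{EXT})\s*(?:;|$)', FLAGS)

# Constructed headers. The first mirrors the logged one; the part-url value is
# a placeholder because the archive hides the real address.
SAMPLES = {
    "apple_pdf": 'Content-Type: application/pdf;\n\tname="Prelim 14.06.17.pdf";'
                 '\n\tx-apple-part-url="part-id@icloud.com"',
    "plain_com": 'Content-Disposition: attachment; filename="invoice.com"',
    "com_then_param": 'Content-Type: application/x-msdownload; '
                      'name="evil.com"; charset=binary',
    "unquoted_exe": "Content-Type: application/octet-stream; name=setup.exe",
    "plain_pdf": 'Content-Type: application/pdf; name="report.pdf"',
}

def verdicts(header):
    """Return (original_rejects, tightened_rejects) for one logical header."""
    return (ORIGINAL.search(header) is not None,
            TIGHTENED.search(header) is not None)

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:15} original={verdicts(header)[0]!s:5} "
              f"tightened={verdicts(header)[1]!s:5}")
```

The greedy `.*` after `name="` in the original rule runs across the closing quote into the next parameter, so it rejects the PDF, while its `$` anchor lets a `.com` name through whenever another parameter follows. Any rule can be checked against the real table with `postmap -q` before it goes live.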