Amavisd File filtering issue


I have some issues with the simple task of banning some file types in AmaVis-New and I just cannot figure out why it is not working the way it should. Basically, I want to completely block RAR and ZIP files. However, they still come through even though I did specify them in the "Blocked Everywhere" section. I just cannot figure out why they are still coming in. I think I probably miss something simple, but I searched everywhere, and I just get the simple outline on how to specify it in the config. However, in my case all is specified, but it just does not work. Everything else does work and running AmaVis in debug mode does not show any errors. So I guess I have some issue where I maybe specified the ban wrong. I have posted the excerpt of the config that is dealing with the file banning below. Maybe I am missing something. I really appreciate any comment or assistance on this.

$banned_filename_re = new_RE(

  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
  qr'^\.(zip|rar)$',              # banned file(1) types
  qr'^\.(docm|arc|jar)$',              # banned file(1) types

# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^\.zip$',                            # block zip type

# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

# qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
        wmf|wsc|wsf|wsh|rar|zip)$'ix,                # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
# qr'^\.ani$',                            # banned animated cursor file(1) type
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
# See;EN-US;q262631
# and
nociSoftware EngineerCommented:
In your config there is a typo in an address ....\@$@...  should be  ...\@...
Also the policy banks are misused (just one for incoming & outgoing?)
Named outgoing and set up for outgoing (Thus disabling checking for attachments, assuming all inside systems behave sane).
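
The policy-bank separation described in the comment above, as an added amavisd.conf sketch that is not the asker's configuration (which the page does not show). Port 10024 appears in the message headers further down; port 10026, the bank name ORIGINATING and the virusalert address follow the sample amavisd.conf and are assumptions here.

```perl
# Added illustration; not the asker's actual amavisd.conf.

# Misconfigured layout (assumed): one bank, written for outgoing mail,
# is also bound to the port that receives inbound mail from the MTA.
# Every message then loads bypass_banned_checks_maps => [1], so
# $banned_filename_re is never consulted.
#
#   $inet_socket_port = 10024;
#   $interface_policy{'10024'} = 'ORIGINATING';

# Separated layout: inbound mail on 10024 runs with the global settings,
# so $banned_filename_re and $final_banned_destiny apply to it. Only mail
# that the MTA routes to 10026 (internal or authenticated senders) loads
# the outgoing bank.
$inet_socket_port = [10024, 10026];
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {
  originating => 1,                  # mail submitted by our own users
  bypass_banned_checks_maps => [1],  # skips banned name/type checks
  # '@' must be escaped inside double quotes: "\@$mydomain"
  virus_admin_maps => ["virusalert\@$mydomain"],
};

# If outgoing attachments should be checked as well, drop the
# bypass_banned_checks_maps line from the bank instead of relying on
# inside systems behaving sanely.
```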
nociSoftware EngineerCommented:
Do the allowed files have capital characters? .ZIP .ZiP etc.?

this may match qr'^\.(zip)$'i

you missed the i (option for ignore case...)
ThomasPartnerAuthor Commented:
Thanks for your reply. This is a good point but they come through both in capital and lower. For example this morning I got this below with a file called "" attached and of course it contains some scam. According to the settings these should be blocked. However I added the case switch to make sure.

qr'^\.(zip|rar)$'ix,              # banned file(1) types

Let's see if this makes a difference.

Here is the message I got. It was marked as spam but not because of the file.

From - Thu Aug 25 02:06:41 2016
X-Account-Key: account2
X-UIDL: 00089ab2500cd30f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <>
Received: from localhost (localhost [])
      by (Postfix) with ESMTP id BFB166201D4;
      Wed, 24 Aug 2016 13:57:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: YES
X-Spam-Score: 8.179
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.179 tagged_above=-9999 required=5
      tests=[BAYES_95=3, DCC_CHECK=2.9, RDNS_NONE=1.5, SPF_NEUTRAL=0.779]
 *  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 *  3.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
 *      [score: 0.9849]
 *  2.9 DCC_CHECK Detected as bulk mail by DCC (
 *  1.5 RDNS_NONE Delivered to internal network by a host with no rDNS
Received: from ([])
      by localhost ( []) (amavisd-new, port 10024)
      with ESMTP id Dk3f2mx1gHsa; Wed, 24 Aug 2016 13:57:20 -0400 (EDT)
Received: from [] (unknown [])
      by (Postfix) with ESMTP id 277D1621780
      for <>; Wed, 24 Aug 2016 13:57:17 -0400 (EDT)
To: "admin" <>
Subject: ***SPAM***(8.179)*** Contract
Date: Wed, 24 Aug 2016 22:57:09 +0500
From: "Trent Nash" <>
Message-ID: <>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related;

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable


Please sign the attached contract with our technical service company for =
2016 =96 2017.
We would appreciate your quick response.

King regards,
Trent Nash

(Digital-Signature: ee203804aa27e12c610bbfe86e4dccb896b4f5bd266c)

Content-Type: application/x-zip-compressed; name=""
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=""

nociSoftware EngineerCommented:
No, this would have matched anyway. I am not sure if further testing is still done in amavis when it already is declared spam; I need to check the code/docs for that, and time is rather sparse at the moment. In a few weeks I can look into it...
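
Why the case flag makes no difference for the file(1)-type rule, as an added Perl example that is not part of the thread and not amavisd's own code. It is a simplified model of a first-match-wins banned list; the file name and the rule sets are constructed, and the assumption is that amavisd tests a lowercase short type with a leading dot alongside the MIME type and the declared name.

```perl
#!/usr/bin/perl
# Added example: simplified model of a banned-name rule list.
use strict;
use warnings;

# Constructed sample part. The short type comes from file(1) output and
# is lowercase regardless of how the sender spelled the file name.
my %part = (
  type => '.zip',
  mime => 'application/x-zip-compressed',
  name => 'Contract.ZIP',   # constructed; the page shows the name blank
);

# First matching rule wins. A bare qr bans; [ qr => 0 ] allows.
sub verdict {
  my ($rules, $part) = @_;
  for my $rule (@$rules) {
    my ($re, $ban) = ref $rule eq 'ARRAY' ? @$rule : ($rule, 1);
    for my $field (qw(type mime name)) {
      return ($ban ? 'BANNED' : 'allowed') . " on $field by $re"
        if $part->{$field} =~ $re;
    }
  }
  return 'no rule matched';
}

my @cases = (
  [ 'type rule, no /i'   => [ qr'^\.(zip|rar)$' ] ],
  [ 'name rule, no /i'   => [ qr'.\.(zip|rar)$' ] ],
  [ 'name rule, with /i' => [ qr'.\.(zip|rar)$'i ] ],
  [ 'allow listed first' => [ [ qr'^\.(zip|rar)$' => 0 ],
                              qr'.\.(zip|rar)$'i ] ],
);

printf "%-20s %s\n", $_->[0], verdict($_->[1], \%part) for @cases;
```

Only the extension rule depends on the `i` flag; the type rule already matches the lowercase short type, and an allow entry placed earlier in the list overrides any ban that follows it.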
ThomasPartnerAuthor Commented:
Thanks, however also emails that are not classified as spam have still zip attachments. Mostly in lower case.

I also ensured that
$final_banned_destiny     = D_DISCARD;
is set and bypass options are commented out. It's really strange.
nociSoftware EngineerCommented:
You may get a bit more info by running amavis in debug mode.

What are your settings in the final_destination_by_ccat
If CC_BANNED is D_DISCARD, but spam is not if classified as SPAM it should follow CC_SPAM.

The other thing you can do is defang_banned, which should pass on "spam mail" but only with banned content removed.
And you don't want to search through .zips anyway; you may want to disable dissecting the .zip file by uncommenting the entry in @decoders
ThomasPartnerAuthor Commented:
Hi, Thank you very much for the info.
While thinking about this it might be that it does not ban the attachment of non spam and spammy. Which could be why it goes through. But this would define the whole banning purpose.
Since you were interested in the settings I send you a message with the config. If you have any ideas for me I would be very happy. This is giving me Gray hair
ThomasPartnerAuthor Commented:
Thank you very much for the assistance. It was very helpful. After looking it all makes sense. Still have to figure out to separate the 2 policies but I will figure it out. Thank you for your help.
Question has a verified solution.
