Solved

Amavisd file filtering issue

Posted on 2016-08-23
Last Modified: 2016-09-05
Hi,

I have some issues with the simple task of banning some file types in AmaVis-New and I just cannot figure out why it is not working the way it should. Basically, I want to completely block RAR and ZIP files. However, they still come through even though I did specify them in the "Blocked Everywhere" section. I just cannot figure out why they are still coming in. I think I am probably missing something simple, but I searched everywhere, and I just get the simple outline on how to specify it in the config. However, in my case all is specified, but it just does not work. Everything else does work and running AmaVis in debug mode does not show any errors. So I guess I have some issue where I maybe specified the ban wrong. I have posted the excerpt of the config that is dealing with the file banning below. Maybe I am missing something. I really appreciate any comment or assistance on this.

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
  qr'^\.(zip|rar)$',              # banned file(1) types
  qr'^\.(docm|arc|jar)$',              # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

# qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
  qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
         inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
         msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
         wmf|wsc|wsf|wsh|rar|zip)$'ix,                # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
  qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
# qr'^\.ani$',                            # banned animated cursor file(1) type
  qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
Question by:Thomanji
8 Comments
LVL 40

Expert Comment

by:noci
ID: 41769367
Do the allowed files have capital characters? .ZIP .ZiP etc.?

This may match qr'^\.(zip)$'i

You missed the i (option for ignore case...)

Author Comment

by:Thomanji
ID: 41769714
Hi
Thanks for your reply. This is a good point, but they come through both in capital and lower case. For example, this morning I got the message below with a file called "8e3ca97dad.zip" attached, and of course it contains some scam. According to the settings these should be blocked. However, I added the case switch to make sure.

qr'^\.(zip|rar)$'ix,              # banned file(1) types

Let's see if this makes a difference.

Here is the message I got. It was marked as spam but not because of the file.

From - Thu Aug 25 02:06:41 2016
X-Account-Key: account2
X-UIDL: 00089ab2500cd30f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <Nash.245@aboutgozo.com>
X-Original-To: dmni-info@mailapp.dmni.net
Delivered-To: dmni-info@mailapp.dmni.net
Received: from localhost (localhost [127.0.0.1])
      by mailapp.dmni.net (Postfix) with ESMTP id BFB166201D4;
      Wed, 24 Aug 2016 13:57:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mailapp.dmni.net
X-Spam-Flag: YES
X-Spam-Score: 8.179
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.179 tagged_above=-9999 required=5
      tests=[BAYES_95=3, DCC_CHECK=2.9, RDNS_NONE=1.5, SPF_NEUTRAL=0.779]
      autolearn=no
X-Spam-Report:
 *  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 *  3.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
 *      [score: 0.9849]
 *  2.9 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 *  1.5 RDNS_NONE Delivered to internal network by a host with no rDNS
Received: from mailapp.dmni.net ([10.0.73.154])
      by localhost (mailapp.dmni.net [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id Dk3f2mx1gHsa; Wed, 24 Aug 2016 13:57:20 -0400 (EDT)
Received: from [39.33.0.34] (unknown [39.33.71.157])
      by mailapp.dmni.net (Postfix) with ESMTP id 277D1621780
      for <admin@happywater.my>; Wed, 24 Aug 2016 13:57:17 -0400 (EDT)
To: "admin" <admin@happywater.my>
Subject: ***SPAM***(8.179)*** Contract
Date: Wed, 24 Aug 2016 22:57:09 +0500
From: "Trent Nash" <Nash.245@aboutgozo.com>
Message-ID: <b9521bd4c0694834ad9d068df3dc3cba@happywater.my>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related;
      type="text/html";
      boundary="b1_d6f0f5eb07afc6146da1b1c77103d38e"

--b1_d6f0f5eb07afc6146da1b1c77103d38e
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

Please sign the attached contract with our technical service company for =
2016 =96 2017.
We would appreciate your quick response.


King regards,
Trent Nash

(Digital-Signature: ee203804aa27e12c610bbfe86e4dccb896b4f5bd266c)

--b1_d6f0f5eb07afc6146da1b1c77103d38e
Content-Type: application/x-zip-compressed; name="8e3ca97dad.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="8e3ca97dad.zip"
LVL 40

Expert Comment

by:noci
ID: 41770632
No, this would have matched anyway. I am not sure if further testing is still done in amavis when it already is declared spam; I need to check the code/docs for that and time is rather sparse at the moment. In a few weeks I can look into it...
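An added emulation of the rule walk over the posted $banned_filename_re (Python written for this thread, not amavisd's own code). It assumes amavisd tests each part's declared name, its file(1) short type written as ".zip" and its Content-Type, with the attributes of enclosing archives listed first, and that the first rule in list order that matches any attribute decides; the zip attachment values come from the quoted message, the .vbs and tar parts are constructed. It illustrates noci's point above: the zip attachment is caught by the type rule whether or not the name is upper case, so the rule list itself is not what let it through.

```python
import re

# Emulation of amavisd-new's $banned_filename_re evaluation (assumed semantics,
# see lead-in): entries are either a regex (match => banned) or a (regex, 0)
# pair (match => allowed); the first matching rule in list order decides.
BAN, ALLOW = 1, 0

# Subset of the rules from the posted config, translated to Python regexes.
BANNED_FILENAME_RE = [
    (re.compile(r"^UNDECIPHERABLE$"), BAN),
    (re.compile(r"^\.(exe|lha|cab|dll)$"), BAN),       # file(1) types, anywhere
    (re.compile(r"^\.(zip|rar)$"), BAN),               # file(1) types, anywhere
    (re.compile(r"^\.(rpm|cpio|tar)$"), ALLOW),        # allow any in Unix archives
    (re.compile(r"^application/x-msdownload$", re.I), BAN),
    (re.compile(r".\.(exe|vbs|pif|scr|rar|zip)$", re.I), BAN),  # extensions
]


def part_attributes(name, file_type, mime_type):
    """The three attributes checked for one MIME part: name, '.type', MIME type."""
    return [name, "." + file_type, mime_type]


def banned_verdict(parts, rules=BANNED_FILENAME_RE):
    """parts: (name, file_type, mime_type) tuples, outermost archive first.
    Returns (verdict, attribute, pattern) of the first matching rule, or
    (ALLOW, None, None) when no rule matches."""
    attrs = [a for part in parts for a in part_attributes(*part)]
    for regex, verdict in rules:
        for attr in attrs:
            if regex.search(attr):
                return verdict, attr, regex.pattern
    return ALLOW, None, None


if __name__ == "__main__":
    # Values taken from the attachment in the message quoted in the thread.
    print(banned_verdict([("8e3ca97dad.zip", "zip", "application/x-zip-compressed")]))
    # Upper-case name: file(1) still reports "zip", so the type rule hits
    # regardless of the missing /i flag on the extension rules.
    print(banned_verdict([("INVOICE.ZIP", "zip", "application/x-zip-compressed")]))
    # Constructed .vbs (file(1) type assumed "txt"): banned on its own, but
    # allowed inside a tar because the allow entry precedes the extension rule.
    print(banned_verdict([("readme.vbs", "txt", "text/plain")]))
    print(banned_verdict([("files.tar", "tar", "application/x-tar"),
                          ("readme.vbs", "txt", "text/plain")]))
```

Rules placed above the allow entry ("blocked anywhere") still fire inside archives; only rules listed after it are suppressed by the archive's allow match.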

Author Comment

by:Thomanji
ID: 41771282
Thanks, however emails that are not classified as spam also still have zip attachments. Mostly in lower case.

I also ensured that
$final_banned_destiny     = D_DISCARD;
is set and bypass options are commented out. It's really strange.
LVL 40

Expert Comment

by:noci
ID: 41771360
You may get a bit more info by running amavis in debug mode.

What are your settings in the final_destination_by_ccat?
If CC_BANNED is D_DISCARD but spam is not, then if classified as SPAM it should follow CC_SPAM.

The other thing you can do is defang_banned, which should pass on "spam mail" but only with banned content removed.
And if you don't want to search through .zips anyway, you may want to disable dissecting the .zip file by uncommenting the entry in @decoders.

Author Comment

by:Thomanji
ID: 41774761
Hi, thank you very much for the info.
While thinking about this, it might be that it does not ban the attachment of non-spam and spammy mail, which could be why it goes through. But this would defeat the whole banning purpose.
Since you were interested in the settings, I sent you a message with the config. If you have any ideas for me I would be very happy. This is giving me gray hair.
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 41777846
In your config there is a typo in an address ....\@$@...  should be  ...\@...
Also the policy banks are misused (just one for incoming & outgoing?)
Named outgoing and set up for outgoing (thus disabling checking for attachments, assuming all inside systems behave sane).

Author Closing Comment

by:Thomanji
ID: 41784385
Thank you very much for the assistance. It was very helpful. After looking at it, it all makes sense. I still have to figure out how to separate the 2 policies, but I will figure it out. Thank you for your help.