Solved

Amavisd File filtering issue

Posted on 2016-08-23
8
122 Views
Last Modified: 2016-09-05
Hi,

I have some issues with the simple task of banning some file types in AmaVis-New and I just cannot figure out why it is not working the way it should. Basically, I want to completely block RAR and ZIP files. However, they still come through even though I did specify them in the "Blocked Everywhere" section. I just cannot figure out why they are still coming in. I think I probably missed something simple, but I searched everywhere, and I just get the simple outline on how to specify it in the config. However, in my case all is specified, but it just does not work. Everything else does work and running AmaVis in debug mode does not show any errors. So I guess I have some issue where I maybe specified the ban wrong. I have posted the excerpt of the config that is dealing with the file banning below. Maybe I am missing something. I really appreciate any comment or assistance on this.

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
  qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
  qr'^\.(zip|rar)$',              # banned file(1) types
  qr'^\.(docm|arc|jar)$',              # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
  qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

  qr'^application/x-msdownload$'i,        # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

  # block certain double extensions in filenames
  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

# qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
        wmf|wsc|wsf|wsh|rar|zip)$'ix,                # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
# qr'^\.ani$',                            # banned animated cursor file(1) type
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
0
Question by:Thomanji
8 Comments
 
LVL 39

Expert Comment

by:noci
ID: 41769367
Do the allowed files have capital characters? .ZIP .ZiP etc.?

This may match qr'^\.(zip)$'i

You missed the i (option for ignore case...).
0
 

Author Comment

by:Thomanji
ID: 41769714
Hi
Thanks for your reply. This is a good point, but they come through both in capital and lower case. For example, this morning I got this below with a file called "8e3ca97dad.zip" attached and of course it contains some scam. According to the settings these should be blocked. However, I added the case switch to make sure.

qr'^\.(zip|rar)$'ix,              # banned file(1) types

Let's see if this makes a difference.

Here is the message I got. It was marked as spam but not because of the file.

From - Thu Aug 25 02:06:41 2016
X-Account-Key: account2
X-UIDL: 00089ab2500cd30f
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <Nash.245@aboutgozo.com>
X-Original-To: dmni-info@mailapp.dmni.net
Delivered-To: dmni-info@mailapp.dmni.net
Received: from localhost (localhost [127.0.0.1])
      by mailapp.dmni.net (Postfix) with ESMTP id BFB166201D4;
      Wed, 24 Aug 2016 13:57:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mailapp.dmni.net
X-Spam-Flag: YES
X-Spam-Score: 8.179
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.179 tagged_above=-9999 required=5
      tests=[BAYES_95=3, DCC_CHECK=2.9, RDNS_NONE=1.5, SPF_NEUTRAL=0.779]
      autolearn=no
X-Spam-Report:
 *  0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 *  3.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
 *      [score: 0.9849]
 *  2.9 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
 *  1.5 RDNS_NONE Delivered to internal network by a host with no rDNS
Received: from mailapp.dmni.net ([10.0.73.154])
      by localhost (mailapp.dmni.net [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id Dk3f2mx1gHsa; Wed, 24 Aug 2016 13:57:20 -0400 (EDT)
Received: from [39.33.0.34] (unknown [39.33.71.157])
      by mailapp.dmni.net (Postfix) with ESMTP id 277D1621780
      for <admin@happywater.my>; Wed, 24 Aug 2016 13:57:17 -0400 (EDT)
To: "admin" <admin@happywater.my>
Subject: ***SPAM***(8.179)*** Contract
Date: Wed, 24 Aug 2016 22:57:09 +0500
From: "Trent Nash" <Nash.245@aboutgozo.com>
Message-ID: <b9521bd4c0694834ad9d068df3dc3cba@happywater.my>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related;
      type="text/html";
      boundary="b1_d6f0f5eb07afc6146da1b1c77103d38e"

--b1_d6f0f5eb07afc6146da1b1c77103d38e
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

Please sign the attached contract with our technical service company for =
2016 =96 2017.
We would appreciate your quick response.


King regards,
Trent Nash

(Digital-Signature: ee203804aa27e12c610bbfe86e4dccb896b4f5bd266c)

--b1_d6f0f5eb07afc6146da1b1c77103d38e
Content-Type: application/x-zip-compressed; name="8e3ca97dad.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="8e3ca97dad.zip"
0
 
LVL 39

Expert Comment

by:noci
ID: 41770632
No, this would have matched anyway. I am not sure if further testing is still done in amavis when it already is declared spam; I need to check the code/docs for that and time is rather sparse at the moment. In a few weeks I can look into it...
0
 

Author Comment

by:Thomanji
ID: 41771282
Thanks, however also emails that are not classified as spam still have zip attachments. Mostly in lower case.

I also ensured that
$final_banned_destiny     = D_DISCARD;
is set and bypass options are commented out. It's really strange.
0
 
LVL 39

Expert Comment

by:noci
ID: 41771360
You may get a bit more info by running amavis in debug mode.

What are your settings in the final_destination_by_ccat?
If CC_BANNED is D_DISCARD but spam is not, then if classified as SPAM it should follow CC_SPAM.

The other thing you can do is defang_banned, which should pass on "spam mail" but only with banned content removed.
And if you don't want to search through .zips anyway, you may want to disable dissecting the .zip file by uncommenting the entry in @decoders.
0
 

Author Comment

by:Thomanji
ID: 41774761
Hi, thank you very much for the info.
While thinking about this, it might be that it does not ban the attachment of non-spam and spammy. Which could be why it goes through, but this would defeat the whole banning purpose.
Since you were interested in the settings, I sent you a message with the config. If you have any ideas for me I would be very happy. This is giving me gray hair.
0
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
ID: 41777846
In your config there is a typo in an address: ....\@$@... should be ...\@...
Also the policy banks are misused (just one for incoming & outgoing?).
Named outgoing and set up for outgoing (thus disabling checking for attachments, assuming all inside systems behave sane).
0
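The two points raised in this thread, noci's note that a case-sensitive qr'^\.(zip)$' will not match ".ZIP", and the accepted answer that a single policy bank set up for outgoing mail disables the attachment check for inbound mail as well, can both be checked offline. The following is an added example written for this page, not amavisd-new's own code: a small Python model of the ordered $banned_filename_re lookup, with the question's active Perl qr'' patterns transliterated to Python re. It assumes (as a simplification of amavisd) that each part along the chain from the outer message to the attachment is checked under three names in this order: the short file(1) type written as ".zip", the declared MIME type, and the declared filename; that the first matching rule decides, with the [ qr'...' => 0 ] form meaning "explicitly allowed, stop"; and that a policy bank tuned for originating mail bypasses banned-name checks altogether (as the ORIGINATING bank in amavisd.conf-sample does with bypass_banned_checks_maps). The sample attachments, bank names and the "INVOICE.ZIP" part with no file(1) type are constructed for the example; the "8e3ca97dad.zip" part is taken from the message quoted above.

```python
import re
from typing import NamedTuple, Optional

# Banned-name rules transliterated from the active qr'' entries of the
# question's $banned_filename_re (commented-out Perl entries omitted).
# Tuple = (pattern, re flags, value): value 1 means "banned", value 0
# reproduces the [ qr'...' => 0 ] form, which allows the name and stops.
BANNED_RULES = [
    (r'^UNDECIPHERABLE$', 0, 1),
    (r'^\.(exe-ms|dll)$', 0, 1),
    (r'^\.(exe|lha|cab|dll)$', 0, 1),
    (r'^\.(zip|rar)$', 0, 1),                 # case-sensitive, as in the question
    (r'^\.(docm|arc|jar)$', 0, 1),
    (r'^\.(rpm|cpio|tar)$', 0, 0),            # allow anything inside Unix-type archives
    (r'.\.(pif|scr)$', re.I, 1),
    (r'^\.zip$', 0, 1),
    (r'^application/x-msdownload$', re.I, 1),
    (r'^application/x-msdos-program$', re.I, 1),
    (r'^application/hta$', re.I, 1),
    (r'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', re.I, 1),
    (r'''.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
            inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
            msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
            wmf|wsc|wsf|wsh|rar|zip)$''', re.I | re.X, 1),   # 'ix' in Perl
    (r'.\.(ani|cur|ico)$', re.I, 1),
    (r'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$', re.I, 1),
]
COMPILED = [(re.compile(p, f), v) for p, f, v in BANNED_RULES]


class Part(NamedTuple):
    file_type: Optional[str]   # short file(1) type, e.g. "zip"; None if undetermined
    mime_type: Optional[str]   # declared Content-Type
    filename: Optional[str]    # declared name/filename parameter


def names_of(part):
    """Names a part is checked under; the order is an assumption of this model."""
    names = []
    if part.file_type:
        names.append('.' + part.file_type)
    if part.mime_type:
        names.append(part.mime_type)
    if part.filename:
        names.append(part.filename)
    return names


def lookup(name):
    """First matching rule decides: (1, pattern) banned, (0, pattern) allowed,
    (None, None) when no rule has an opinion (unanchored search, like Perl =~)."""
    for rx, value in COMPILED:
        if rx.search(name):
            return value, rx.pattern
    return None, None


def banned_lookup(chain):
    """Walk from the outermost part to the attachment; the first decisive name
    wins, so an allowed ancestor (e.g. a tar) lets its contents through."""
    for part in chain:
        for name in names_of(part):
            value, pattern = lookup(name)
            if value is not None:
                return bool(value), name, pattern
    return False, None, None


# Constructed policy banks.  'ORIGINATING_ONLY' models the misconfiguration the
# accepted answer describes: one bank tuned for outgoing mail (banned checks
# bypassed) that also receives inbound traffic.  'INBOUND' keeps the checks on.
POLICY_BANKS = {
    'ORIGINATING_ONLY': {'bypass_banned_checks': True},
    'INBOUND': {'bypass_banned_checks': False},
}


def verdict(chain, bank):
    """Returns ('banned', why) or ('passed', why) for an attachment chain."""
    if POLICY_BANKS[bank]['bypass_banned_checks']:
        return 'passed', 'banned checks bypassed by policy bank ' + bank
    banned, name, pattern = banned_lookup(chain)
    if banned:
        return 'banned', f'{name} matched {pattern}'
    return 'passed', 'no banned rule matched'


# Sample attachments (constructed; the first one mirrors the quoted message).
TOP = Part(None, 'multipart/related', None)
SCAM_ZIP = [TOP, Part('zip', 'application/x-zip-compressed', '8e3ca97dad.zip')]
UPPER_ZIP_NO_FILETYPE = [TOP, Part(None, 'application/octet-stream', 'INVOICE.ZIP')]
EXE_IN_TAR = [TOP, Part('tar', 'application/x-tar', 'bundle.tar'),
              Part('exe', 'application/x-msdownload', 'setup.exe')]

if __name__ == '__main__':
    for label, chain in [('scam zip', SCAM_ZIP), ('upper-case zip', UPPER_ZIP_NO_FILETYPE),
                         ('exe in tar', EXE_IN_TAR)]:
        for bank in POLICY_BANKS:
            print(f'{label:15} {bank:17} {verdict(chain, bank)}')
    print('.zip ->', lookup('.zip'), ' .ZIP ->', lookup('.ZIP'))
```

Run as-is, the model shows that the question's rules do catch "8e3ca97dad.zip" (the ".zip" file type hits `^\.(zip|rar)$` before the filename is even looked at) and that an upper-case "INVOICE.ZIP" with no file(1) type is still caught by the long extension list because it carries the i flag, while the case-sensitive `^\.(zip|rar)$` alone would not match ".ZIP". The only way the zip passes in this model is through a bank that bypasses banned checks, which is the policy-bank mistake the accepted answer points at.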
 

Author Closing Comment

by:Thomanji
ID: 41784385
Thank you very much for the assistance. It was very helpful. After looking at it, it all makes sense. I still have to figure out how to separate the 2 policies, but I will figure it out. Thank you for your help.
0
