Thread: amavisd-release / mbox quarantine

amavisd-release / mbox quarantine
Germany, 2007-08-23 10:52:56
Hello,
I have (for the first time) a false positive on outgoing mail
(signed employee health insurance reports) with the following ban reason:

X-Amavis-Alert: BANNED, message contains part: multipart/mixed | application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001

Don't ask me where it gets that .exe information from; it doesn't appear
in the MIME parts. However, I would like to release that file to the
health insurance destination without modifying too much.
We are using an mbox quarantine ($QUARANTINEDIR = '/var/spool/virus';).
Is there a way to release this from the mbox? Or should I go for maildir
style in future (which means some rewriting of statistical scripts)?
Thanks in advance.
## detailed info:
ban pattern from amavisd.conf
$banned_filename_re = new_RE(
# (backslashes before the literal dots, lost in the archive copy, restored)
# qr'^UNDECIPHERABLE$',                   # is or contains any undecipherable components
  qr'.\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,  # double extension
# qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i,             # banned extension - basic
  qr'.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|
         inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|
         scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh)$'ix,  # banned extension - long
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
# qr'^\.(zip|lha|tnef|cab)$'i,            # banned file(1) types
  qr'^\.exe$'i,                           # banned file(1) types
  qr'^application/x-msdownload$'i,        # banned MIME types
  qr'^application/x-msdos-program$'i,
# qr'^message/partial$'i, qr'^message/external-body$'i,  # block rfc2046
);
## mime types/filenames of banned e-mail:
Content-Type: Multipart/Mixed; boundary="BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv"

--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

EBNA0006.auf,348,20070823:1503
EBNA0006,5958,20070823:1503
Dateinr:=2024

--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: application/octet-stream; name=EBNA0006
Content-Disposition: attachment; filename="EBNA0006"
Content-Transfer-Encoding: BASE64

--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: application/octet-stream; name=EBNA0006.AUF
Content-Disposition: attachment; filename="EBNA0006.AUF"
Content-Transfer-Encoding: BASE64

--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv--
--
Robert Felber (PGP: 896CF30B)
Munich, Germany
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
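The X-Amavis-Alert header above lists, for each nested part, the names amavisd tried against $banned_filename_re: the declared content type, a ".type" derived from file(1), and the file name. As an added example (not part of Robert's post and not amavisd's own code), the script below replays the uncommented rules from the posted configuration against exactly those names, so you can see which rule fired. The Perl qr'' patterns are transcribed to Python re with the same /i and /x flags, with the backslashes before literal dots restored (the archive copy dropped them); the extra file names tried at the end are constructed, not from the thread.

```python
"""Replay amavisd's $banned_filename_re against the names in an
X-Amavis-Alert header to see which rule fired.

Added example, not amavisd's code.  The rules are the uncommented entries
of the $banned_filename_re posted in this thread, transcribed from Perl
qr'' to Python re (same /i and /x flags; backslashes before literal dots
restored, the archive copy had dropped them).
"""
import re

# (compiled rule, comment from amavisd.conf), in the order amavisd tries them.
BANNED_FILENAME_RE = [
    (re.compile(r'.\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$', re.I),
     'double extension'),
    (re.compile(r'''.\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|
                inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|
                scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh)$''', re.I | re.X),
     'banned extension - long'),
    (re.compile(r'^\.exe$', re.I), 'banned file(1) types'),
    (re.compile(r'^application/x-msdownload$', re.I), 'banned MIME types'),
    (re.compile(r'^application/x-msdos-program$', re.I), 'banned MIME types'),
]

# The header from the banned report, as posted in the thread.
ALERT = ('X-Amavis-Alert: BANNED, message contains part: multipart/mixed | '
         'application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001')


def parse_alert(alert):
    """Split the 'message contains part:' chain into parts, outermost first.

    Each '|'-separated element is one (possibly decoded) part; each
    comma-separated item in it is a name amavisd tries against the rules:
    the declared content type, a '.type' derived from file(1), the file name.
    """
    _, _, chain = alert.partition('message contains part:')
    return [[n.strip() for n in part.split(',') if n.strip()]
            for part in chain.split('|') if part.strip()]


def first_match(name):
    """Comment of the first rule matching `name`, or None if it passes."""
    for rule, what in BANNED_FILENAME_RE:
        if rule.search(name):
            return what
    return None


def explain_ban(alert):
    """All (name, rule) pairs that ban the message described by `alert`;
    an empty list means no rule fires on any listed name."""
    hits = []
    for part in parse_alert(alert):
        for name in part:
            what = first_match(name)
            if what is not None:
                hits.append((name, what))
    return hits


if __name__ == '__main__':
    for name, why in explain_ban(ALERT):
        print(f'{name!r} banned by rule: {why}')
    # A few other names (constructed) to show what the same list does and
    # does not catch: the real attachment names pass, a double extension and
    # a plain .exe name are caught by different rules.
    for name in ('EBNA0006.AUF', 'report.pdf.exe', 'setup.exe',
                 'application/x-msdownload'):
        print(f'{name!r}: {first_match(name) or "passes"}')
```

Run against the posted header, the only hit is ".exe" via the `^\.exe$` rule: neither of the real file names nor the declared content type matches anything, so the ban comes entirely from the file(1) short type assigned to the uudecoded product UNKNOWN.001.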

Re: amavisd-release / mbox quarantine
Germany, 2007-08-23 12:32:54
On Thu, Aug 23, 2007 at 05:52:33PM +0200, Robert Felber wrote:
> ## mime types/filenames of banned e-mail:
>
> Content-Type: Multipart/Mixed; boundary="BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv"
>
> --BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> EBNA0006.auf,348,20070823:1503
> EBNA0006,5958,20070823:1503
> Dateinr:=2024
>
> --BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
> Content-Type: application/octet-stream; name=EBNA0006
> Content-Disposition: attachment; filename="EBNA0006"
> Content-Transfer-Encoding: BASE64
>
> --BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
> Content-Type: application/octet-stream; name=EBNA0006.AUF
> Content-Disposition: attachment; filename="EBNA0006.AUF"
> Content-Transfer-Encoding: BASE64
>
> --BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv--

I thought that it may be a file(1) issue, but file(1) says:

EBNA0006: ASCII text, with CRLF line terminators
EBNA0006.AUF: ASCII text, with very long lines, with no line terminators
--
Robert Felber (PGP: 896CF30B)
Munich, Germany

Re: amavisd-release / mbox quarantine
Slovenia, 2007-08-23 12:41:52
Robert,
> X-Amavis-Alert: BANNED, message contains part: multipart/mixed |
> application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001
>
> Don't ask me where it gets that .exe information from; it doesn't appear
> in the MIME parts

> I thought that it may be a file(1) issue, but file(1) says:
> EBNA0006: ASCII text, with CRLF line terminators
> EBNA0006.AUF: ASCII text, with very long lines, with no line terminators

The EBNA0006 MIME part is somehow decoded by uudecode (quite likely
unwarrantedly), resulting in a file UNKNOWN.001, which when
qualified by the file(1) utility results in a '.exe' short file type.

> however, I would like to release that file to the
> health insurance destination without modifying too much.
> We are using an mbox quarantine ($QUARANTINEDIR = '/var/spool/virus';)
> Is there a way to release this from the mbox? Or should I go for maildir
> style in future (which means some rewriting of statistical scripts).

amavisd (with amavisd-release) is unable to release from an mbox
style quarantine, you will need to do it manually.
A maildir style or a SQL quarantine would be a better choice.
Mark
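One way to do the manual release Mark describes, as an added example that is neither amavisd's own code nor part of the thread: a Python script that pulls one message out of the mbox quarantine by its X-Quarantine-ID, strips the headers amavisd added for its own bookkeeping, writes the result to a file and can hand it to the MTA with the original envelope. It assumes the quarantined copy carries the X-Quarantine-ID, X-Envelope-From and X-Envelope-To headers that amavisd prepends, and that 127.0.0.1:10025 is a listener that does not route mail back through the content filter (the usual Postfix re-injection port; adjust for your MTA, otherwise the released mail is simply banned again). The sample mbox, quarantine IDs and addresses are constructed for the demo.

```python
"""Release one message from an mbox-style amavisd quarantine by hand.

Added example, not amavisd's code.  Assumes the quarantined copy carries the
X-Quarantine-ID, X-Envelope-From and X-Envelope-To headers that amavisd
prepends, and that 127.0.0.1:10025 is a listener that bypasses the content
filter (the usual Postfix re-injection port; otherwise the released mail is
simply banned again).  Sample mbox, addresses and IDs are constructed.
"""
import mailbox
import os
import smtplib
import tempfile

# Constructed two-message quarantine.  The second message mimics the banned
# outgoing report from the thread; quarantine IDs and addresses are made up.
SAMPLE_MBOX = """\
From MAILER-DAEMON Thu Aug 23 17:00:00 2007
X-Quarantine-ID: <q7A3kXyZ0000>
X-Envelope-From: <someone@example.com>
X-Envelope-To: <other@example.net>
Message-ID: <first@example.com>
Subject: some other banned mail
Content-Type: text/plain

not the one we want

From MAILER-DAEMON Thu Aug 23 17:52:33 2007
X-Quarantine-ID: <q7A3kXyZ0001>
X-Envelope-From: <reports@example.com>
X-Envelope-To: <insurance@example.org>,
  <archive@example.com>
X-Amavis-Alert: BANNED, message contains part: multipart/mixed |
  application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001
Message-ID: <second@example.com>
Subject: EBNA0006
Content-Type: multipart/mixed; boundary="BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv"

--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: text/plain; charset=ISO-8859-1

EBNA0006,5958,20070823:1503
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: application/octet-stream; name=EBNA0006
Content-Disposition: attachment; filename="EBNA0006"
Content-Transfer-Encoding: BASE64

UExBQ0VIT0xERVI=
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv--

"""

# Headers amavisd adds to the quarantined copy; they must not go out with the
# released mail (X-Amavis-Alert would also leak the filter verdict).
AMAVIS_HEADERS = ('X-Quarantine-ID', 'X-Envelope-From', 'X-Envelope-To',
                  'X-Amavis-Alert')


def envelope(msg):
    """(sender, [recipients]) from amavisd's X-Envelope-* headers."""
    sender = msg.get('X-Envelope-From', '').strip().strip('<>')
    rcpts = [r.strip().strip('<>')
             for r in msg.get('X-Envelope-To', '').split(',') if r.strip()]
    return sender, rcpts


def strip_headers(raw, names):
    """Drop the named headers (and their folded continuation lines) from a
    raw message; the body is passed through untouched."""
    head, sep, body = raw.partition(b'\n\n')
    prefixes = tuple(n.lower().encode() + b':' for n in names)
    kept, skipping = [], False
    for line in head.split(b'\n'):
        if line[:1] in (b' ', b'\t'):         # continuation of previous header
            if not skipping:
                kept.append(line)
            continue
        skipping = line.lower().startswith(prefixes)
        if not skipping:
            kept.append(line)
    return b'\n'.join(kept) + sep + body


def find_quarantined(mbox_path, quarantine_id):
    """(raw_bytes, (sender, rcpts)) of the message with that X-Quarantine-ID,
    or None.  Read-only: the mbox is never rewritten."""
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for key, msg in box.iteritems():
            if msg.get('X-Quarantine-ID', '').strip().strip('<>') == quarantine_id:
                return box.get_bytes(key), envelope(msg)
    finally:
        box.close()
    return None


def release_to_file(mbox_path, quarantine_id, out_dir):
    """Write the message as <quarantine_id>.eml without amavisd's bookkeeping
    headers; return (path, sender, rcpts) for re-injection."""
    found = find_quarantined(mbox_path, quarantine_id)
    if found is None:
        raise KeyError(f'no message with X-Quarantine-ID {quarantine_id}')
    raw, (sender, rcpts) = found
    path = os.path.join(out_dir, f'{quarantine_id}.eml')
    with open(path, 'wb') as f:
        f.write(strip_headers(raw, AMAVIS_HEADERS))
    return path, sender, rcpts


def reinject(path, sender, rcpts, host='127.0.0.1', port=10025):
    """Hand the released message to the MTA with its original envelope, on the
    listener that skips the content filter (assumed; see module docstring)."""
    with open(path, 'rb') as f, smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(sender, rcpts, f.read())


def demo(quarantine_id='q7A3kXyZ0001'):
    """Release from the constructed mbox; returns (released_bytes, sender, rcpts)."""
    with tempfile.TemporaryDirectory() as d:
        mbox_path = os.path.join(d, 'virus')
        with open(mbox_path, 'wb') as f:
            f.write(SAMPLE_MBOX.encode('latin-1'))
        path, sender, rcpts = release_to_file(mbox_path, quarantine_id, d)
        with open(path, 'rb') as f:
            return f.read(), sender, rcpts


if __name__ == '__main__':
    raw, sender, rcpts = demo()
    print(f'would re-inject {len(raw)} bytes from <{sender}> to {rcpts}')
    # On the real box: p, s, r = release_to_file('/var/spool/virus', qid, '/tmp')
    # then, after looking at p, reinject(p, s, r).
```

Work on a copy of the mbox (amavisd keeps appending to the live one), inspect the .eml before calling reinject, and keep X-Amavis-Alert out of the released copy: the recipient has no business seeing your filter's verdict or rule names.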

Re: amavisd-release / mbox quarantine
Germany, 2007-08-23 13:13:24
On Thu, Aug 23, 2007 at 07:41:29PM +0200, Mark Martinec wrote:
> Robert,
>
> > X-Amavis-Alert: BANNED, message contains part: multipart/mixed |
> > application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001
> >
> > Don't ask me where it gets that .exe information from; it doesn't appear
> > in the MIME parts
>
> > I thought that it may be a file(1) issue, but file(1) says:
> > EBNA0006: ASCII text, with CRLF line terminators
> > EBNA0006.AUF: ASCII text, with very long lines, with no line terminators
>
> The EBNA0006 MIME part is somehow decoded by uudecode (quite likely
> unwarrantedly), resulting in a file UNKNOWN.001, which when
> qualified by the file(1) utility results in a '.exe' short file type.
Apparently not encoded:
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,ENCRYPTED
Content-Domain: RFC822
DEK-Info: DES-CBC,F4DAB4DD9E8B062B
Originator-Certificate:
following Originator certs, issuer certs, key info,
MIC-info, encrypted body.
The "funny" thing: only the mail for this insurance destination has been
banned; other destinations went through fine (and in the past, reports for
this insurance destination went through, too).
Unfortunately I cannot supply everything due to privacy and security reasons.
A sender-recipient policy seems not good (read: politically correct) either.
Hm.
(Notice: the reporting software utilizes DAKOTA, which is an official
reporting application between companies and health/social insurances in
Germany.) Since 2006 it is the only way for companies to send data to
health/social insurances.
More info: http://de.wikipedia.org/wiki/Dakota_(Programm)
Unfortunately I haven't found any English information :-(
--
Robert Felber (PGP: 896CF30B)
Munich, Germany

Re: amavisd-release / mbox quarantine
Germany, 2007-08-23 13:30:47
On Thu, Aug 23, 2007 at 08:13:01PM +0200, Robert Felber wrote:
> On Thu, Aug 23, 2007 at 07:41:29PM +0200, Mark Martinec wrote:
> > Robert,
> >
> > > X-Amavis-Alert: BANNED, message contains part: multipart/mixed |
> > > application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001
> > >
> > > Don't ask me where it gets that .exe information from; it doesn't appear
> > > in the MIME parts
> >
> > > I thought that it may be a file(1) issue, but file(1) says:
> > > EBNA0006: ASCII text, with CRLF line terminators
> > > EBNA0006.AUF: ASCII text, with very long lines, with no line terminators
> >
> > The EBNA0006 MIME part is somehow decoded by uudecode (quite likely
> > unwarrantedly), resulting in a file UNKNOWN.001, which when
> > qualified by the file(1) utility results in a '.exe' short file type.
>
> Apparently not encoded:
Err, you mean it gets decoded and then on to file(1)?
Got it, sorry.
I know now where I have to look to understand/debug it in order to
reproduce it.
(I am afraid I will not find a solution myself to prevent that in
future, though.)
--
Robert Felber (PGP: 896CF30B)
Munich, Germany

Re: amavisd-release / mbox quarantine
Slovenia, 2007-08-24 17:32:57
Robert,
> Err, you mean it gets decoded and then on to file(1)?

Yes, sorry for not being clear.

> I know now where I have to look to understand/debug it in order to
> reproduce it.
>
> (I am afraid I will not find a solution myself to prevent that in
> future, though)

It may be tough to fix such a problem once and for all.
Both the uulib library (wrapped within a Convert::UUlib module)
and the file(1) utility have their history of misbehaviours.
Sometimes uulib thinks it recognizes a format and in an attempt
to decode some text produces a mess. Or the file(1) utility
misclassifies some clutter.
Try to repeat the decoding steps manually (often the command-line
tool uudeview that comes with uulib can be used with the same results).
Or set temporarily:
  @keep_decoded_original_maps = (1);
  @debug_sender_maps = ( ['testsender@example.com'] );
When a mail comes from a sender matching debug_sender_maps,
full debugging will be turned on for this message, and
temporary files in $TEMPBASE (e.g. under /var/amavis/tmp/)
will not be deleted, making them available for examination.
Mark