Thread: winmail.dat attachments

winmail.dat attachments
United States, 2007-10-04 12:21:29
We're seeing an increasing problem with mail arriving with a "winmail.dat" attachment being blocked. These are attachments that are only generated by or understood by Outlook clients and/or Exchange servers. These files contain formatting information and sometimes other attachments in a compressed format.

The only fix for this that doesn't require some source code hacking would be to remove .dat from the list of banned attachments, but this is too risky. .dat files can contain nearly anything, including registry keys (see ntuser.dat), so allowing them through is too risky. But right now what happens is that messages with winmail.dat attachments are silently quarantined, and we are getting an increasing number of complaints from both remote senders and local recipients about their mail not going through. Yes, the mail can be rescued from the banned attachments cache, but not all our users are active Mailguard users, and there is no notification that a message has been blocked. In any case, it has been determined that the status quo of silently quarantining these messages is unacceptable and, like it or not, I have to do something about it.

First, is anybody else seeing these winmail.dat attachments? Surely it's not just us? Anybody have a solution better than those we are considering that I describe below?

We are considering a number of options. I don't really want to turn on recipient notifications (which can be done in amavisd.conf) because the volume of such notices is overwhelming and everybody either complains about them or ignores them. Using amavisd is better than what we used to have because we could notify only for banned attachments, but I still think the volume of such notices will be a problem.

It is possible to turn off the generation of the winmail.dat attachment in Outlook and in Exchange, but trying to coach remote users to do this has proved frustrating and unsatisfactory. We can't be the e-mail client consultant for everybody on the Internet who sends mail to us.

I could hack amavisd-maia to send recipient notifications only for winmail.dat files, but that's both kludgy and hard to maintain (any future patches and updates would be more time-consuming and error-prone to apply). I could play some games with the banned filenames map in amavisd.conf to allow only winmail.dat attachments through while blocking other .dat files, but surely the attackers all know about winmail.dat by now, so this is too risky.

Other more creative ideas include modifications to the database, to amavisd-maia and to the PHP scripts that would allow users to whitelist senders solely for winmail.dat files, but that will be extremely hard to implement and maintain. Along the same lines, but much easier although a bit more risky, is to modify amavisd-maia so that whitelisting a sender also turns off banned attachment checks. That's the way I'm leaning right now; I wonder if such a feature would be generally useful? To make it generally useful would be more difficult because it would require a configuration option as to whether or not whitelisting would include banned attachment checks, so that the default behavior of the system is not changed unless it is done explicitly.

Anybody else seeing this problem or have any other thoughts?

Thank you,
--Greg
_______________________________________________
Maia-users mailing list
Maia-users renaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
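A third option, between "ban every .dat" and "let winmail.dat through", is to treat winmail.dat as the container it is and apply the banned-filename policy to what it carries. The following is an added example, not code from the thread or from Maia/amavisd: a minimal TNEF walker that lists the attachment names inside a winmail.dat and checks their extensions against the pattern amavisd logged as matching_key later in this thread. TNEF is a flat stream of attributes (4-byte signature, 2-byte key, then records of level, id, length, data and a 16-bit byte-sum checksum); the attribute ids come from the TNEF specification, while the sample stream, the attachment names and the fail-closed verdict policy are constructed for this example.

```python
"""Inspect a winmail.dat (TNEF) container instead of judging it by extension.
Added example; the TNEF stream built at the bottom is constructed, not a real
Outlook-generated file."""
import re
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 0x01
LVL_ATTACHMENT = 0x02
# Attribute ids are (type << 16) | id, as in the TNEF specification.
ATT_TNEF_VERSION = 0x00089006   # atpDword,  attTnefVersion
ATT_ATTACH_TITLE = 0x00018010   # atpString, attAttachTitle (file name)
ATT_ATTACH_DATA = 0x0006800F    # atpByte,   attAttachData (file content)

# The extension pattern amavisd logged as matching_key in this thread, applied
# here case-insensitively to the extension including its leading dot.
BANNED_RE = re.compile(r"^\.(exe|lha|tnef|cab|dll)$", re.IGNORECASE)


def tnef_checksum(data: bytes) -> int:
    """TNEF attribute checksum: sum of the data bytes modulo 2^16."""
    return sum(data) & 0xFFFF


def tnef_attributes(blob: bytes):
    """Yield (level, attr_id, data) for every attribute in the stream.
    Raise ValueError on any structural problem so callers can fail closed."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # skip signature and attachment key
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level = blob[pos]
        attr_id, length = struct.unpack_from("<II", blob, pos + 1)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("attribute length runs past end of stream")
        data = blob[pos:pos + length]
        stored = struct.unpack_from("<H", blob, pos + length)[0]
        if stored != tnef_checksum(data):
            raise ValueError("attribute checksum mismatch")
        pos += length + 2
        yield level, attr_id, data


def attachment_names(blob: bytes):
    """File names of the attachments carried inside the TNEF stream."""
    return [data.rstrip(b"\x00").decode("latin-1")
            for level, attr_id, data in tnef_attributes(blob)
            if level == LVL_ATTACHMENT and attr_id == ATT_ATTACH_TITLE]


def banned_inside(blob: bytes, banned_re=BANNED_RE):
    """Inner attachment names whose extension matches the banned pattern."""
    hits = []
    for name in attachment_names(blob):
        ext = name[name.rfind("."):] if "." in name else ""
        if banned_re.search(ext):
            hits.append(name)
    return hits


def winmail_verdict(blob: bytes, banned_re=BANNED_RE):
    """Policy decision for one winmail.dat: ('PASS', []) or ('BANNED', reasons).
    A stream that does not parse is treated like any other unknown .dat file
    and banned, so a malformed container cannot slip through."""
    try:
        hits = banned_inside(blob, banned_re)
    except ValueError as err:
        return "BANNED", [f"unparseable TNEF: {err}"]
    return ("BANNED", hits) if hits else ("PASS", [])


# --- constructed test data -----------------------------------------------

def _attr(level: int, attr_id: int, data: bytes) -> bytes:
    """Encode one attribute record with its checksum."""
    return (bytes([level]) + struct.pack("<II", attr_id, len(data))
            + data + struct.pack("<H", tnef_checksum(data)))


def build_winmail(attachments):
    """Build a minimal TNEF stream carrying the given (name, content) pairs."""
    out = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
    out += _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    for name, content in attachments:
        out += _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, name.encode("latin-1") + b"\x00")
        out += _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, content)
    return out


def constructed_winmail() -> bytes:
    """A winmail.dat hiding an .exe next to a harmless document (constructed)."""
    return build_winmail([("report.pdf", b"%PDF-1.4 constructed"),
                          ("BOM.exe", b"MZ constructed")])


if __name__ == "__main__":
    print(winmail_verdict(constructed_winmail()))  # ('BANNED', ['BOM.exe'])
```

With a check like this in front of the banned-filename map, a winmail.dat that only carries RTF formatting and a PDF passes, one that wraps an .exe is blocked with the inner name in the verdict (which is also what a recipient notification should quote), and a truncated or checksum-broken stream is blocked rather than waved through.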

warnbannedrecip (was: winmail.dat attachments)
United States, 2007-10-04 17:09:13
On Thu, 2007-10-04 at 11:21 -0600, Greg Woods wrote:
> I don't really want to turn on recipient notifications (which can be done in amavisd.conf) because the volume of such notices is overwhelming and everybody either complains about them or ignores them.

We actually decided to try this anyway as a stopgap measure, but I cannot figure out how to make it work. I found a message in the archives dated July 5 2006 from Robert LeBlanc that indicated that setting "warnbannedrecip" to 1 in the amavisd.conf file would work, but it doesn't. My test message with a .exe attachment is still quarantined, but no notification is sent.

Is this one of those features that has been ripped out of amavisd-new when it was converted to amavisd-maia, or is there something more I need to do to make this work? It looks like it might be, because when I set log_level=5 and run a test, this is part of what gets logged:

Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup_sql_field(warnbannedrecip), no field, "woods nscan1.ucar.edu" result=undef
Oct 4 15:58:46 nscan1 last message repeated 2 times
Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup: (scalar) matches, result="0"
Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup (warnbannedrecip) => false, "woods nscan1.ucar.edu" matches, result="0", matching_key="(constant:0)"

It looks very much like the setting in amavisd.conf really has no effect and that it is looking for something in the database. Is there something I can set in the database that will make this work?

I am using
# $Id: amavisd-maia 999 2006-04-06 17:29:01Z dmorton $

Thanks,
--Greg

Re: warnbannedrecip (was: winmail.dat attachments)
United States, 2007-10-05 11:40:53
On Thu, 2007-10-04 at 16:09 -0600, Greg Woods wrote:
> Is this one of those features that has been ripped out of amavisd-new when it was converted to amavisd-maia, or is there something more I need to do to make this work? It looks like it might be, because when I set log_level=5 and run a test, this is part of what gets logged:
>
> Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup_sql_field(warnbannedrecip), no field, "woods nscan1.ucar.edu" result=undef
> Oct 4 15:58:46 nscan1 last message repeated 2 times
> Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup: (scalar) matches, result="0"
> Oct 4 15:58:46 nscan1 amavis[24498]: (24498-01) lookup (warnbannedrecip) => false, "woods nscan1.ucar.edu" matches, result="0", matching_key="(constant:0)"

OK, I went in and applied a kludge patch in amavisd such that the lookup_sql_field routine always returns 1 if the field is "warnbannedrecip". This is an ugly hack which is only intended for temporary use. It "seems" to work:

Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) lookup_sql_field(warnbannedrecip), warnbannedrecip set to 1, "woods nscan1.ucar.edu", result=1
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) lookup (warnbannedrecip) => true, "woods nscan1.ucar.edu" matches, result="1", matching_key="/cached/"
[...]
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) string_to_mime_entity Date: Fri, 5 Oct 2007 09:57:41 -0600 (MDT)
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) string_to_mime_entity From: "Content-filter at nscan1.ucar.edu" <virusalert ucar.edu>
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) string_to_mime_entity Subject: BANNED IN MAIL TO YOU (from <greg gregandeva.net>)
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) string_to_mime_entity To: <woods nscan1.ucar.edu>
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) string_to_mime_entity Message-ID: <VR12946-01 nscan1.ucar.edu>
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) one_response_for_all <virusalert ucar.edu>: success, dsn_needed=0, '250 2.5.0 Ok, id=12946-01, continue delivery'
Oct 5 09:57:42 nscan1 amavis[12946]: (12946-01) DO_VIRUS - DONE

But, still no notification of the quarantined message is sent. Is there any way to actually make this work?

Thanks,
--Greg

Re: warnbannedrecip
Belgium, 2007-10-08 01:53:30
Greg Woods wrote:
> On Thu, 2007-10-04 at 11:21 -0600, Greg Woods wrote:
> > I don't really want to turn on recipient notifications (which can be done in amavisd.conf) because the volume of such notices is overwhelming and everybody either complains about them or ignores them.
>
> We actually decided to try this anyway as a stopgap measure, but I cannot figure out how to make it work. I found a message in the archives dated July 5 2006 from Robert LeBlanc that indicated that setting "warnbannedrecip" to 1 in the amavisd.conf file would work, but it doesn't. My test message with a .exe attachment is still quarantined, but no notification is sent.
...

Works fine for me. I'm running Maia 1.0.1

Regards,
Koenraad Lelong.

Re: warnbannedrecip
United States, 2007-10-08 09:40:01
On Mon, 2007-10-08 at 08:53 +0200, Koenraad Lelong wrote:
> Greg Woods wrote:
> > I found a message in the archives dated July 5 2006 from Robert LeBlanc that indicated that setting "warnbannedrecip" to 1 in the amavisd.conf file would work, but it doesn't.
> Works fine for me. I'm running Maia 1.0.1

We are running 1.0.1 here too. What log entries do you get from amavisd when a notification is sent? Maybe it is sending them but they aren't being delivered for some reason.

--Greg

Re: warnbannedrecip
Belgium, 2007-10-09 03:11:59
Greg Woods wrote:
> On Mon, 2007-10-08 at 08:53 +0200, Koenraad Lelong wrote:
> > Greg Woods wrote:
> > > I found a message in the archives dated July 5 2006 from Robert LeBlanc that indicated that setting "warnbannedrecip" to 1 in the amavisd.conf file would work, but it doesn't.
> > Works fine for me. I'm running Maia 1.0.1
>
> We are running 1.0.1 here too. What log entries do you get from amavisd when a notification is sent? Maybe it is sending them but they aren't being delivered for some reason.
>
> --Greg

Oct 8 08:41:37 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) p003 1 Content-Type: multipart/mixed
Oct 8 08:41:37 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) p001 1/1 Content-Type: text/plain, size: 85 B, name:
Oct 8 08:41:37 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) p002 1/2 Content-Type: application/octet-stream, size: 43008 B, name: BOM.exe
Oct 8 08:41:37 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) p.path BANNED:1: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=exe,N=BOM.exe" ;, matching_key="(?-xism:^\.(exe|lha|tnef|cab|dll)$)" ;
Oct 8 08:41:44 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) SEND via SMTP: [127.0.0.1]:10025 <virusalert yyyyyy> -> <xxxx xxxx>
Oct 8 08:41:44 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) Blocked BANNED (BOM.exe), [192.168.0.13] [192.168.0.13] <yyyy xxxxx> -> <xxxxx xxxxx>, Message-ID: <4709D120.80607 ace-electronics.be>, Hits: -, 7639 ms

Beware of broken lines. I censored some e-mail addresses.

HTH
Koenraad Lelong.

Re: warnbannedrecip
United States, 2007-10-09 14:48:10
On Oct 9, 2007, at 3:11 AM, Koenraad Lelong wrote:
> Oct 8 08:41:44 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) SEND via SMTP: [127.0.0.1]:10025 <virusalert yyyyyy> -> <xxxx xxxx>

That should be the notification outbound.

David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda dgrmm.net

Re: warnbannedrecip
United States, 2007-10-10 14:10:01
On Tue, 2007-10-09 at 14:48 -0500, David Morton wrote:
> On Oct 9, 2007, at 3:11 AM, Koenraad Lelong wrote:
>
> > Oct 8 08:41:44 box.ace-electronics.be /usr/sbin/amavisd[30696]: (30696-07) SEND via SMTP: [127.0.0.1]:10025 <virusalert yyyyyy> -> <xxxx xxxx>
>
> That should be the notification outbound.

Then I have no clues at all. I set warnbannedrecip=1 in /etc/amavisd.conf, I restarted amavisd, but I do not see this line in my logs. warnbannedrecip simply does not work on my work system (running 1.0.1) or on my home system (running 1.0.2).

--Greg