Amavis blocking images...

Peter Dal pdal at assetrecoverycorp.com
Wed Sep 21 16:15:27 CEST 2011


Hi folks,

I have a problem that started last Monday, without me changing 
anything... For some odd reason, amavis started blocking images, but not 
all of them, just a specific one. Here's the situation:

One of my users is using a mailing list, and sends out an email with our 
company logo as header (embedded, not attached). When this message comes 
back (since he's subscribed to this list) the email gets blocked by 
amavis, and I receive the following notification email:

    No viruses were found.

    Banned name: multipart/mixed |
       image/gif,.image,.gif,part1.03020803.05050501 at mydomain.com
    Content type: Banned
    Internal reference code for the message is 30298-18/Fe80t5ePS7Gx

    First upstream SMTP client IP address: [<source ip>] mail.sourcedomain.com
    According to a 'Received:' trace, the message originated at:
       [<source ip>], localhost.localdomain unknown [127.0.0.1]

    Return-Path:<source at sourcedomain.com>
    From: source at sourcedomain.com
    Sender: source at sourcedomain.com
    Message-ID:<13164658335.581646>
    Subject: ...
    The message has been quarantined as: /var/lib/amavis/virusmails

    The message WAS NOT relayed to:
    <user at mydomian.com>:
        250 2.7.0 Ok, discarded, id=30298-18 - BANNED: multipart/mixed | image/gif,.image,.gif,part1.03020803.05050501 at mydomain.com


    header

    Return-Path:<source at sourcedomain.com>
    X-Original-Helo: 235324.sourcedomain.net
    Received: from 235324.sourcedomain.net (mail.sourcedomain.com [<source ip>])
         by mail.mydomain.com (Postfix) with ESMTP id DB2AA25458D
         for<user at mydomain.com>; Mon, 19 Sep 2011 15:57:13 -0500 (CDT)
    Received: from localhost.localdomain (unknown [127.0.0.1])
         by 235324.sourcedomain.net (Postfix) with ESMTP id 76EEB40CB89D
         for<user at mydomain.com>; Mon, 19 Sep 2011 16:57:13 -0400 (EDT)
    MIME-Version: 1.0
    Content-Transfer-Encoding: binary
    Content-Type: multipart/mixed; boundary="_----------=_13164658337320692"
    X-Mailer: MIME::Lite 3.027 (F2.74; T1.28; A2.04; B3.07; Q3.07)
    Date: Mon, 19 Sep 2011 16:57:13 -0400
    To:<user at mydomain.com>
    From: source at sourcedomain.com
    Subject: ...
    Reply-To:<user at mydomain.com>
    Sender: source at sourcedomain.com
    Comments: Cust: 5 Msg: 581646
    Message-Id: 13164658335.581646

As far as I can tell, it is not supposed to ban ANY images, and in fact 
this has been working without a glitch for years. Now all of a sudden it 
starts banning stuff....

The only related setting I can think of (feel free to ask me to post 
others) is the $banned_filename_re, which looks like this:

    $banned_filename_re = new_RE(
       # block certain double extensions anywhere in the base name
       qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

       qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict

       qr'^application/x-msdownload$'i,                  # block these MIME types
       qr'^application/x-msdos-program$'i,
       qr'^application/hta$'i,

       qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic (default)
    );

It's not a one time thing either. He sends out over a dozen emails a 
day, and all of them get blocked this way. I'm completely stumped by 
this one. How do I track down what's going on here? Please keep in mind 
I'm kind of a noob when it comes to amavis...

Thanks,
Peter
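
One way to see which of the posted rules match the names in the notification, as an added example that is not part of the original post. It assumes each comma-separated name on the "Banned name:" line is tested separately against the rules and that the archive's " at " stands for "@"; `banned_hits` and the rule labels are names chosen here.

```perl
#!/usr/bin/perl
# Added diagnostic example: test each name from the "Banned name:" line of the
# notification against the rules listed in the post's $banned_filename_re.
use strict;
use warnings;

# Rules copied from the post; the labels are shorthand chosen for this example.
my @rules = (
    [ 'double extension',         qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i ],
    [ 'Windows CLSID',            qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i ],
    [ 'x-msdownload MIME type',   qr'^application/x-msdownload$'i ],
    [ 'x-msdos-program MIME type', qr'^application/x-msdos-program$'i ],
    [ 'hta MIME type',            qr'^application/hta$'i ],
    [ 'banned extension - basic', qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i ],
);

# Return a list of [name, rule label] pairs, one per name/rule match.
sub banned_hits {
    my ($banned_name_field) = @_;
    my @hits;
    # The field is a chain of parts joined by " | "; the last element is the
    # part that was reported, and its names are comma-separated (assumption).
    my @parts = split /\s*\|\s*/, $banned_name_field;
    for my $name (split /,/, $parts[-1]) {
        for my $rule (@rules) {
            my ($label, $re) = @$rule;
            push @hits, [ $name, $label ] if $name =~ $re;
        }
    }
    return @hits;
}

# Input taken from the notification in the post, with "@" restored in place
# of the archive's " at " (assumption).
my $field = 'multipart/mixed | image/gif,.image,.gif,'
          . 'part1.03020803.05050501@mydomain.com';

printf "%-40s matched by: %s\n", @$_ for banned_hits($field);
```

With this input the only name that matches any rule is the last one, which ends in `.com`.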

