Amavis blocking images...

Peter Dal pdal at assetrecoverycorp.com
Wed Sep 28 16:30:47 CEST 2011


Anyone have any idea where I can start looking? I've set amavis to pass 
banned files for now, but I keep getting these messages...

Thanks,
Peter

On 9/21/2011 9:15 AM, Peter Dal wrote:
> Hi folks,
>
> I have a problem that started last Monday, without me changing 
> anything... For some odd reason, amavis started blocking images, but 
> not all of them, just a specific one. Here's the situation:
>
> One of my users is using a mailing list, and sends out an email with 
> our company logo as header (embedded, not attached). When this message 
> comes back (since he's subscribed to this list) the email gets blocked 
> by amavis, and I receive the following notification email:
>
>     No viruses were found.
>
>     Banned name: multipart/mixed |
>        image/gif,.image,.gif,part1.03020803.05050501 at mydomain.com
>     Content type: Banned
>     Internal reference code for the message is 30298-18/Fe80t5ePS7Gx
>
>     First upstream SMTP client IP address: [<source ip>] mail.sourcedomain.com
>     According to a 'Received:' trace, the message originated at:
>        [<source ip>], localhost.localdomain unknown [127.0.0.1]
>
>     Return-Path:<source at sourcedomain.com>
>     From:source at sourcedomain.com
>     Sender:source at sourcedomain.com
>     Message-ID:<13164658335.581646>
>     Subject: ...
>     The message has been quarantined as: /var/lib/amavis/virusmails
>
>     The message WAS NOT relayed to:
>     <user at mydomian.com>:
>         250 2.7.0 Ok, discarded, id=30298-18 - BANNED: multipart/mixed | image/gif,.image,.gif,part1.03020803.05050501 at mydomain.com
>
>
>     header
>
>     Return-Path:<source at sourcedomain.com>
>     X-Original-Helo: 235324.sourcedomain.net
>     Received: from 235324.sourcedomain.net (mail.sourcedomain.com [<source ip>])
>          by mail.mydomain.com (Postfix) with ESMTP id DB2AA25458D
>          for<user at mydomain.com>; Mon, 19 Sep 2011 15:57:13 -0500 (CDT)
>     Received: from localhost.localdomain (unknown [127.0.0.1])
>          by 235324.sourcedomain.net (Postfix) with ESMTP id 76EEB40CB89D
>          for<user at mydomain.com>; Mon, 19 Sep 2011 16:57:13 -0400 (EDT)
>     MIME-Version: 1.0
>     Content-Transfer-Encoding: binary
>     Content-Type: multipart/mixed; boundary="_----------=_13164658337320692"
>     X-Mailer: MIME::Lite 3.027 (F2.74; T1.28; A2.04; B3.07; Q3.07)
>     Date: Mon, 19 Sep 2011 16:57:13 -0400
>     To:<user at mydomain.com>
>     From:source at sourcedomain.com
>     Subject: ...
>     Reply-To:<user at mydomain.com>
>     Sender:source at sourcedomain.com
>     Comments: Cust: 5 Msg: 581646
>     Message-Id: 13164658335.581646
>
> As far as I can tell, it is not supposed to ban ANY images, and in 
> fact this has been working without a glitch for years. Now all of a 
> sudden it starts banning stuff....
>
> The only related setting I can think of (feel free to ask me to post 
> others) is the $banned_filename_re, which looks like this:
>
>     $banned_filename_re = new_RE(
>        # block certain double extensions anywhere in the base name
>        qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
>
>        qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict
>
>        qr'^application/x-msdownload$'i,                  # block these MIME types
>        qr'^application/x-msdos-program$'i,
>        qr'^application/hta$'i,
>
>        qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic (default)
>     );
>
> It's not a one time thing either. He sends out over a dozen emails a 
> day, and all of them get blocked this way. I'm completely stumped by 
> this one. How do I track down what's going on here? Please keep in 
> mind I'm kind of a noob when it comes to amavis...
>
> Thanks,
> Peter
>
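
One way to track down which rule is firing, as an added example that is not part of the original post or of amavis itself: the six patterns from the posted `$banned_filename_re` are transcribed into Python regexes and run against every name in the quoted "Banned name:" line. It assumes that each comma-separated name is tested against every rule, that `|` separates MIME nesting levels, and that " at " is the list archive's obfuscation of "@"; the rule labels and function names are made up for this example.

```python
import re

# Patterns transcribed from the posted $banned_filename_re
# (Perl qr'...'i becomes re.I); the labels are ours, not amavis's.
RULES = [
    ("double extension", r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$"),
    ("CLSID", r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"),
    ("MIME x-msdownload", r"^application/x-msdownload$"),
    ("MIME x-msdos-program", r"^application/x-msdos-program$"),
    ("MIME hta", r"^application/hta$"),
    ("basic extension", r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$"),
]
COMPILED = [(label, re.compile(rx, re.I)) for label, rx in RULES]


def parse_banned_line(value):
    """Split a 'Banned name:' value into one list of names per MIME part.

    Assumptions: ' | ' separates nesting levels, ',' separates the names
    recorded for one part, ' at ' is the archive's rewrite of '@'.
    """
    value = value.replace(" at ", "@")
    return [[n.strip() for n in part.split(",")] for part in value.split("|")]


def explain(value):
    """Return (name, rule label) for every rule that matches a name."""
    hits = []
    for names in parse_banned_line(value):
        for name in names:
            for label, rx in COMPILED:
                if rx.search(name):
                    hits.append((name, label))
    return hits


# Value copied from the quarantine notification quoted above.
BANNED = ("multipart/mixed | image/gif,.image,.gif,"
          "part1.03020803.05050501 at mydomain.com")

if __name__ == "__main__":
    for name, label in explain(BANNED):
        print(f"{name!r} matched rule: {label}")
```

Run against the quoted notification, only the part name ending in `.com` matches (both the double-extension and the basic-extension rule); `image/gif`, `.image` and `.gif` match nothing.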

