<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Anyone have any idea where I can start looking? I've set amavis to
pass banned files for now, but I keep getting these messages...<br>
<div class="moz-signature">
<div style="font-family:Arial; color:black;">
<br>
Thanks,<br>
Peter<br>
</div>
</div>
<br>
On 9/21/2011 9:15 AM, Peter Dal wrote:
<blockquote cite="mid:4E79F17F.5010304@assetrecoverycorp.com"
type="cite">
Hi folks,<br>
<br>
I have a problem that started last Monday, without me changing
anything... For some odd reason, amavis started blocking images,
but not all of them, just a specific one. Here's the situation:<br>
<br>
One of my users is using a mailing list, and sends out an email
with our company logo as header (embedded, not attached). When this
message comes back (since he's subscribed to this list) the email
gets blocked by amavis, and I receive the following notification
email:<br>
<blockquote>
<pre><code>No viruses were found.
Banned name: multipart/mixed |
image/gif,.image,.gif,<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:part1.03020803.05050501@mydomain.com">part1.03020803.05050501@mydomain.com</a>
Content type: Banned
Internal reference code for the message is 30298-18/Fe80t5ePS7Gx
First upstream SMTP client IP address: [<source ip>] mail.sourcedomain.com
According to a 'Received:' trace, the message originated at:
[<source ip>], localhost.localdomain unknown [127.0.0.1]
Return-Path: <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:source@sourcedomain.com"><source@sourcedomain.com></a>
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:source@sourcedomain.com">source@sourcedomain.com</a>
Sender: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:source@sourcedomain.com">source@sourcedomain.com</a>
Message-ID: <13164658335.581646>
Subject: ...
The message has been quarantined as: /var/lib/amavis/virusmails
The message WAS NOT relayed to:
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:user@mydomian.com"><user@mydomian.com></a>:
250 2.7.0 Ok, discarded, id=30298-18 - BANNED: multipart/mixed | image/gif,.image,.gif,<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:part1.03020803.05050501@mydomain.com">part1.03020803.05050501@mydomain.com</a>
header
Return-Path: <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:source@sourcedomain.com"><source@sourcedomain.com></a>
X-Original-Helo: 235324.sourcedomain.net
Received: from 235324.sourcedomain.net (mail.sourcedomain.com [<source ip>])
by mail.mydomain.com (Postfix) with ESMTP id DB2AA25458D
for <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:user@mydomain.com"><user@mydomain.com></a>; Mon, 19 Sep 2011 15:57:13 -0500 (CDT)
Received: from localhost.localdomain (unknown [127.0.0.1])
by 235324.sourcedomain.net (Postfix) with ESMTP id 76EEB40CB89D
for <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:user@mydomain.com"><user@mydomain.com></a>; Mon, 19 Sep 2011 16:57:13 -0400 (EDT)
MIME-Version: 1.0
Content-Transfer-Encoding: binary
Content-Type: multipart/mixed; boundary="_----------=_13164658337320692"
X-Mailer: MIME::Lite 3.027 (F2.74; T1.28; A2.04; B3.07; Q3.07)
Date: Mon, 19 Sep 2011 16:57:13 -0400
To: <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:user@mydomain.com"><user@mydomain.com></a>
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:source@sourcedomain.com">source@sourcedomain.com</a>
Subject: ...
Reply-To: <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:user@mydomain.com"><user@mydomain.com></a>
Sender: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:source@sourcedomain.com">source@sourcedomain.com</a>
Comments: Cust: 5 Msg: 581646
Message-Id: 13164658335.581646
</code></pre>
</blockquote>
As far as I can tell, it is not supposed to ban ANY images, and in
fact this has been working without a glitch for years. Now all of
a sudden it starts banning stuff....<br>
<br>
The only related setting I can think of (feel free to ask me to
post others) is the $banned_filename_re, which looks like this:<br>
<blockquote>
<pre><code>$banned_filename_re = new_RE(
# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic (default)
);
</code></pre>
</blockquote>
It's not a one time thing either. He sends out over a dozen emails
a day, and all of them get blocked this way. I'm completely
stumped by this one. How do I track down what's going on here?
Please keep in mind I'm kind of a noob when it comes to amavis...<br>
<br>
Thanks,<br>
<div class="moz-signature">
<div style="font-family:Arial; color:black;"> Peter<br>
</div>
</div>
<br>
</blockquote>
<br>
<br>
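Added example, not part of the original thread and not amavis code: the patterns from the posted $banned_filename_re, transcribed from Perl qr'...'i to Python, are run against each name in the "Banned name" line of the notification. It assumes amavis tests every name listed in that line against the list; the function names and rule labels are hypothetical.<br>

```python
import re

# Patterns transcribed from the $banned_filename_re posted in the thread
# (Perl qr'...'i rewritten for Python's re with IGNORECASE).
# The labels are added here for readability only.
BANNED_FILENAME_RE = [
    ("double extension",
     r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$"),
    ("CLSID", r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"),
    ("x-msdownload", r"^application/x-msdownload$"),
    ("x-msdos-program", r"^application/x-msdos-program$"),
    ("hta", r"^application/hta$"),
    ("banned extension - basic",
     r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$"),
]

# "Banned name" line copied from the notification in the thread.
BANNED_NAME_LINE = ("multipart/mixed | image/gif,.image,.gif,"
                    "part1.03020803.05050501@mydomain.com")


def split_names(line):
    """Split 'container | name,name,...' into a flat list of names."""
    names = []
    for level in line.split("|"):
        names.extend(n.strip() for n in level.split(",") if n.strip())
    return names


def matching_rules(name):
    """Return the labels of every rule whose pattern matches this name."""
    return [label for label, pattern in BANNED_FILENAME_RE
            if re.search(pattern, name, re.IGNORECASE)]


def explain(line):
    """Map each name in a 'Banned name' line to the rules it triggers."""
    return {name: matching_rules(name) for name in split_names(line)}


if __name__ == "__main__":
    for name, rules in explain(BANNED_NAME_LINE).items():
        print(f"{name!r:45} -> {rules or 'no match'}")
```

None of the MIME type or image names match any rule; the only name that matches is the part name ending in "@mydomain.com", whose trailing ".com" satisfies both extension patterns.<br>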
</body>
</html>