<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-NZ link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I want to do something that in itself seems easy but is proving difficult.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What I’d like is to block ANY attachment other than a whitelist eg<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>DOCX / XLSX / DOC / XLS / JPG / JPEG / PNG / GIF / PDF<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m using the following in my config:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:9.0pt'>$banned_filename_re = new_RE(<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'^application/x-msdownload$'i, # block these MIME types<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'^application/x-msdos-program$'i,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'^application/hta$'i,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'^\.(exe-ms)$', # banned file(1) types<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> [qr'^\.(jpeg|jpg|png|gif|bmp|tnef|doc|\.docx|xls|xlsx|ppt|pptx|pdf)$' => 0],<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> qr'.\.[a-zA-Z0-9]*$' => 1,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'>);<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Whats happening is PDF’s are coming through like a dream but DOCX, DOC, XLS, XLSX are all getting blocked with the following<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:9.0pt'>X-Amavis-Alert: BANNED, message contains application/msword,.dat,testdoc.doc<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'>X-Amavis-Alert: BANNED, message contains<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt'> application/vnd.openxmlformats-officedocument.wordprocessingml.document,.dat,matttest.docx<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So it appears something about the Mime type is overriding my allowing of the extension???<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I take jpg out of the allowed extension list it blocks it – Put it back and it gets through – Why do DOC and DOCX not behave the same?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Its getting too hard to block attachment types – I thought I’d been pretty thorough in the past until the latest cryptowall coming through as .JS files which then download the actual virus and execute it. I figure to block EVERY file extension that coule potentially be exploited is just too dangerous and instead we should work it backward and actually allow types that you are happy with.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Any help on this would be greatly appreciated – I’ve had 4 customers with cryptowall lately – Luckily none of them were people using my Spam gateways running Amavis and Spamassasin but I want to keep it that way. Amazingly these cryptowall emails with a zipped .JS are sailing right through Microsoft Office 365 which is a little scary – Their spam rules didn’t get it and obviously they don’t block any attachments at all appart from the ones Outlook will make difficult (.EXE .SCR etc)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Matt Beechey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>