<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.Vaintekstin, li.Vaintekstin, div.Vaintekstin
{mso-style-name:"Vain tekstinä";
mso-style-link:"Vain tekstinä Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.VaintekstinChar
{mso-style-name:"Vain tekstinä Char";
mso-style-priority:99;
mso-style-link:"Vain tekstinä";
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">If you are trying to block Office documents that will infect your PC with ransomware, your approach will not work. The ransomware has been coming through with the old Office document extensions. For example, the
Locky ransomware comes in with a .doc attachment. A more effective approach would be to block all old Office extensions, i.e. .xls, .doc, etc.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org]
<b>On Behalf Of </b>Kai Risku<br>
<b>Sent:</b> Tuesday, April 5, 2016 2:54 AM<br>
<b>To:</b> amavis-users@amavis.org<br>
<b>Subject:</b> Banning .docm gives misleading error message<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In order to guard against malicious macros, we have banned all macro-enabled Office document formats, i.e. added the following to $banned_filename_re:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-indent:65.2pt"># block macro-enabled office files<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:65.2pt">qr'.\.(xlsm|xltm|xlam|docm|dotm|pptm|potm|ppam|ppsm|sldm)$'i,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since modern Office documents are technically zip-files, amavisd-new opens and processes the zip archive. For originating (outgoing) messages we bounce the banned emails so the poor sender can understand why his emails are not delivered,
but in this case amavisd-new does not report the actual office document being banned but instead blames the first file inside the zip-archive. This results in very cryptic error messages, like:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Subject: BANNED contents from you (.txt,[Content_Types].xml)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:65.2pt">Our content checker found<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:65.2pt"> banned name: .txt,[Content_Types].xml<o:p></o:p></p>
<p class="MsoNormal"> in email presumable from you<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It seems amavisd has a small “optimization” that skips banned checks for non-leaf nodes. I propose removing that so the actual office documents can be directly banned and correctly reported:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">--- amavisd 5 Apr 2016 06:30:18 -0000 1.24<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">+++ amavisd 5 Apr 2016 06:30:29 -0000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">@@ -9912,7 +9912,9 @@<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> my(@path) = @{$part->path};<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> next if @path <= 1;<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> shift(@path); # ignore place-holder root node<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">- next if @{$part->children}; # ignore non-leaf nodes<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">+ # also process non-leaf nodes or we cannot block office documents<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">+ # without alert about wrong parts (blames the innocent zip member)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New"">+ # next if @{$part->children}; # ignore non-leaf nodes<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> my(@descr_trad); # a part path: list of predecessors of a message part<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> my(@descr); # same, but in form suitable for check on banned_namepath_re<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""> for my $p (@path) {<o:p></o:p></span></p>
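<p class="MsoNormal">Review bot: the last added line keeps the old statement as a commented-out "next if @{$part-&gt;children};" instead of deleting it; drop that line and keep only the two explanatory comment lines, since the diff itself already records what was removed. The new comment also speaks only of office documents, but with the skip gone every non-leaf node reaches the "for my $p (@path)" loop, so any other container with children is now checked as well; either say so in the comment or narrow the condition if only Office containers are meant.</p>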
<p class="MsoNormal" style="margin-left:65.2pt"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="FI" style="color:#595959;mso-fareast-language:FI">--<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FI" style="color:#595959;mso-fareast-language:FI"><a href="mailto:Kai.Risku@arrak.fi">Kai.Risku@arrak.fi</a> GSM +358-40-7678282<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#595959;mso-fareast-language:FI">Oy Arrak Software Ab
<a href="http://www.arrak.fi">http://www.arrak.fi</a><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
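<p class="MsoNormal">The reporting difference discussed in this thread, as an added example that is not part of either message and is not amavisd code. It is a simplified model built only from the description above: the part tree, the file names and the helper first_banned are hypothetical, and the rule is the one quoted in the original message.</p>

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The rule quoted in the message above (macro-enabled Office extensions).
my $banned_re = qr'.\.(xlsm|xltm|xlam|docm|dotm|pptm|potm|ppam|ppsm|sldm)$'i;

# Constructed sample: one mail carrying a .docm (a zip container with members)
# and a legacy .doc attachment. All names are made up for illustration.
my $mail = { name => 'message', children => [
  { name => 'report.docm', children => [
      { name => '[Content_Types].xml', children => [] },
      { name => 'word/document.xml',   children => [] },
  ] },
  { name => 'invoice.doc', children => [] },
] };

# Walk the tree and return the name that would be reported for the first hit.
# $skip_non_leaf = 1 models the behaviour described in the message,
# $skip_non_leaf = 0 models the behaviour the patch proposes.
sub first_banned {
  my ($node, $skip_non_leaf, @ancestors) = @_;
  my @path    = (@ancestors, $node);
  my $is_leaf = !@{ $node->{children} };
  if ($is_leaf || !$skip_non_leaf) {
    # Every name on the path is tested, but the hit is attributed to $node.
    for my $p (@path) {
      return $node->{name} if $p->{name} =~ $banned_re;
    }
  }
  for my $child (@{ $node->{children} }) {
    my $hit = first_banned($child, $skip_non_leaf, @path);
    return $hit if defined $hit;
  }
  return undef;
}

printf "leaf-only walk reports: %s\n", first_banned($mail, 1);
printf "all-node walk reports:  %s\n", first_banned($mail, 0);
# The macro-only rule does not cover the legacy extension raised in the reply.
printf "invoice.doc banned:     %s\n", ('invoice.doc' =~ $banned_re ? 'yes' : 'no');
```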
</div>
</body>
</html>