Problem with ms-exe banned files

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri May 20 20:35:29 CEST 2011


Richard,

> We keep getting problems with the ms-exe detection scheme in amavis for 
> banned files. I was wondering :
> 
> Does Amavis only look at the extension of the file ? In this case a 
> ".dat" file, or does it really test the file ?
> 
> For example in linux : file file.dat
> file.dat: DOS executable (device driver)
> X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,file.dat

Amavisd banning rules can test for either:
- a name of a mail component;
- a result from the file(1) utility, mapped into a shorthand notation
  through $map_full_type_to_short_type_re;
- a MIME type.

> I know that this isn't a device driver, but a part from an electronical 
> software scheme.

You guessed correctly, in your case it is a wrong detection
coming from a file(1) utility.

> How can we avoid this ? Or manipulate the ms-exe detection ?

No ideal solution. Some choices:

- see if a newer version of the file(1) utility has this misdetection fixed;
  if not, file a bug report to its maintainer (who is quite cooperative);

- remove the test for .exe-ms from your banning rules, or precede it
  with some countermeasure exception rule;

- if such mail is only coming from some sources or addressed to
  only a few recipients, consider @banned_files_lovers_maps.


Mark
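
An added illustration, not part of the original message or of the poster's configuration: an amavisd.conf fragment showing the three kinds of banning test listed above, with an exception rule placed ahead of the .exe-ms test. It assumes the common $banned_filename_re / new_RE form of the banning rules and first-match-wins ordering, which is what "precede it with an exception rule" relies on; the recipient address is a placeholder.

```perl
# amavisd.conf fragment (constructed example).
# Rules are tried in order. A bare regexp bans on match;
# [ regexp => 0 ] is an exception that allows on match.
$banned_filename_re = new_RE(

  # Exception first: allow the one component name that file(1)
  # misclassifies. 'file.dat' is the name from the X-Amavis-Alert
  # header in the question. Anchor the pattern at both ends: a part
  # that matches here is not tested against the rules that follow.
  [ qr'^file\.dat$'i => 0 ],

  # Test on a file(1) result, after mapping to its short type
  # through $map_full_type_to_short_type_re.
  qr'^\.(exe-ms)$',

  # Test on a MIME type.
  qr'^application/x-msdownload$'i,

  # Test on the name of a mail component (extension match).
  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,
);

# Alternative to an exception rule: exempt only the few recipients
# who legitimately receive such files from banned-file checks.
# The address below is a placeholder.
@banned_files_lovers_maps = ( [ 'cad-team@example.com' ] );
```

After reloading amavisd, re-send a sample message and check that the X-Amavis-Alert: BANNED header no longer appears for the exempted file, while a real Windows executable under another name is still banned.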

