Problem with @banned_files_lovers_maps...

Klaus Tachtler klaus at tachtler.net
Wed Mar 21 09:02:22 CET 2012


Hello Mark,

thank you for your information, but we do not use alterMIME or any
similar program to change something. From our test yesterday, this
is the message source of the e-mail. Can you please see something
where the problem could occur?

---- message source start ----

Return-Path: <michael at nausch.org>
X-Original-To: specialuser at ourdomain.tld
Delivered-To: specialuser at ourdomain.tld
Received: from mx11.ourdomain.tld (mx11.ourdomain.tld [172.25.10.169]) by
         relay.ourdomain.tld (Postfix) with ESMTP id DF5A01F708D for
         <specialuser at ourdomain.tld>; Tue, 20 Mar 2012 14:55:52 +0100 (CET)
Received: from viruswallvz.ourdomain.tld (amavisvz.ourdomain.tld
         [172.25.10.167]) by mx11.ourdomain.tld (Postfix) with ESMTP id CC4B83FC87 for
         <specialuser at ourdomain.tld>; Tue, 20 Mar 2012 14:55:52 +0100 (CET)
X-Amavis-Modified: Mail body modified (defanged) - viruswallvz.ourdomain.tld
X-Virus-Scanned: amavisd-new at ourdomain.tld
X-Amavis-Alert: BANNED, message contains audio/mpeg,.dat,01 Test.mp3
Received: from mx11.ourdomain.tld ([172.25.10.169]) by viruswallvz.ourdomain.tld
         (viruswallvz.ourdomain.tld [172.25.10.167]) (amavisd-new, port 10024) with
         ESMTP id 3GTahVLQfNnf for <specialuser at ourdomain.tld>; Tue, 20 Mar 2012 14:51:03 +0100
         (CET)
X-policyd-weight:  NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
         NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_FROM_MX=-3.1; rate: -7.6
Received: from mx1.nausch.org (mx1.nausch.org [88.217.187.21]) (using TLSv1
         with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
         requested) by mx11.ourdomain.tld (Postfix) with ESMTPS for <sspecialuser at ourdomain.tld>; Tue,
         20 Mar 2012 14:51:01 +0100 (CET)
Received: from viruswall.dmz.nausch.org (localhost.localdomain [127.0.0.1])
         by mx1.nausch.org (Postfix) with ESMTP id 66F0811587D0 for <specialuser at ourdomain.tld>;
         Tue, 20 Mar 2012 14:50:58 +0100 (CET)
X-Virus-Scanned: amavisd-new at nausch.org
Received: from mx1.nausch.org ([127.0.0.1]) by viruswall.dmz.nausch.org
         (amavis.nausch.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
         M4assf7QFjqb for <specialuser at ourdomain.tld>; Tue, 20 Mar 2012 14:48:03 +0100 (CET)
Received: from [192.168.2.186] (ppp-93-104-67-124.dynamic.mnet-online.de
         [93.104.67.124]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
         bits)) (No client certificate requested) by mx1.nausch.org (Postfix) with
         ESMTP for <specialuser at ourdomain.tld>; Tue, 20 Mar 2012 14:48:03 +0100 (CET)
Message-ID: <4F688A91.9050607 at nausch.org>
Date: Tue, 20 Mar 2012 14:48:01 +0100
From: Michael Nausch <michael at nausch.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216
         Thunderbird/10.0.2
MIME-Version: 1.0
To: specialuser at ourdomain.tld
Subject: test
Content-Type: multipart/mixed; boundary="------------010607060102020703080209"
X-Evolution-Source: imap://specialuser%40ourdomain.tld@ourdomain.tld/

This is a multi-part message in MIME format.
--------------010607060102020703080209
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit

test


--------------010607060102020703080209


--------------010607060102020703080209--

---- message source end   ----

Thank you for your help!

> Klaus,
>
>> so, we wonder a little bit, because when we set
>>
>>        $bypass_decode_parts = 1;
>>
>> then we can GET the e-mail WITH attachment. If we don't set
>> $bypass_decode_parts, then we GET the e-mail WITHOUT the attachment.
>>
>> The $bypass_decode_parts = 1; in conjunction with set
>>        @banned_files_lovers_maps = (
>>              { 'specialuser at ourdomain.tld' => 1,
>>        } );
>>
>> We tried this a few minutes ago, and we only have postfix in
>> conjunction with amavis (controlling spamassassin and clamav),
>> and the mp3 (for example) we send, had no virus inside...
>
> This is most unusual. As Mihael said, amavisd does not
> modify mail body. The only exception to that is if you have
> defanging enabled. In this case amavisd can call external
> programs like altermime or Anomy::Sanitizer or use a very
> simple built-in sanitizer. The altermime or Anomy::Sanitizer
> are capable of stripping attachments, but the built-in
> sanitizer cannot, it can only wrap the original mail body in an
> extra level of MIME structure (pushes it to an attachment).
>
> If you do not have defanging through altermime or Anomy::Sanitizer
> enabled, then I don't see how you could get the results you see.
> Perhaps some further mail processing at delivery time or in a MUA
> is used. Or maybe the attachment is still there but perhaps a MIME
> structure got botched somehow. Checking the log at level 5 may
> provide some answers.
>
>   Mark
>


Klaus.


--

------------------------------------------------
e-Mail  : klaus at tachtler.net
Homepage: http://www.tachtler.net
DokuWiki: http://www.dokuwiki.tachtler.net
------------------------------------------------
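
The message source quoted above carries an X-Amavis-Modified header, an X-Amavis-Alert header and a MIME part that consists of nothing but its boundary lines. As an added example (not part of the original post and not amavisd-new code), this Python check reports all three for a raw message; the sample message is constructed with placeholder hostnames, and `diagnose` is a hypothetical helper name.

```python
from email import message_from_bytes
from email.policy import default

# Constructed sample modelled on the message source quoted in the post;
# hostnames and addresses are placeholders, not real systems.
SAMPLE = b"""\
X-Amavis-Modified: Mail body modified (defanged) - scanner.example.test
X-Amavis-Alert: BANNED, message contains audio/mpeg,.dat,01 Test.mp3
From: Sender <sender@example.test>
To: specialuser@example.test
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

This is a multi-part message in MIME format.
--BOUNDARY
Content-Type: text/plain; charset=ISO-8859-15

test

--BOUNDARY


--BOUNDARY--
"""


def diagnose(raw: bytes) -> dict:
    """Report scanner modification headers and MIME leaf parts that are empty."""
    msg = message_from_bytes(raw, policy=default)
    report = {
        "modified_by": [str(v) for v in msg.get_all("X-Amavis-Modified", [])],
        "alerts": [str(v) for v in msg.get_all("X-Amavis-Alert", [])],
        "hollow_parts": [],
    }
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for index, part in enumerate(leaves, start=1):
        body = part.get_payload(decode=True) or b""
        # No headers and no content, like the second part in the quoted
        # message source: the boundary is present but nothing is inside it.
        if not part.keys() and not body.strip():
            report["hollow_parts"].append(index)
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it against the message as received by the recipient and against the copy taken before the content filter shows at which hop the part lost its content.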


