Banned files in RAR vs ZIP

Sébastien WENSKE sebastien at wenske.fr
Mon May 6 16:13:51 CEST 2013


Hi list,

I've noticed that banned files are correctly blocked in ZIP files but not in RAR files.

I compressed the same exe file twice (ZIP and RAR); it is blocked as ZIP but not as RAR:

May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type: 
application/octet-stream, size: 72549 B, name: regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned 
(p004,p005,p002) multipart/signed | multipart/mixed | 
application/octet-stream,.rar,regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup 
[check_bann:sebastien at wenske.fr] => undef, 
["multipart/signed","multipart/mixed","application/octet-stream",".rar","regedit.rar"] 
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re] => 
undef, 
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\tL=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar" 
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr: 
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed | 
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"
May  6 15:29:01 smtp01 amavis[1410]: (01410-17) save_info_final 0ikUThnn8qfs, 
orig=Y, chks=VSHB, cont.ty=C, q.type= , q.to=, dsn=N, score=1.274, Message-ID: 
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B12A at HQ0SBS01.airtag.local>, From: 
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject: 
'Envoi d\134342\134200\134231un message\134302\134240: regedit'

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p002 1/1/2 Content-Type: 
application/octet-stream, size: 79750 B, name: regedit.zip
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned 
(p004,p005,p002,p006) multipart/signed | multipart/mixed | 
application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) lookup 
[check_bann:sebastien at wenske.fr] => true, 
["multipart/signed","multipart/mixed","application/octet-stream",".zip","regedit.zip",".exe",".exe-ms","regedit.exe"] 
matches, result="1", matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p.path BANNED:1 
sebastien at wenske.fr: "P=p004,L=1,M=multipart/signed | 
P=p005,L=1/1,M=multipart/mixed | 
P=p002,L=1/1/2,M=application/octet-stream,T=zip,N=regedit.zip | 
P=p006,L=1/1/2/1,T=exe,T=exe-ms,N=regedit.exe", 
matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) blocking ccat=8, SMTP 
response: 250 2.7.0 Ok, discarded, id=01719-14 - BANNED: 
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) notif=N, suppressed=0, 
ndn_needed=, exit=99, 250 2.7.0 Ok, discarded, id=01719-14 - BANNED: 
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) Blocked BANNED 
(.exe,.exe-ms,regedit.exe) {DiscardedOutbound,Quarantined}, MYNETS LOCAL 
[10.4.0.10]:58026 [10.4.0.10] <sebastien.wenske at fr.airtag.com> -> 
<sebastien at wenske.fr>, quarantine: banned-ut82zwN_K7V8, Message-ID: 
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, mail_id: 
ut82zwN_K7V8, Hits: -, size: 119672, 188 ms
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) save_info_final ut82zwN_K7V8, 
orig=Y, chks=VHB, cont.ty=B, q.type=F, q.to=banned-ut82zwN_K7V8, dsn=N, 
score=0, Message-ID: 
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, From: 
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject: 
'Envoi d\134342\134200\134231un message\134302\134240: regedit'
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) sending SMTP response: "250 
2.7.0 Ok, discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) ESMTP> 250 2.7.0 Ok, 
discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 postfix/smtp[2268]: 4FEF02040E: 
to=<sebastien at wenske.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, 
delays=0.02/0/0/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, 
id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe)

Any advice?
Regards,
S. WENSKE
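
The difference between the two excerpts is visible in the `check_for_banned` entries: the ZIP path ends in the member `regedit.exe`, while the RAR path ends at the archive itself. The script below is an added example, not part of the original post or of amavis; it scans unwrapped log lines (one entry per line) for archives that were checked as leaf parts, and its `ARCHIVE_TYPES` set and function name are assumptions.

```python
import re

# Short types treated as containers. ".rar" and ".zip" come from the logs above;
# the others are assumptions to adjust for the local setup.
ARCHIVE_TYPES = {".rar", ".zip", ".7z", ".arj", ".cab", ".tar"}

# Constructed sample: the two check_for_banned entries from the post, unwrapped.
SAMPLE_LOG = """\
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned (p004,p005,p002) multipart/signed | multipart/mixed | application/octet-stream,.rar,regedit.rar
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned (p004,p005,p002,p006) multipart/signed | multipart/mixed | application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
"""

LINE_RE = re.compile(
    r"amavis\[\d+\]: \((?P<id>[^)]+)\) check_for_banned "
    r"\((?P<parts>[^)]*)\) (?P<path>.+)$"
)


def unexpanded_archives(log_text):
    """Return (session id, part, name) for each archive logged as a leaf part."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = m.group("parts").split(",")
        # Path elements are separated by " | "; the last one is the leaf part.
        elements = [e.strip() for e in m.group("path").split(" | ")]
        leaf = elements[-1].split(",")
        # A leaf whose attributes include an archive type had no member listed
        # beneath it, so the banned-name lookup only saw the archive's own name.
        if ARCHIVE_TYPES.intersection(leaf):
            findings.append((m.group("id"), parts[-1], leaf[-1]))
    return findings


if __name__ == "__main__":
    for session, part, name in unexpanded_archives(SAMPLE_LOG):
        print(f"{session}: {part} {name} was checked without its members")
```

An empty archive is also reported, since it has no members to list, and attachment names containing a comma or ` | ` will confuse this simple split.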
