AW: Banned files in RAR vs ZIP

Linus Haake linus at haake-it.net
Mon May 6 16:25:18 CEST 2013 

Did you have some encoder installed for RAR?

whilst restarting amavisd, you should see something like this in the log:

May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .F    at /usr/bin/unfreeze
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .Z    at /usr/bin/uncompress
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .gz   at /usr/bin/gzip -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .xz   at /usr/bin/xzdec
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lzma at /usr/bin/lzmadec
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .lrz, tried: lrzip -q -k -d -o -, lrzcat -q -k
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lzo  at /usr/bin/lzop -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .cpio, tried: pax
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .tar, tried: pax
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .deb  at /usr/bin/ar
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .rar  at /usr/bin/unrar
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .arj  at /usr/bin/arj
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .arc  at /usr/bin/nomarch
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .zoo  at /usr/bin/zoo
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .doc  at /usr/bin/ripole
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .cab  at /usr/bin/cabextract
May  6 16:24:09 mail2 amavis[32340]: Internal decoder for .tnef
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .zip  at /usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .kmz  at /usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .7z   at /usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .tar  at /usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .jar  at /usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .cpio at /usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .swf  at /usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lha  at /usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .iso  at /usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .exe  at /usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
May  6 16:24:09 mail2 amavis[32340]: No decoder for       .lrz

Cheers

________________________________________
Von: amavis-users [amavis-users-bounces+linus=haake-it.net at amavis.org]" im Auftrag von "Sébastien WENSKE [sebastien at wenske.fr]
Gesendet: Montag, 6. Mai 2013 16:13
An: amavis-users at amavis.org
Betreff: Banned files in RAR vs ZIP

Hi list,

I've notice that banned files are well blocked in ZIP files but not in RAR
files.

I compressed the same exe file twice (ZIP and RAR), it will be blocked as ZIP
but not as RAR :

May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type:
application/octet-stream, size: 72549 B, name: regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned
(p004,p005,p002) multipart/signed | multipart/mixed |
application/octet-stream,.rar,regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[check_bann:sebastien at wenske.fr] => undef,
["multipart/signed","multipart/mixed","application/octet-stream",".rar","regedit.rar"]
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re] =>
undef,
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\tL=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar"
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr:
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"
May  6 15:29:01 smtp01 amavis[1410]: (01410-17) save_info_final 0ikUThnn8qfs,
orig=Y, chks=VSHB, cont.ty=C, q.type= , q.to=, dsn=N, score=1.274, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B12A at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p002 1/1/2 Content-Type:
application/octet-stream, size: 79750 B, name: regedit.zip
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned
(p004,p005,p002,p006) multipart/signed | multipart/mixed |
application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) lookup
[check_bann:sebastien at wenske.fr] => true,
["multipart/signed","multipart/mixed","application/octet-stream",".zip","regedit.zip",".exe",".exe-ms","regedit.exe"]
matches, result="1", matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p.path BANNED:1
sebastien at wenske.fr: "P=p004,L=1,M=multipart/signed |
P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=zip,N=regedit.zip |
P=p006,L=1/1/2/1,T=exe,T=exe-ms,N=regedit.exe",
matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) blocking ccat=8, SMTP
response: 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) notif=N, suppressed=0,
ndn_needed=, exit=99, 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) Blocked BANNED
(.exe,.exe-ms,regedit.exe) {DiscardedOutbound,Quarantined}, MYNETS LOCAL
[10.4.0.10]:58026 [10.4.0.10] <sebastien.wenske at fr.airtag.com> ->
<sebastien at wenske.fr>, quarantine: banned-ut82zwN_K7V8, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, mail_id:
ut82zwN_K7V8, Hits: -, size: 119672, 188 ms
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) save_info_final ut82zwN_K7V8,
orig=Y, chks=VHB, cont.ty=B, q.type=F, q.to=banned-ut82zwN_K7V8, dsn=N,
score=0, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) sending SMTP response: "250
2.7.0 Ok, discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) ESMTP> 250 2.7.0 Ok,
discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 postfix/smtp[2268]: 4FEF02040E:
to=<sebastien at wenske.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21,
delays=0.02/0/0/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe)

Any advice?
Regards,
S. WENSKE

More information about the amavis-users mailing list