Banned files in RAR vs ZIP

Sébastien WENSKE sebastien at wenske.fr
Mon May 6 17:13:38 CEST 2013


Hello Linus,

Yes, I have the RAR en/decoder installed:

May  6 16:02:09 smtp01 amavis[3065]: Found decoder for    .rar  at
/usr/bin/unrar
May  6 16:02:09 smtp01 amavis[3065]: Found decoder for    .rar  at
/usr/bin/7z (backup, not used)


More logs about RAR decode: (p002)

May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type:
application/octet-stream, size: 72549 B, name: regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 6101 bytes to
remaining quota 54834337 (out of 54907000, (0%)) - by mime_decode
[...]
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) decode_parts: level=1,
#parts=5 : p001, p002, p003, p004, p005
[...]
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[map_full_type_to_short_type] => true,  "RAR archive data, v1d, os: Win32"
matches, result="rar", matching_key="(?i-xsm:^RAR archive\134b)"
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) File-type of p002: RAR
archive data, v1d, os: Win32; (rar)
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[map_full_type_to_short_type] => true,  "data" matches, result="dat",
matching_key="(?-xism:^data\134z)"
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) File-type of p003: data;
(dat)
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p001 -
atomic
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Expanding RAR archive p002
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 427008 bytes to
remaining quota 54828236 (out of 54907000, (1%)) - by do_unrar-pre
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) flatten_and_tidy_dir:
processing directory
"/var/amavis/tmp/amavis-20130506T130648-01410-7TLy4blY/parts/rar"
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 0 bytes to
remaining quota 54828236 (out of 54907000, (0%)) - by do_unrar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[keep_decoded_original] => undef, "RAR archive data, v1d, os: Win32" does
not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p002 -
archive, unpacked
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p003 -
atomic
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[bypass_header_checks] => undef, "sebastien at wenske.fr" does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[bypass_header_checks] => undef, "sebastien at wenske.fr" does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Checking for banned types
and filenames
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_filename], 1
matches for "sebastien at wenske.fr", results: "(constant:DEFAULT)"=>"DEFAULT"
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) collect banned table[0]:
sebastien at wenske.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3491dd0)
[...]
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned
(p004,p005,p002) multipart/signed | multipart/mixed |
application/octet-stream,.rar,regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[check_bann:sebastien at wenske.fr] => undef,
["multipart/signed","multipart/mixed","application/octet-stream",".rar","reg
edit.rar"] does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re]
=> undef,
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\t
L=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar" does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr:
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"

Cheers,
S. WENSKE


-----Original Message-----
From: amavis-users
[mailto:amavis-users-bounces+sebastien=wenske.fr at amavis.org] On behalf of
Linus Haake
Sent: Monday 6 May 2013 16:25
To: amavis-users at amavis.org
Subject: Re: Banned files in RAR vs ZIP


Did you have some encoder installed for RAR?

Whilst restarting amavisd, you should see something like this in the log:

May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .F    at
/usr/bin/unfreeze
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .Z    at
/usr/bin/uncompress
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .gz   at
/usr/bin/gzip -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .bz2  at
/usr/bin/bzip2 -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .xz   at
/usr/bin/xzdec
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lzma at
/usr/bin/lzmadec
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .lrz, tried: lrzip
-q -k -d -o -, lrzcat -q -k
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lzo  at
/usr/bin/lzop -d
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .rpm  at
/usr/bin/rpm2cpio
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .cpio, tried: pax
May  6 16:24:09 mail2 amavis[32340]: No ext program for   .tar, tried: pax
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .deb  at
/usr/bin/ar
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .rar  at
/usr/bin/unrar
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .arj  at
/usr/bin/arj
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .arc  at
/usr/bin/nomarch
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .zoo  at
/usr/bin/zoo
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .doc  at
/usr/bin/ripole
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .cab  at
/usr/bin/cabextract
May  6 16:24:09 mail2 amavis[32340]: Internal decoder for .tnef
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .zip  at
/usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .kmz  at
/usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .7z   at
/usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .tar  at
/usr/bin/7za
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .jar  at
/usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .cpio at
/usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .swf  at
/usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .lha  at
/usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .iso  at
/usr/bin/7z
May  6 16:24:09 mail2 amavis[32340]: Found decoder for    .exe  at
/usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
May  6 16:24:09 mail2 amavis[32340]: No decoder for       .lrz

Cheers

________________________________________
From: amavis-users [amavis-users-bounces+linus=haake-it.net at amavis.org]
on behalf of "Sébastien WENSKE [sebastien at wenske.fr]"
Sent: Monday, 6 May 2013 16:13
To: amavis-users at amavis.org
Subject: Banned files in RAR vs ZIP

Hi list,

I've noticed that banned files are well blocked in ZIP files but not in RAR
files.

I compressed the same exe file twice (ZIP and RAR); it will be blocked as
ZIP but not as RAR:

May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type:
application/octet-stream, size: 72549 B, name: regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned
(p004,p005,p002) multipart/signed | multipart/mixed |
application/octet-stream,.rar,regedit.rar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[check_bann:sebastien at wenske.fr] => undef,
["multipart/signed","multipart/mixed","application/octet-stream",".rar","reg
edit.rar"]
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re]
=> undef,
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\t
L=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar"
does not match
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr:
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"
May  6 15:29:01 smtp01 amavis[1410]: (01410-17) save_info_final
0ikUThnn8qfs, orig=Y, chks=VSHB, cont.ty=C, q.type= , q.to=, dsn=N,
score=1.274, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B12A at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'

----------------------------------------------------------------------------

May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p002 1/1/2 Content-Type:
application/octet-stream, size: 79750 B, name: regedit.zip
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned
(p004,p005,p002,p006) multipart/signed | multipart/mixed |
application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) lookup
[check_bann:sebastien at wenske.fr] => true,
["multipart/signed","multipart/mixed","application/octet-stream",".zip","reg
edit.zip",".exe",".exe-ms","regedit.exe"]
matches, result="1", matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) p.path BANNED:1
sebastien at wenske.fr: "P=p004,L=1,M=multipart/signed |
P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=zip,N=regedit.zip |
P=p006,L=1/1/2/1,T=exe,T=exe-ms,N=regedit.exe",
matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) blocking ccat=8, SMTP
response: 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) notif=N, suppressed=0,
ndn_needed=, exit=99, 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) Blocked BANNED
(.exe,.exe-ms,regedit.exe) {DiscardedOutbound,Quarantined}, MYNETS LOCAL
[10.4.0.10]:58026 [10.4.0.10] <sebastien.wenske at fr.airtag.com> ->
<sebastien at wenske.fr>, quarantine: banned-ut82zwN_K7V8, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, mail_id:
ut82zwN_K7V8, Hits: -, size: 119672, 188 ms
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) save_info_final ut82zwN_K7V8, orig=Y, chks=VHB,
cont.ty=B, q.type=F, q.to=banned-ut82zwN_K7V8, dsn=N, score=0, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) sending SMTP response: "250
2.7.0 Ok, discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe"
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) ESMTP> 250 2.7.0 Ok,
discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe
May  6 15:29:21 smtp01 postfix/smtp[2268]: 4FEF02040E:
to=<sebastien at wenske.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21,
delays=0.02/0/0/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe)

Any advice?
Regards,
S. WENSKE
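The two check_for_banned traces above, run through an added Python script that is not part of this thread or of amavisd-new. It applies the banned_filename key the ZIP log reports, `^\.(exe-ms|dll)$` (amavis prints a backslash as the octal escape `\134`), to the attribute list of every decoded part, the way the `check_bann` lookup does, and it also flags archives whose unpack step charged 0 bytes to the quota, which is what the RAR part p002 shows in the reply's trace, while the ZIP case produces a decoded child part p006. The sample log is constructed from the lines quoted in the thread, rejoined onto single lines; the zero-bytes heuristic, the ordering it assumes (Expanding, then the -pre charge, then the decoder's own charge) and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: amavis lines quoted in this thread, one log record per line.
SAMPLE_LOG = """\
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Expanding RAR archive p002
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 427008 bytes to remaining quota 54828236 (out of 54907000, (1%)) - by do_unrar-pre
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 0 bytes to remaining quota 54828236 (out of 54907000, (0%)) - by do_unrar
May  6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned (p004,p005,p002) multipart/signed | multipart/mixed | application/octet-stream,.rar,regedit.rar
May  6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned (p004,p005,p002,p006) multipart/signed | multipart/mixed | application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
"""

# The banned_filename key that fired in the ZIP case (log shows \134 for the backslash).
BANNED_RE = re.compile(r"^\.(exe-ms|dll)$")

TASK_RE = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<msg>.*)$")
EXPAND_RE = re.compile(r"^Expanding (?P<kind>\S+) archive (?P<part>p\d+)$")
CHARGE_RE = re.compile(r"^Charging (?P<bytes>\d+) bytes to .* - by (?P<who>\S+)$")
CHECK_RE = re.compile(r"^check_for_banned \((?P<parts>[^)]*)\) (?P<attrs>.*)$")


def parse_log(text):
    """Yield (task id, message) for every amavis record; other lines are skipped."""
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if m:
            yield m.group("task"), m.group("msg")


def banned_attributes(attrs):
    """Flatten the 'a | b | c,d,e' list printed by check_for_banned.

    amavis matches its banned_filename regexps against each of these strings:
    the content type, short type(s) and name of every decoded part."""
    return [tok for group in attrs.split(" | ") for tok in group.split(",") if tok]


def banned_match(tokens, pattern=BANNED_RE):
    """Return the first attribute the banned rule matches, or None."""
    for tok in tokens:
        if pattern.search(tok):
            return tok
    return None


def analyze(text):
    """Per task: the attribute the banned rule hits (if any) and the archives
    whose decoder charged zero bytes, i.e. expanded without yielding content.

    Heuristic (this example's assumption): an 'Expanding X archive pNNN' line is
    followed by the decoder's '-pre' charge and then its real charge."""
    report = defaultdict(lambda: {"banned": None, "empty_unpack": []})
    pending = {}  # task -> (kind, part) of the archive currently being expanded
    for task, msg in parse_log(text):
        entry = report[task]
        if m := EXPAND_RE.match(msg):
            pending[task] = (m.group("kind"), m.group("part"))
        elif (m := CHARGE_RE.match(msg)) and not m.group("who").endswith("-pre"):
            if task in pending and int(m.group("bytes")) == 0:
                entry["empty_unpack"].append(pending.pop(task))
            else:
                pending.pop(task, None)
        elif m := CHECK_RE.match(msg):
            entry["banned"] = banned_match(banned_attributes(m.group("attrs")))
    return dict(report)


if __name__ == "__main__":
    for task, info in analyze(SAMPLE_LOG).items():
        print(task, info)
```

Run as-is it reports `.exe-ms` as the hit for task 01719-14 (the ZIP) and no hit for 01410-17 (the RAR), and lists p002 as a RAR archive that was expanded without any decoded bytes being charged. It pulls that discrepancy out of a busy log before one reads the full per-part trace; it does not replace checking the unrar run itself, which is where the missing decoded part would have to come from.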