AW: Banned files in RAR vs ZIP
Linus Haake
linus at haake-it.net
Mon May 6 17:25:24 CEST 2013
Did you check how banned files are being handled within archives?
For example, here:
$banned_filename_re = new_RE(
  ### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',                   # is or contains any undecipherable components
  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
  ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type
  ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives
________________________________________
From: Sébastien WENSKE [sebastien at wenske.fr]
Sent: Monday, 6 May 2013 17:13
To: Linus Haake; amavis-users at amavis.org
Subject: RE: Banned files in RAR vs ZIP
Hello Linus,
Yes, I have a RAR en/decoder installed:
May 6 16:02:09 smtp01 amavis[3065]: Found decoder for .rar at
/usr/bin/unrar
May 6 16:02:09 smtp01 amavis[3065]: Found decoder for .rar at
/usr/bin/7z (backup, not used)
More logs about RAR decode: (p002)
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type:
application/octet-stream, size: 72549 B, name: regedit.rar
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 6101 bytes to
remaining quota 54834337 (out of 54907000, (0%)) - by mime_decode
[...]
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) decode_parts: level=1,
#parts=5 : p001, p002, p003, p004, p005
[...]
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[map_full_type_to_short_type] => true, "RAR archive data, v1d, os: Win32"
matches, result="rar", matching_key="(?i-xsm:^RAR archive\134b)"
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) File-type of p002: RAR
archive data, v1d, os: Win32; (rar)
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[map_full_type_to_short_type] => true, "data" matches, result="dat",
matching_key="(?-xism:^data\134z)"
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) File-type of p003: data;
(dat)
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p001 -
atomic
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) Expanding RAR archive p002
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 427008 bytes to
remaining quota 54828236 (out of 54907000, (1%)) - by do_unrar-pre
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) flatten_and_tidy_dir:
processing directory
"/var/amavis/tmp/amavis-20130506T130648-01410-7TLy4blY/parts/rar"
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) Charging 0 bytes to
remaining quota 54828236 (out of 54907000, (0%)) - by do_unrar
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[keep_decoded_original] => undef, "RAR archive data, v1d, os: Win32" does
not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p002 -
archive, unpacked
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) decompose_part: p003 -
atomic
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[bypass_header_checks] => undef, "sebastien at wenske.fr" does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[bypass_header_checks] => undef, "sebastien at wenske.fr" does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) Checking for banned types
and filenames
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_filename], 1
matches for "sebastien at wenske.fr", results: "(constant:DEFAULT)"=>"DEFAULT"
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) collect banned table[0]:
sebastien at wenske.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x3491dd0)
[...]
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned
(p004,p005,p002) multipart/signed | multipart/mixed |
application/octet-stream,.rar,regedit.rar
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[check_bann:sebastien at wenske.fr] => undef,
["multipart/signed","multipart/mixed","application/octet-stream",".rar","regedit.rar"]
does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re]
=> undef,
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\tL=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar"
does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr:
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"
Cheers,
S. WENSKE
-----Original message-----
From: amavis-users
[mailto:amavis-users-bounces+sebastien=wenske.fr at amavis.org] on behalf of
Linus Haake
Sent: Monday 6 May 2013 16:25
To: amavis-users at amavis.org
Subject: AW: Banned files in RAR vs ZIP
Do you have an encoder installed for RAR?
Whilst restarting amavisd, you should see something like this in the log:
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .F at
/usr/bin/unfreeze
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .Z at
/usr/bin/uncompress
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .gz at
/usr/bin/gzip -d
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .bz2 at
/usr/bin/bzip2 -d
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .xz at
/usr/bin/xzdec
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .lzma at
/usr/bin/lzmadec
May 6 16:24:09 mail2 amavis[32340]: No ext program for .lrz, tried: lrzip
-q -k -d -o -, lrzcat -q -k
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .lzo at
/usr/bin/lzop -d
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .rpm at
/usr/bin/rpm2cpio
May 6 16:24:09 mail2 amavis[32340]: No ext program for .cpio, tried: pax
May 6 16:24:09 mail2 amavis[32340]: No ext program for .tar, tried: pax
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .deb at
/usr/bin/ar
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .rar at
/usr/bin/unrar
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .arj at
/usr/bin/arj
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .arc at
/usr/bin/nomarch
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .zoo at
/usr/bin/zoo
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .doc at
/usr/bin/ripole
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .cab at
/usr/bin/cabextract
May 6 16:24:09 mail2 amavis[32340]: Internal decoder for .tnef
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .zip at
/usr/bin/7za
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .kmz at
/usr/bin/7za
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .7z at
/usr/bin/7za
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .tar at
/usr/bin/7za
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .jar at
/usr/bin/7z
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .cpio at
/usr/bin/7z
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .swf at
/usr/bin/7z
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .lha at
/usr/bin/7z
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .iso at
/usr/bin/7z
May 6 16:24:09 mail2 amavis[32340]: Found decoder for .exe at
/usr/bin/unrar; /usr/bin/lha; /usr/bin/arj
May 6 16:24:09 mail2 amavis[32340]: No decoder for .lrz
Cheers
________________________________________
From: amavis-users [amavis-users-bounces+linus=haake-it.net at amavis.org]
on behalf of Sébastien WENSKE [sebastien at wenske.fr]
Sent: Monday, 6 May 2013 16:13
To: amavis-users at amavis.org
Subject: Banned files in RAR vs ZIP
Hi list,
I've noticed that banned files are blocked correctly in ZIP files but not in
RAR files.
I compressed the same exe file twice (ZIP and RAR); it is blocked as ZIP but
not as RAR:
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) p002 1/1/2 Content-Type:
application/octet-stream, size: 72549 B, name: regedit.rar
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) check_for_banned
(p004,p005,p002) multipart/signed | multipart/mixed |
application/octet-stream,.rar,regedit.rar
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup
[check_bann:sebastien at wenske.fr] => undef,
["multipart/signed","multipart/mixed","application/octet-stream",".rar","regedit.rar"]
does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) lookup [banned_namepath_re]
=> undef,
"P=p004\tL=1\tM=multipart/signed\nP=p005\tL=1/1\tM=multipart/mixed\nP=p002\tL=1/1/2\tM=application/octet-stream\tT=rar\tN=regedit.rar"
does not match
May 6 15:28:56 smtp01 amavis[1410]: (01410-17) p.path sebastien at wenske.fr:
"P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar"
May 6 15:29:01 smtp01 amavis[1410]: (01410-17) save_info_final
0ikUThnn8qfs, orig=Y, chks=VSHB, cont.ty=C, q.type= , q.to=, dsn=N,
score=1.274, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B12A at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'
----------------------------------------------------------------------------
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) p002 1/1/2 Content-Type:
application/octet-stream, size: 79750 B, name: regedit.zip
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) check_for_banned
(p004,p005,p002,p006) multipart/signed | multipart/mixed |
application/octet-stream,.zip,regedit.zip | .exe,.exe-ms,regedit.exe
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) lookup
[check_bann:sebastien at wenske.fr] => true,
["multipart/signed","multipart/mixed","application/octet-stream",".zip","regedit.zip",".exe",".exe-ms","regedit.exe"]
matches, result="1", matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) p.path BANNED:1
sebastien at wenske.fr: "P=p004,L=1,M=multipart/signed |
P=p005,L=1/1,M=multipart/mixed |
P=p002,L=1/1/2,M=application/octet-stream,T=zip,N=regedit.zip |
P=p006,L=1/1/2/1,T=exe,T=exe-ms,N=regedit.exe",
matching_key="(?-xism:^\134.(exe-ms|dll)$)"
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) blocking ccat=8, SMTP
response: 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) notif=N, suppressed=0,
ndn_needed=, exit=99, 250 2.7.0 Ok, discarded, id=01719-14 - BANNED:
.exe,.exe-ms,regedit.exe
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) Blocked BANNED
(.exe,.exe-ms,regedit.exe) {DiscardedOutbound,Quarantined}, MYNETS LOCAL
[10.4.0.10]:58026 [10.4.0.10] <sebastien.wenske at fr.airtag.com> ->
<sebastien at wenske.fr>, quarantine: banned-ut82zwN_K7V8, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, mail_id:
ut82zwN_K7V8, Hits: -, size: 119672, 188 ms
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) save_info_final
ut82zwN_K7V8, orig=Y, chks=VHB,
cont.ty=B, q.type=F, q.to=banned-ut82zwN_K7V8, dsn=N, score=0, Message-ID:
<9CBF6CE6B71A7C4BB7030FE9A279B8022034B13C at HQ0SBS01.airtag.local>, From:
'S\134303\134251bastien WENSKE <sebastien.wenske at fr.airtag.com>', Subject:
'Envoi d\134342\134200\134231un message\134302\134240: regedit'
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) sending SMTP response: "250
2.7.0 Ok, discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe"
May 6 15:29:21 smtp01 amavis[1719]: (01719-14) ESMTP> 250 2.7.0 Ok,
discarded, id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe
May 6 15:29:21 smtp01 postfix/smtp[2268]: 4FEF02040E:
to=<sebastien at wenske.fr>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21,
delays=0.02/0/0/0.19, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
id=01719-14 - BANNED: .exe,.exe-ms,regedit.exe)
Any advice?
Regards,
S. WENSKE
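To make the two log excerpts comparable side by side, here is an added Python model of the check_for_banned step (written for this thread, not amavis's own code). It turns the p.path strings printed in the logs into the same token list the "lookup [check_bann:...]" lines show, and walks the uncommented rules from the banned_filename_re excerpt quoted earlier in the thread. The evaluation order is my reading of that config, stated as an assumption in the comments: rules are tried top to bottom, the first rule matching any token of the part's ancestor chain decides, and a `=> 0` entry only shields the rules listed below it. The RAR chain from the log has no child part at all, so nothing from inside the archive is ever offered to the rules; the ZIP chain carries p006 and is caught by the exe-ms rule. The tar/.scr paths are constructed, not from the thread, and show the ordering caveat of the Unix-archive exception.

```python
import re

# Rules in evaluation order, transcribed from the banned_filename_re excerpt
# quoted in the thread (only the uncommented entries).  Each rule is
# (compiled regex, result): 1 means "banned", 0 means "explicitly allowed".
# Assumption (my model, not amavis's own code): rules are tried in order and
# the first rule matching ANY token of the part's ancestor chain decides, so
# a 0-rule only shields the rules that come after it.
RULES = [
    (re.compile(r'^\.(exe-ms|dll)$'), 1),        # banned anywhere
    (re.compile(r'^\.(rpm|cpio|tar)$'), 0),      # allow anything inside Unix archives
    (re.compile(r'.\.(pif|scr)$', re.I), 1),     # banned extensions, rudimentary
]


def parse_ppath(ppath):
    """Turn an amavis p.path string into the token list the log prints for
    check_bann: M= values verbatim, T= values as ".<type>", N= verbatim."""
    tokens = []
    for segment in ppath.split(" | "):
        for field in segment.split(","):
            key, _, value = field.partition("=")
            if key in ("M", "N"):
                tokens.append(value)
            elif key == "T":
                tokens.append("." + value)
            # P= (part id) and L= (nesting level) are not matched against
    return tokens


def check_for_banned(ppath, rules=RULES):
    """Return (result, matching_key, token) for the first rule that fires,
    or (None, None, None) when no rule matches (the 'does not match' case)."""
    tokens = parse_ppath(ppath)
    for regex, result in rules:
        for token in tokens:
            if regex.search(token):
                return result, regex.pattern, token
    return None, None, None


# p.path strings taken from the two log excerpts in the original post.
RAR_PATH = ("P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed | "
            "P=p002,L=1/1/2,M=application/octet-stream,T=rar,N=regedit.rar")
ZIP_PATH = ("P=p004,L=1,M=multipart/signed | P=p005,L=1/1,M=multipart/mixed | "
            "P=p002,L=1/1/2,M=application/octet-stream,T=zip,N=regedit.zip | "
            "P=p006,L=1/1/2/1,T=exe,T=exe-ms,N=regedit.exe")
# Constructed cases (not from the thread): the "allow within Unix archives"
# rule sits ABOVE the pif/scr rule, so a .scr name inside a tar is exempted
# while the same name on its own is banned.
TAR_SCR_PATH = ("P=p001,L=1,M=application/x-tar,T=tar,N=tools.tar | "
                "P=p002,L=1/1,T=dat,N=startup.scr")
BARE_SCR_PATH = "P=p001,L=1,M=application/octet-stream,T=dat,N=startup.scr"

if __name__ == "__main__":
    cases = [("rar", RAR_PATH), ("zip", ZIP_PATH),
             ("scr in tar", TAR_SCR_PATH), ("bare scr", BARE_SCR_PATH)]
    verdicts = {1: "BANNED", 0: "allowed by exception", None: "does not match"}
    for label, path in cases:
        result, key, token = check_for_banned(path)
        print(f"{label:11s}: {verdicts[result]}  key={key!r} token={token!r}")
```

Running it prints "does not match" for the RAR chain and "BANNED" with matching key `^\.(exe-ms|dll)$` for the ZIP chain, mirroring the log. The practical reading is that the RAR message is not slipping past the regex; the inner file never became a part, so the place to look is the archive expansion, not the rule list. The constructed tar case is a reminder to check where each `=> 0` entry sits relative to the rules it is meant to exempt.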