banned PDF files
Lucio Chiappetti
lucio at lambrate.inaf.it
Mon May 20 12:33:50 CEST 2013
We have an amavis/spamassassin/sendmail (milter) arrangement which we have
been happily using for ages. Our arrangement foresees D_PASS for "banned" and
"bad header", D_DISCARD for virus, and D_REJECT for spam. Moreover all
these are sent to a cumulative (institute-wide) quarantine folder. A
crontab cycles the quarantine folder daily and sends each user a
report with a list of the quarantined items.
One of our users recently found that a PDF file was listed in this
report (he had also regularly received the message with the PDF attachment
because of the D_PASS for "banned") and was confused (so were we).
From the mail log
May 17 23:02:09 helios amavis[18262]: (r4HL21St019249) Passed BANNED
(application/x-msdownload,.pdf,magnetars_sgrA_v4_DH_comments.pdf), AM.CL-SOCK
[155.253.16.xx] [129.105.65.yy] <originator at gmail.com> ->
<addressee>, quarantine: /var/spool/amavis/spam, Message-ID:
<51969AAA.3090301 at northwestern.edu>, mail_id: oycjWRQQHjZk, Hits: -0.645, size:
5043213, 1820 ms
it appears that the message was banned because of the
"application/x-msdownload,.pdf" declaration.
What is this ".pdf", a sort of MIME subtype of the main type
application/x-msdownload?
I suspect the attachment was incorrectly typed (not application/pdf) by
the sending software (or could it be a gmail issue?)
Now the question is:
1) Would it be a good idea to let the pdf subtype of application/x-msdownload
"go through" (i.e. not be banned at all), or is there a risk of fakes?
2) If it is a good idea, how can one implement it?
I report the uncommented entries from /etc/amavisd.conf
(AFAIK this part is unchanged from the distributed one):
$banned_filename_re = new_RE(
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, # block certain double extensions
qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
);
Thanks
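An added example (not from the original post, nor amavis's own code) that models in Python how the posted $banned_filename_re list is applied to one message part. It assumes, as my reading of the log, that the three comma-separated strings are the declared MIME type, the file(1)-derived short type and the declared file name, and that each is looked up against the list with the first matching rule deciding; it shows why the logged part was banned, that the same part passes once declared as application/pdf, and that a renamed executable would still be caught by the file(1) rule.

```python
import re

# Port of the posted $banned_filename_re entries (constructed for this example).
# Each entry is (regex, verdict): True = banned, False = explicitly allowed
# (the "[ qr'...' => 0 ]" form); the first matching entry wins.
BANNED_FILENAME_RE = [
    (re.compile(r'^\.(exe-ms|dll)$'), True),                   # file(1) types
    (re.compile(r'^\.(rpm|cpio|tar)$'), False),                # allow Unix archives
    (re.compile(r'.\.(pif|scr)$', re.I), True),                # banned extensions
    (re.compile(r'^application/x-msdownload$', re.I), True),   # declared MIME types
    (re.compile(r'^application/x-msdos-program$', re.I), True),
    (re.compile(r'^application/hta$', re.I), True),
    (re.compile(r'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$',
                re.I), True),                                  # double extensions
    (re.compile(r'.\.(exe|vbs|pif|scr|cpl)$', re.I), True),    # basic banned extensions
]

def lookup(attribute):
    """Return the verdict of the first rule matching one part attribute,
    or None when no rule matches (not banned because of this attribute)."""
    for regex, verdict in BANNED_FILENAME_RE:
        if regex.search(attribute):
            return verdict
    return None

def check_part(attributes):
    """attributes: the comma-separated strings amavis logs for one part,
    assumed here to be [declared MIME type, file(1) short type, declared name].
    Returns (banned, attribute that triggered the ban)."""
    for attribute in attributes:
        if lookup(attribute):
            return True, attribute
    return False, None

if __name__ == "__main__":
    # 1. The logged case: a real PDF declared by the sender as x-msdownload.
    print(check_part(["application/x-msdownload", ".pdf", "magnetars_sgrA_v4_DH_comments.pdf"]))
    # 2. The same part with a correct declaration passes.
    print(check_part(["application/pdf", ".pdf", "magnetars_sgrA_v4_DH_comments.pdf"]))
    # 3. A Windows executable declared as PDF (constructed "fake") is still
    #    caught by the file(1) rule, independently of the MIME-type rule.
    print(check_part(["application/pdf", ".exe-ms", "report.pdf"]))
```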