banned PDF files
Patrick Ben Koetter
p at sys4.de
Mon May 20 18:21:28 CEST 2013
* Lucio Chiappetti <lucio at lambrate.inaf.it>:
> We have an amavis/spamassassin/sendmail (milter) arrangement we are
> happily using since ages. Our arrangement foresees D_PASS for
> "banned" and "bad header", D_DISCARD for virus, and D_REJECT for
> spam. Moreover all these are sent to a cumulative (institute-wide)
> quarantine folder. A crontab cycles daily the quarantine folder, and
> sends to each user a report with a list of the quarantined items.
It's more likely your virus scanner detected it as PUA
p at rick
> One of our users had recently found that a PDF file was listed in
> this report (he had also regularly received the message with the PDF
> attachment because of the D_PASS for "banned") and was confused (so
> were we).
> From the mail log
> May 17 23:02:09 helios amavis: (r4HL21St019249) Passed BANNED
> AM.CL-SOCK [155.253.16.xx] [129.105.65.yy] <originator at gmail.com> ->
> <addressee>, quarantine: /var/spool/amavis/spam, Message-ID:
> <51969AAA.3090301 at northwestern.edu>, mail_id: oycjWRQQHjZk, Hits:
> -0.645, size: 5043213, 1820 ms
> it results that the message was banned because of the
> "application/x-msdownload,.pdf" declaration.
> What is this ".pdf", a sort of MIME subtype of the main type
> application/x-msdownload ?
> I suspect the attachment was incorrectly typed (not application/pdf)
> by the sending software (or could it be a gmail issue ?)
> Now the question is:
> 1) would be a good idea to let the pdf subtype of application/x-msdownload
> "go through' (i.e. not banned at all), or there is a risk of fakes ?
> 2) if it is a good idea, how can one implement it ?
> I report the non-commented entries from /etc/amavisd.conf
> (AFAIK this part is unchanged from the distributed one)
> $banned_filename_re = new_RE(
> qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
> [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
> qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
> qr'^application/x-msdownload$'i, # block these MIME types
> qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
More information about the amavis-users