banned PDF files

Patrick Ben Koetter p at sys4.de
Mon May 20 18:21:28 CEST 2013


* Lucio Chiappetti <lucio at lambrate.inaf.it>:
> We have an amavis/spamassassin/sendmail (milter) arrangement we have
> been happily using for ages. Our arrangement foresees D_PASS for
> "banned" and "bad header", D_DISCARD for virus, and D_REJECT for
> spam. Moreover all these are sent to a cumulative (institute-wide)
> quarantine folder. A crontab cycles daily the quarantine folder, and
> sends to each user a report with a list of the quarantined items.

It's more likely your virus scanner detected it as PUA
<http://lurker.clamav.net/message/20130322.151222.8e3d6877.de.html>.

p at rick



> 
> One of our users had recently found that a PDF file was listed in
> this report (he had also regularly received the message with the PDF
> attachment because of the D_PASS for "banned") and was confused (so
> were we).
> 
> From the mail log
> 
> May 17 23:02:09 helios amavis[18262]: (r4HL21St019249) Passed BANNED
> (application/x-msdownload,.pdf,magnetars_sgrA_v4_DH_comments.pdf),
> AM.CL-SOCK [155.253.16.xx] [129.105.65.yy] <originator at gmail.com> ->
> <addressee>, quarantine: /var/spool/amavis/spam, Message-ID:
> <51969AAA.3090301 at northwestern.edu>, mail_id: oycjWRQQHjZk, Hits:
> -0.645, size: 5043213, 1820 ms
> 
> it appears that the message was banned because of the
> "application/x-msdownload,.pdf" declaration.
> 
> What is this ".pdf", a sort of MIME subtype of the main type
> application/x-msdownload?
> 
> I suspect the attachment was incorrectly typed (not application/pdf)
> by the sending software (or could it be a gmail issue?)
> 
> Now the question is:
> 
> 1) would it be a good idea to let the pdf subtype of application/x-msdownload
>    "go through" (i.e. not banned at all), or is there a risk of fakes?
> 
> 2) if it is a good idea, how can one implement it?
>    I report the non-commented entries from /etc/amavisd.conf
>    (AFAIK this part is unchanged from the distributed one)
> 
> $banned_filename_re = new_RE(
>   qr'^\.(exe-ms|dll)$',               # banned file(1) types, rudimentary
>   [ qr'^\.(rpm|cpio|tar)$' => 0 ],    # allow any in Unix-type archives
>   qr'.\.(pif|scr)$'i,                 # banned extensions - rudimentary
>   qr'^application/x-msdownload$'i,    # block these MIME types
>   qr'^application/x-msdos-program$'i,
>   qr'^application/hta$'i,
>   qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
>   qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
> );
> 
> Thanks
> 

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
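As an added illustration (not code from the thread or from amavis itself), the following Python model evaluates the $banned_filename_re list from the question against a part's three names (declared MIME type, file(1) short type as ".ext", filename). It assumes amavis-style semantics of ordered rules where the first matching rule decides and a `[ re => 0 ]` pair allows; the ".pdf" exemption rule and the two sample parts are constructed to show why an exemption keyed on the file(1)-detected type, rather than on the declared MIME type or filename, still catches a renamed executable.

```python
import re

# Simplified model of amavis's $banned_filename_re evaluation (assumption:
# rules are tried in order against each of the part's names, and the first
# rule that matches any name decides; a [re => 0] pair means "allow").
# Each rule: (compiled regex, banned?) -- translated from the Perl qr'' list.
RULES = [
    (re.compile(r'^\.(exe-ms|dll)$'), True),                  # file(1) types
    (re.compile(r'^\.(rpm|cpio|tar)$'), False),               # allow Unix archives
    (re.compile(r'.\.(pif|scr)$', re.I), True),               # banned extensions
    (re.compile(r'^application/x-msdownload$', re.I), True),  # block MIME types
    (re.compile(r'^application/x-msdos-program$', re.I), True),
    (re.compile(r'^application/hta$', re.I), True),
    (re.compile(r'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', re.I), True),
    (re.compile(r'.\.(exe|vbs|pif|scr|cpl)$', re.I), True),   # banned extension
]

# Same list with a constructed exemption for parts that file(1) recognises as
# PDF, placed before the MIME-type rules so that it wins first.
RULES_PDF_OK = RULES[:3] + [(re.compile(r'^\.pdf$'), False)] + RULES[3:]


def banned_name(names, rules=RULES):
    """Return the name that triggered a ban, or None if the part is allowed.

    names = [declared MIME type, '.' + file(1) short type, filename]
    """
    for regex, banned in rules:
        for name in names:
            if regex.search(name):
                return name if banned else None
    return None


# Constructed sample parts modelled on the log line in the question.
# A genuine PDF that the sender labelled with the wrong MIME type:
MISLABELLED_PDF = ['application/x-msdownload', '.pdf',
                   'magnetars_sgrA_v4_DH_comments.pdf']
# A Windows executable renamed to .pdf and labelled as PDF (the "fake" case):
FAKE_PDF = ['application/pdf', '.exe-ms', 'invoice.pdf']

if __name__ == '__main__':
    for part in (MISLABELLED_PDF, FAKE_PDF):
        print(part[2], 'original rules:', banned_name(part),
              '| with .pdf exemption:', banned_name(part, RULES_PDF_OK))
```

With the original rules the mislabelled PDF is banned on its MIME type; with the exemption it passes, while the renamed executable is still caught by the file(1) rule in both lists.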

