Amavisd-new file attachment blocking
Matthew Beechey - Mobius
matt at mobius.co.nz
Thu Apr 9 07:11:06 CEST 2015
I want to do something that in itself seems easy but is proving
difficult.
What I'd like is to block ANY attachment other than a whitelist, e.g.
DOCX / XLSX / DOC / XLS / JPG / JPEG / PNG / GIF / PDF
I'm using the following in my config:
$banned_filename_re = new_RE(
  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID (CLSID), strict
  qr'^application/x-msdownload$'i,    # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,
  qr'^\.(exe-ms)$',                   # banned file(1) types
  # allowed file(1) types (value 0 = not banned); matched only against strings starting with "."
  [qr'^\.(jpeg|jpg|png|gif|bmp|tnef|doc|docx|xls|xlsx|ppt|pptx|pdf)$' => 0],
  # catch-all: ban anything else that ends in ".<alphanumerics>"
  [qr'.\.[a-zA-Z0-9]*$' => 1],
);
What's happening is PDFs are coming through like a dream but DOCX, DOC,
XLS, XLSX are all getting blocked with the following
X-Amavis-Alert: BANNED, message contains
application/msword,.dat,testdoc.doc
X-Amavis-Alert: BANNED, message contains
application/vnd.openxmlformats-officedocument.wordprocessingml.document,
.dat,matttest.docx
So it appears something about the MIME type is overriding my allowing of
the extension???
If I take jpg out of the allowed extension list it blocks it - Put it
back and it gets through - Why do DOC and DOCX not behave the same?
It's getting too hard to block attachment types - I thought I'd been
pretty thorough in the past until the latest cryptowall coming through
as .JS files which then download the actual virus and execute it. I
figure to block EVERY file extension that could potentially be exploited
is just too dangerous and instead we should work it backward and
actually allow types that you are happy with.
Any help on this would be greatly appreciated - I've had 4 customers
with cryptowall lately - Luckily none of them were people using my Spam
gateways running Amavis and SpamAssassin but I want to keep it that way.
Amazingly these cryptowall emails with a zipped .JS are sailing right
through Microsoft Office 365 which is a little scary - Their spam rules
didn't get it and obviously they don't block any attachments at all
apart from the ones Outlook will make difficult (.EXE .SCR etc)
Regards,
Matt Beechey
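As an added illustration (not from the original post or from the amavisd-new project), the Python below re-implements the lookup that the X-Amavis-Alert lines above reflect: each part's MIME type, file(1) type and file name are tried in turn against the poster's rule list, and the first rule that matches decides. It assumes that first-match order and uses constructed sample parts modelled on the alerts in the post.

```python
import re

# Added example, not from the original post or from amavisd-new itself.
# ASSUMPTION: amavisd tries each part's descriptors in the order shown in
# X-Amavis-Alert (MIME type, file(1) type written as ".ext", file name) and
# the first rule matching any of them decides; a rule value of 0 = allow.
RULES = [
    (re.compile(r'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?', re.I), 1),  # CLSID
    (re.compile(r'^application/x-msdownload$', re.I), 1),   # banned MIME types
    (re.compile(r'^application/x-msdos-program$', re.I), 1),
    (re.compile(r'^application/hta$', re.I), 1),
    (re.compile(r'^\.(exe-ms)$'), 1),                        # banned file(1) type
    # allowed file(1) types; only matches strings that START with "."
    (re.compile(r'^\.(jpeg|jpg|png|gif|bmp|tnef|doc|docx|xls|xlsx|ppt|pptx|pdf)$'), 0),
    # catch-all: anything with a dot followed by alphanumerics at the end
    (re.compile(r'.\.[a-zA-Z0-9]*$'), 1),
]

def verdict(descriptors):
    """Return (banned, deciding_descriptor, rule_index) for one MIME part."""
    for d in descriptors:
        for i, (rx, val) in enumerate(RULES):
            if rx.search(d):
                return bool(val), d, i
    return False, None, None

# Constructed sample parts, modelled on the alert lines in the post.
PARTS = {
    "testdoc.doc": ["application/msword", ".dat", "testdoc.doc"],
    "matttest.docx": [
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
        ".dat", "matttest.docx"],
    "photo.jpg": ["image/jpeg", ".jpg", "photo.jpg"],
    "invoice.pdf": ["application/pdf", ".pdf", "invoice.pdf"],
}

def explain():
    """Map each sample part to (banned, descriptor that decided it)."""
    return {name: verdict(desc)[:2] for name, desc in PARTS.items()}

if __name__ == "__main__":
    for name, (banned, hit) in explain().items():
        print(f"{name:14} {'BANNED' if banned else 'ok':6} decided by {hit!r}")
```

Under this model the JPG part is cleared by the allow rule on its file(1) type `.jpg`, whereas the DOC part's file(1) type is `.dat`, so nothing clears it before the catch-all matches the file name; the DOCX MIME type even matches the catch-all by itself because it contains dots.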