Amavisd-new Attachment blocking

Matthew Beechey - Mobius matt at mobius.co.nz
Thu Apr 9 07:07:12 CEST 2015 

I want to do something that in itself seems easy but is proving
difficult.

 

What I'd like is to block ANY attachment other than a whitelist eg

 

DOCX / XLSX / DOC / XLS / JPG / JPEG / PNG / GIF / PDF

 

I'm using the following in my config:

 

$banned_filename_re = new_RE(

 

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class
ID CLSID, strict

 

  qr'^application/x-msdownload$'i,                  # block these MIME
types

  qr'^application/x-msdos-program$'i,

  qr'^application/hta$'i,

 

  qr'^\.(exe-ms)$',                       # banned file(1) types

 

  [qr'^\.(jpeg|jpg|png|gif|bmp|tnef|doc|\.docx|xls|xlsx|ppt|pptx|pdf)$'
=> 0],

  qr'.\.[a-zA-Z0-9]*$' => 1,

);

 

Whats happening is PDF's are coming through like a dream but DOCX, DOC,
XLS, XLSX are all getting blocked with the following

 

X-Amavis-Alert: BANNED, message contains
application/msword,.dat,testdoc.doc

 

X-Amavis-Alert: BANNED, message contains

 
application/vnd.openxmlformats-officedocument.wordprocessingml.document,
.dat,matttest.docx

 

So it appears something about the Mime type is overriding my allowing of
the extension???

 

If I take jpg out of the allowed extension list it blocks it - Put it
back and it gets through - Why do DOC and DOCX not behave the same?

 

Its getting too hard to block attachment types - I thought I'd been
pretty thorough in the past until the latest cryptowall coming through
as .JS files which then download the actual virus and execute it. I
figure to block EVERY file extension that coule potentially be exploited
is just too dangerous and instead we should work it backward and
actually allow types that you are happy with.

 

Any help on this would be greatly appreciated - I've had 4 customers
with cryptowall lately - Luckily none of them were people using my Spam
gateways running Amavis and Spamassasin but I want to keep it that way.
Amazingly these cryptowall emails with a zipped .JS are sailing right
through Microsoft Office 365 which is a little scary - Their spam rules
didn't get it and obviously they don't block any attachments at all
appart from the ones Outlook will make difficult (.EXE .SCR etc)

 

Regards,

 

Matt Beechey

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20150409/03ef489c/attachment.html>

More information about the amavis-users mailing list