python scripts banned from amavisd

bortolotti daniela.bortolotti at bo.infn.it
Tue Aug 25 13:22:41 CEST 2015


Good morning,
we have a problem with amavisd because mail including
Python files (as an attachment or in the message body) is banned.

The system sends an alert to the recipient like this:


 > From: "Content-filter at postinat1.bo.infn.it" <virusalert at bo.infn.it>
 > Subject: BANNED contents (.exe,gfal_metadata.py) in mail TO YOU from <.....................>
 > Date: 21 Aug 2015 15:42:51 GMT+2
 > To: < .......... >
 >
 > BANNED CONTENTS ALERT
 >
 > Our content checker found
 > banned name: .exe,gfal_metadata.py
 >
 > in an email to you from:
 > ..............
 >
 > Content type: Banned



We use amavisd-new-2.10.1-4.el7.noarch
The rules fixed in amavisd.conf are the following:

---------------------------------------------------------------------------------------------------------------------
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
   qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
   qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
   [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

   qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
# qr'^\.zip$',                            # block zip type

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
   [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

#  qr'^application/x-msdownload$'i,        # block these MIME types
   qr'^application/x-msdos-program$'i,
   qr'^application/hta$'i,

# qr'^message/partial$'i,         # rfc2046 MIME type
# qr'^message/external-body$'i,   # rfc2046 MIME type

# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
# qr'^\.wmf$',                            # Windows Metafile file(1) type

   # block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,

# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose

   qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
#        wmf|wsc|wsf|wsh)$'ix,                # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
# qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
# qr'^\.ani$',                            # banned animated cursor file(1) type
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
);
----------------------------------------------------------------------------------------------------------------------


Is it possible to whitelist Python scripts?
Can you help me?

Thanks a lot in advance.

Best regards
Daniela Bortolotti
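
To see which of the posted rules produces this alert, the following added example (not part of the original message, and not amavisd code) transcribes the active, uncommented rules from the excerpt into Python and tests each comma-separated name from the alert's "banned name" field against them. It assumes a simplified model in which each name is tested on its own and the first matching rule decides; the function names are hypothetical.

```python
import re

# Active (uncommented) rules from the amavisd.conf excerpt above, in file order.
# Tuple: (pattern, flags, ban) where ban=False is the "[ qr'...' => 0 ]" allow form.
RULES = [
    (r'^\.(exe-ms|dll)$', 0, True),
    (r'^\.(exe|lha|cab|dll)$', 0, True),
    (r'^\.(rpm|cpio|tar)$', 0, False),
    (r'.\.(pif|scr)$', re.I, True),
    (r'^\.(zip|rar|arc|arj|zoo)$', 0, False),
    (r'^application/x-msdos-program$', re.I, True),
    (r'^application/hta$', re.I, True),
    (r'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*'
     r'(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$', re.I, True),
    (r'.\.(exe|vbs|pif|scr|cpl)$', re.I, True),
]


def first_match(name):
    """Return (pattern, ban) for the first rule matching name, or None."""
    for pattern, flags, ban in RULES:
        if re.search(pattern, name, flags):
            return pattern, ban
    return None


def explain(banned_name):
    """Map each name in an alert's 'banned name' field to its deciding rule.

    Assumption: the field is a comma-joined list of names for one mail part
    (file(1) short type such as '.exe', then the declared filename), so a
    filename that itself contains a comma would be split incorrectly.
    """
    return {name: first_match(name) for name in banned_name.split(',')}


if __name__ == '__main__':
    # Value copied from the alert quoted in the message.
    for name, hit in explain('.exe,gfal_metadata.py').items():
        if hit is None:
            print(f'{name!r}: no active rule matches')
        else:
            print(f'{name!r}: {"BANNED" if hit[1] else "allowed"} by {hit[0]}')
```

For the alert quoted above, the file(1)-type name `.exe` hits `^\.(exe|lha|cab|dll)$`, while the filename `gfal_metadata.py` matches none of the active rules.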












