.eml attachments are not scanned

Thomas M Steenholdt tmus at tmus.dk
Fri Jan 30 02:15:32 CET 2015


On 2015-01-22 14:11, Thomas M Steenholdt wrote:
> On 2015-01-22 14:04, Thomas M Steenholdt wrote:
>> On 2015-01-21 11:39, Thomas M Steenholdt wrote:
>>> Hi there,
>>>
>>> I'm looking for a way to process attached e-mails (forwarded as
>>> attachment) with amavisd-new.
>>>
>>> - Sending myself an email, containing a zipped executable. Amavis blocks
>>> it just fine.
>>> - Sending the same mail, attached in another email, lets it through.
>>>
>>> Suggestions? Am I perhaps simply missing an important component somewhere?
>>>
>>> Cheers
>>>
>>> /Thomas
>> For what it's worth, it seems like "file" identifies the attachment as
>> "ASCII text" and I suspect this makes Amavis skip the analysis of the
>> attachment. Can somebody confirm this?
>>
>> It should be fairly easy to make "file" return something else for this
>> type of file. Any suggestions as to what we'd want it to return for an .eml
>> file to be properly processed?
>>
>> /Thomas
> Hmm, that doesn't actually seem to be the case:
>
> Jan 22 14:06:48 hurly amavis[24149]: (24149-01) p.path ttt at example.com:
> "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
> Jan 22 14:06:48 hurly amavis[24149]: (24149-01) p.path ttt at example.com:
> "P=p003,L=1,M=multipart/mixed |
> P=p002,L=1/2,M=message/rfc822,T=asc,N=test v.eml"
>
> "test v.eml" is the forwarded (as attachment) email, containing the
> banned file I'm looking to have amavis block.
>
> It just doesn't seem to go any deeper than this.
>
> /Thomas

Still no dice... Is it really not possible to make Amavis open and scan
an attached email (.eml - e.g. forward as attachment in Thunderbird)?
Right now I'm completely able to bypass all content filtering. Blocked
files such as .scr, .exe and everything is passed right through...

My point is that if people are naive enough to double-click a zip-file
received from an unknown sender, then double-click another zip-file,
then double-click the latest crypto-trojan .scr executable inside it
(and believe me - it happens), having to double-click the forwarded
e-mail containing all this nonsense is probably not going to keep them
from doing just that.

Ideas?

/Thomas
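
Added example, not part of the original post and not amavisd-new code: a Python check that can be run on a saved test message to list the banned names a fully recursive walk finds, for comparison with what the filter logged. The ban list, the depth cap and every sample name except "test v.eml" are assumptions; the sample mail is constructed and its ".scr" member holds only placeholder text.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED = (".exe", ".scr")  # assumed ban list: the extensions named in the post
MAX_DEPTH = 8              # assumed cap on how many containers are re-opened

def scan_blob(name, data, path, hits, depth):
    """Check one decoded attachment; re-open it if it is a mail or a zip."""
    here = path + (name,)
    if name.lower().endswith(BANNED):
        hits.append(" > ".join(here))
    elif depth >= MAX_DEPTH:
        hits.append(" > ".join(here) + " (not opened: nesting limit)")
    elif name.lower().endswith(".eml"):  # mail attached under a non-message type
        inner = message_from_bytes(data, policy=policy.default)
        scan_part(inner, here, hits, depth + 1)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                scan_blob(member, z.read(member), here, hits, depth + 1)

def scan_part(part, path=(), hits=None, depth=0):
    """Walk a MIME tree; multipart/* and message/rfc822 both hold child parts."""
    hits = [] if hits is None else hits
    name = part.get_filename()
    if part.is_multipart():
        sub = path + (name,) if name else path
        for child in part.get_payload():
            scan_part(child, sub, hits, depth)
    elif name:
        scan_blob(name, part.get_payload(decode=True) or b"", path, hits, depth)
    return hits

def build_sample(as_rfc822=True):
    """Constructed test mail: a zip with a dummy .scr, forwarded as attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.scr", b"harmless placeholder bytes")
    inner = EmailMessage()
    inner.set_content("see attachment")
    inner.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="doc.zip")
    outer = EmailMessage()
    outer.set_content("forwarded as attachment")
    if as_rfc822:  # what "forward as attachment" produces: message/rfc822
        outer.add_attachment(inner, filename="test v.eml")
    else:          # same mail attached as an opaque file
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="test v.eml")
    return message_from_bytes(outer.as_bytes(), policy=policy.default)
```

Calling `scan_part(build_sample())` returns the full path to the nested name. The sketch sets no size limits and does not handle encrypted archives.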

