Meaning of ".asc" in BANNED messages
Thomas Jarosch
thomas.jarosch at intra2net.com
Thu Mar 10 15:29:43 CET 2016
On Tuesday, 8. March 2016 16:36:11 @lbutlr wrote:
> >> There is no way that every one of these javascript-containing
> >> messages has a pgp signature.
> >
> > It's probably an evil javascript simply trying to mask as a pgp sig.
>
> No. *EVERY* message that hits BANNED has the same pattern,
>
> .asc,<something>.js
>
> 100%. No exceptions.
>
> Considering I can count on one hand with not all the fingers the number of
> spam messages I’ve ever seen with faked PGP sig, this is something else.

We had the same problem: Some local users are allowed to send/receive
PGP encrypted emails. Therefore we had .asc whitelisted for them
which overrides our banned attachment rules (including .js).

The problem with that javascript-virus.js file is that the file(1) utility
detects it as ASCII text which amavisd-new internally translates to .asc.
(see $map_full_type_to_short_type_re in amavisd)
-> So while .js is blocked, the .asc part overrides it.

Increase the $log_level of amavisd-new and then you can see it in the
verbose log messages. I was surprised to find a .js file in my INBOX this
morning, too :)

HTH,
Thomas
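
The override described in this message, as an added example that is not part of the original post and is not amavisd-new code: a simplified Python model in which the first matching rule decides, plus a check that reports ban rules shadowed by an earlier allow rule. The type map, the rule list, the evaluation order and the file names are constructed assumptions.

```python
import re

# Constructed stand-in for amavisd's $map_full_type_to_short_type_re:
# file(1) output pattern on the left, short type on the right.
FULL_TO_SHORT = [
    (re.compile(r"^ASCII\b.*text|^PGP", re.I), ".asc"),
    (re.compile(r"^Zip archive", re.I), ".zip"),
]

# Assumed rule list for a PGP user: (pattern, banned). First match decides.
RULES_PGP_USER = [
    (re.compile(r"^\.asc$"), False),               # .asc whitelisted
    (re.compile(r"\.(js|exe|vbs)$", re.I), True),  # general banned extensions
]

def short_type(file_output):
    """Map a file(1) description to a short type (simplified)."""
    for pattern, short in FULL_TO_SHORT:
        if pattern.search(file_output):
            return short
    return ".dat"  # constructed fallback for unrecognised content

def part_names(file_output, declared_name):
    """Names a MIME part is known by, in the order of the BANNED log line."""
    return [short_type(file_output), declared_name]

def first_match(rules, names):
    """Return (banned, matched_name, pattern) for the first rule that hits."""
    for pattern, banned in rules:
        for name in names:
            if pattern.search(name):
                return banned, name, pattern.pattern
    return False, None, None

def shadowed_bans(rules, names):
    """Ban rules that match a name of this part but lose to an earlier allow."""
    banned, _, winner = first_match(rules, names)
    if banned or winner is None:
        return []
    return [(n, p.pattern) for p, b in rules if b for n in names if p.search(n)]

if __name__ == "__main__":
    # Constructed sample: a script that file(1) reports as plain ASCII text.
    names = part_names("ASCII text, with very long lines", "invoice.js")
    print(",".join(names), first_match(RULES_PGP_USER, names))
    print("shadowed:", shadowed_bans(RULES_PGP_USER, names))
```

Running `shadowed_bans` over the name lists seen in verbose logs points out parts that were passed only because their detected type matched an allow rule.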