Meaning of ".asc" in BANNED messages

Thomas Jarosch thomas.jarosch at
Thu Mar 10 15:29:43 CET 2016

On Tuesday, 8. March 2016 16:36:11 @lbutlr wrote:
> >> There is no way that every one of these javascript-containing
> >> messages has a pgp signature.
> > 
> > It's probably an evil javascript simply trying to mask as a pgp sig.
> No. *EVERY* message that hits BANNED has the same pattern,
> .asc,<something>.js
> 100%. No exceptions.
> Considering I can count on one hand with not all the fingers the number of
> spam messages I’ve ever seen with faked PGP sig, this is something else.

we had the same problem: Some local users are allowed to send/receive
PGP encrypted emails. Therefore we had .asc whitelisted for them
which overrides our banned attachment rules (including .js).

The problem with that javascript-virus.js file is that the file(1) utility
detects it as ASCII text which amavisd-new internally translates to .asc.
(see $map_full_type_to_short_type_re in amavisd)

-> So while .js is blocked, the .asc part overrides it.

Increase the $log_level of amavisd-new and then you can see it in the 
verbose log messages. I was surprised to find a .js file in my INBOX this 
morning, too :)


More information about the amavis-users mailing list