Good banned_filename_maps or banned_filename_re Documentation

amavis amavis at mobius.co.nz
Sun Mar 13 22:23:16 CET 2016


Can anyone point me to some extensive documentation on the
Banned_filename_maps handling?

I've looked and looked and can't find any that covers it extensively.
I'm hitting walls with my rules - because I don't want to block TNEF, as
many businesses send each other mail in this format, I have a lot getting
through that shouldn't. I try and allow DOC (with ClamAV stopping any
containing macros) but AMAVIS identifies it as a MIME type of DAT. If I
allow DAT then that rule allows pretty much any
application/octet-stream through.

What I'm trying hard to achieve is essentially a whitelist of extensions,
so allow

.DOC .DOCX .XLS .XLSX .JPG .JPEG .GIF .PNG .TXT .ASC .PDF

And then block anything else, but because of the way it seems to put MIME
mapping ahead of literal filename extensions things end up not working.
A .DOC gets blocked on the MIME type; adding the rule to allow that MIME
type means a .GFD random binary file gets let through. I know that if we
ignore MIME types and real file type analysis, in theory a user could be
emailed an EXE file with instructions to save it, rename it and then
run it, but in reality the people who are going to be stupid enough to
open what most would see as an obvious malware dropper aren't going to
handle those instructions.

I know that with REGEX a ^ at the start is for looking for a match at the
beginning of the string, but I saw another thread talking about
Banned_Filename_maps that having the ^ (or perhaps not having it, lost
the thread) denoted whether looking at the filename as detected by the
file command or looking at the filename reported in the email body, but
it didn't work for me. I'd like to be handling the email-reported
filename as that's the one that counts.

Again - it's not just regular expressions I need, as the problem is I'm
not certain of what data is being fed to the regular expression to
handle.

The idea of having a list of types to block is becoming too dangerous as
the Cryptolocker authors are getting too clever with their droppers.
Nearly every attachment blocking example I've seen for amavis ignores
.JAR, and yet I've seen a .JAR dropper via email recently, so relying on
people to think of every potentially dangerous file type is too risky.
These guys will try the super obscure as it's a numbers game, and even if
they try a filetype that only one piece of proprietary software will
script, they'll try it if it gets around blockers.

Any help on this is greatly appreciated. I don't want to have to learn
python and get the source code for Amavisd-new to understand how the
feature works but the documentation I've found is either VERY simplistic
or missing altogether. I can't find ANY reference to the
BANNED_FILENAME_MAPS in the manual at all other than a mention of the
command existing.
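An extension allow-list of the kind described above, written as an amavisd-new `$banned_filename_re` rule list. This is an added example, not code from the original post or from the amavisd-new project, and it relies on the matching conventions as documented in amavisd.conf-sample: rules are tried in order against each attribute string of a mail part (the declared file name, the declared MIME type, and the file(1) type name with a leading dot such as `.doc` or `.dat`), the first matching rule decides for that string, and a rule written as `[ qr'...' => 0 ]` means "not banned". It also assumes, as I recall the default, that `@banned_filename_maps` refers to `$banned_filename_re`; the extension list is the one from the post.

```perl
# Added example (not from the post or the amavisd-new project): an
# extension allow-list for amavisd-new as a $banned_filename_re rule list.
# Assumed semantics (check amavisd.conf-sample for your version): each rule
# is tried in order against every attribute string of a part, namely the
# declared file name (e.g. "report.doc"), the declared MIME type
# (e.g. "application/octet-stream") and the file(1) type name with a
# leading dot (e.g. ".doc", ".dat", ".exe-ms"); the first matching rule
# decides for that string, and [ qr'...' => 0 ] means "not banned".
$banned_filename_re = new_RE(

  # 1. Executables as recognised by file(1) content analysis are banned
  #    whatever name they were given. This is the one content-based rule
  #    kept in front of the name allow-list, so a renamed EXE still trips.
  qr'^\.(exe|exe-ms|dll)$',

  # 2. The allow-list, matched on the declared file name only. The '.\.'
  #    prefix demands a character before the dot, so a file(1) type name
  #    such as ".doc" or ".dat" is not matched here and does not open the
  #    door to every application/octet-stream part. Anchoring on $ means
  #    "invoice.pdf.exe" does not qualify, while "invoice.exe.pdf" is
  #    caught by rule 1 on its file(1) type.
  [ qr'.\.(doc|docx|xls|xlsx|jpg|jpeg|gif|png|txt|asc|pdf)$'i => 0 ],

  # 3. Catch-all: any other declared file name carrying an extension is
  #    banned, so .jar, .js, .hta, .gfd and whatever comes next need no
  #    entry of their own. The '[^/]+' prefix excludes '/' so the rule
  #    cannot fire on MIME type strings that contain a dot, such as
  #    "application/vnd.ms-excel", and it also keeps dotted file(1) type
  #    names out. Names without any extension, and body parts that
  #    declare no name at all, are left alone.
  qr'^[^/]+\.[^./]+$'i,
);
```

Before relying on it, send yourself a few test messages (an allowed .docx, a .jar, and an executable renamed to .pdf) and read the resulting "BANNED" lines in the amavis log, which name the attribute string that matched; how an allow result on one attribute string interacts with the other strings of the same part is defined by your amavisd version, so the log is the authority on whether rule 1 still fires for a renamed executable.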

 

 
