How to reproduce "BANNED" status mail?

Hiroyuki Sato hiroysato at gmail.com
Fri Jun 30 03:15:52 CEST 2017


Hello Patrick Ben Koetter.

I want to know if I got this right.
I understood the below. Is this correct?

1, Virus and Banned check order

  Even though the amavisd-new doc says the following:
  "it is best to consider the order of their evaluation unspecified (unknown)",
  amavisd checks a mail in the following order.

  (1) Virus check.
  (2) Banned check.

2, Infected mail

  If a virus is found in the mail content, the status changes to "INFECTED".
  In this status the "Banned" stage is not checked.

  Amavisd goes to the "Banned" stage only if that mail is not "INFECTED".

3, Banned mail

  This stage checks the filename extension of an attached file.
  It checks one of the following headers.

  Content-Type: application/octet-stream; name="hoge.exe"
  Content-Description: hoge.exe
  Content-Disposition: attachment; filename="hoge.exe"


I could reproduce "BANNED" status with the following command.

swaks -t dest@address \
  --attach-name 'test.exe' \
  --attach - \
  --server server \
  -p port \
  --suppress-data \
  --attach-type 'application/octet-stream'  < /tmp/test.exe

The test content is just plain text; it doesn't contain the EICAR string.

Best regards.


2017-06-29 19:35 GMT+09:00 Patrick Ben Koetter <p at sys4.de>:
> * Hiroyuki Sato <hiroysato at gmail.com>:
>> Hello, members.
>>
>> I would like to confirm Amavisd "BANNED" behavior.
>> (I'm investigating why this configuration removes mail contents which
>> judged "BANNED" status.)
>> But I can't reproduce that status with my sample
>> file(Eicar-Test-Signature). It reports "INFECTED" status.
>
> amavis tests for virii before it tests for banned files. If it detects a
> virus it will not test for any other content class, e.g. banned, anymore.
> That's why your EICAR test pattern triggers INFECTED and not BANNED in the
> log.
>
> Send yourself a file with a different suffix (filename) or MIME type *and*
> don't forget to specify the --attach-filename, if you use swaks or filename
> rules in @banned_rules will fail:
>
> $ swaks -f sender@source.test -t recipient@destination.test -s 127.0.0.1 \
>     --attach-type 'application/octet-stream' --attach-filename 'test.exe' \
>     --attach - --suppress-data </tmp/test.exe
>
> p at rick
>
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>



-- 
Hiroyuki Sato
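The decision order described in the thread (virus check first, banned-filename check second, with the filename taken from the Content-Type name=, Content-Description and Content-Disposition filename= headers), as an added example that is not part of the original post and not amavisd's own code: a small Python model that constructs the test messages, runs a stand-in virus check (a match on the EICAR test string) before the filename rule, and reports which status wins. The ban regex is a short assumed subset in the spirit of the amavisd default $banned_filename_re, the constructed messages and addresses are invented for the demo, and the filename=None case models a swaks run without --attach-name, where the filename rule has nothing to match.

```python
"""Toy model of the amavisd decision order discussed in the thread:
virus check first, banned-filename check second, with filename candidates
taken from Content-Type name=, Content-Description and
Content-Disposition filename=.  Added illustration; not amavisd code."""
import base64
import email
import re

# EICAR test pattern, assembled from two halves so this source file itself
# is not quarantined by a scanner; it stands in for a real antivirus hit.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         r"ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

# Assumed ban rule: a handful of extensions in the spirit of the amavisd
# default $banned_filename_re.  The real default list is much longer.
BANNED_EXT_RE = re.compile(r"\.(exe|com|pif|scr|bat|cmd|vbs)$", re.IGNORECASE)


def build_raw(body: bytes, filename, ctype: str = "application/octet-stream") -> bytes:
    """Construct (invented for this demo) a multipart/mixed message with one
    attachment.  With filename=None the three filename headers are omitted,
    which is what a swaks run without --attach-name produces."""
    if filename is None:
        part_headers = (f"Content-Type: {ctype}\r\n"
                        "Content-Disposition: attachment\r\n")
    else:
        part_headers = (f'Content-Type: {ctype}; name="{filename}"\r\n'
                        f"Content-Description: {filename}\r\n"
                        f'Content-Disposition: attachment; filename="{filename}"\r\n')
    b64 = base64.b64encode(body).decode("ascii")
    raw = ("From: sender@source.test\r\n"
           "To: recipient@destination.test\r\n"
           "Subject: banned-rule test (constructed)\r\n"
           "MIME-Version: 1.0\r\n"
           'Content-Type: multipart/mixed; boundary="b1"\r\n'
           "\r\n"
           "--b1\r\n"
           "Content-Type: text/plain; charset=us-ascii\r\n"
           "\r\n"
           "see attachment\r\n"
           "--b1\r\n")
    raw += part_headers
    raw += "Content-Transfer-Encoding: base64\r\n\r\n" + b64 + "\r\n--b1--\r\n"
    return raw.encode("ascii")


def candidate_names(part):
    """Collect filename candidates from the three headers named in the thread."""
    names = []
    ct_name = part.get_param("name", header="content-type")
    if ct_name:
        names.append(str(ct_name))
    desc = part.get("Content-Description")
    if desc:
        names.append(desc.strip())
    cd_name = part.get_param("filename", header="content-disposition")
    if cd_name:
        names.append(str(cd_name))
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def virus_check(msg) -> bool:
    """Stand-in scanner: decoded body contains the EICAR test string."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if EICAR in (part.get_payload(decode=True) or b""):
            return True
    return False


def banned_check(msg):
    """Return every filename candidate whose extension matches the ban rule."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        hits.extend(n for n in candidate_names(part) if BANNED_EXT_RE.search(n))
    return hits


def classify(raw: bytes):
    """Apply the thread's order: INFECTED wins and BANNED is never evaluated."""
    msg = email.message_from_bytes(raw)
    if virus_check(msg):
        return ("INFECTED", [])
    hits = banned_check(msg)
    return ("BANNED", hits) if hits else ("CLEAN", [])


if __name__ == "__main__":
    for body, name in [(b"just plain text\n", "test.exe"),
                       (EICAR, "test.exe"),
                       (b"just plain text\n", "notes.txt"),
                       (b"just plain text\n", None)]:
        print(name, classify(build_raw(body, name)))
```

The second case is the situation from the original question: the same test.exe name, but with the EICAR body, comes back INFECTED and the filename rule is never consulted. The last case shows why the filename matters on the swaks side: with no name header at all there is nothing for an extension rule to match, so the plain-text attachment is CLEAN.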

