Suspect, mails are banned due to attachment only for single user.

Lukas Mensinck (private) lukas at mensinck.de
Fri Nov 22 10:36:34 CET 2019


Hi List.

We have amavisd running with no special configuration.

We have one recipient for which incoming mails from specific senders are banned due to the file extension of attachments.

The same mail from the same sender to other recipients is passing clean.

I see this in the logfile:

Nov 22 09:38:27 mailgw01 amavis[32401]: (32401-12) Blocked BANNED (.pdf,2019-04-16_SomeName.pdf,2019-04-16_SomeName.pdf) {BouncedInbound,Quarantined}, [xxx.xx.xx.85]:52148 [xx.xx.xx.130] <sender at domain.de> -> <recipient at mydomain.org>, quarantine: 4/banned-4lyzTSY40uKi, Queue-ID: 5426F342B09, Message-ID: <DDAD9B4BFD8F0A4E9FA437E95ED9ED2FB4157D at senderdomainl>, mail_id: 4lyzTSY40uKi, Hits: -, size: 729911, 5766 ms

This is in our amavisd.conf on a Debian 9 system:

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,      # Windows Metafile MIME type
# qr'^\.wmf$',                          # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm


# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING

@score_sender_maps = ({ # a by-recipient hash lookup table,
                        # results from all matching recipient tables are summed

# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
# 'user1 at example.com'  => [{'bla-mobile.press at example.com' => 10.0}],
# 'user3 at example.com'  => [{'.ebay.com'                 => -3.0}],
# 'user4 at example.com'  => [{'cleargreen at cleargreen.com' => -7.0,
#                           '.cleargreen.com'           => -5.0}],

  ## site-wide opinions about senders (the '.' matches any recipient)
  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],


    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

# These are some examples for whitelists; since envelope senders can be forged
# they are not enabled by default.
   { # a hash-type lookup table (associative array)
     #'nobody at cert.org'                        => -3.0,
     #'cert-advisory at us-cert.gov'              => -3.0,
     #'owner-alert at iss.net'                    => -3.0,
     #'slashdot at slashdot.org'                  => -3.0,
     #'securityfocus.com'                      => -3.0,
     #'ntbugtraq at listserv.ntbugtraq.com'       => -3.0,
     #'security-alerts at linuxsecurity.com'      => -3.0,
     #'mailman-announce-admin at python.org'      => -3.0,
     #'amavis-user-admin at lists.sourceforge.net'=> -3.0,
     #'amavis-user-bounces at lists.sourceforge.net' => -3.0,
     #'spamassassin.apache.org'                => -3.0,
     #'notification-return at lists.sophos.com'   => -3.0,
     #'owner-postfix-users at postfix.org'        => -3.0,
     #'owner-postfix-announce at postfix.org'     => -3.0,
     #'owner-sendmail-announce at lists.sendmail.org'   => -3.0,
     #'sendmail-announce-request at lists.sendmail.org' => -3.0,
     #'donotreply at sendmail.org'                => -3.0,
     #'ca+envelope at sendmail.org'               => -3.0,
     #'noreply at freshmeat.net'                  => -3.0,
     #'owner-technews at postel.acm.org'          => -3.0,
     #'ietf-123-owner at loki.ietf.org'           => -3.0,
     #'cvs-commits-list-admin at gnome.org'       => -3.0,
     #'rt-users-admin at lists.fsck.com'          => -3.0,
     #'clp-request at comp.nus.edu.sg'            => -3.0,
     #'surveys-errors at lists.nua.ie'            => -3.0,
     #'emailnews at genomeweb.com'                => -5.0,
     #'yahoo-dev-null at yahoo-inc.com'           => -3.0,
     #'returns.groups.yahoo.com'               => -3.0,
     #'clusternews at linuxnetworx.com'           => -3.0,
     #lc('lvs-users-admin at LinuxVirtualServer.org')    => -3.0,
     #lc('owner-textbreakingnews at CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)
     #'sender at example.net'                     =>  3.0,
     #'.example.net'                           =>  1.0,

   },
  ],  # end of site-wide tables
});

1;  # ensure a defined return

Any hints for us to evaluate the problem?
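As an added triage aid, not part of the original post and not amavisd-new's own code: a Python script that parses "Blocked BANNED" log lines of the shape quoted above, tallies banned file types per recipient (to confirm it really is a single user), and checks the logged part names against the site-wide $banned_filename_re patterns from the posted config, translated to Python's re module. The sample log lines are constructed, with addresses, IPs and IDs altered. Two assumptions are mine: that amavis tests each name in the parenthesised parts list of the log line against the banned patterns, and that when no site-wide pattern matches the next place to look is a per-recipient rule (@banned_filename_maps, a policy bank, or a user policy loaded from SQL/LDAP).

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines shaped like the one quoted in the post
# (addresses, IPs and IDs altered). Not real traffic.
SAMPLE_LOGS = [
    "Nov 22 09:38:27 mailgw01 amavis[32401]: (32401-12) Blocked BANNED "
    "(.pdf,2019-04-16_SomeName.pdf,2019-04-16_SomeName.pdf) "
    "{BouncedInbound,Quarantined}, [192.0.2.85]:52148 [192.0.2.130] "
    "<sender@example.net> -> <recipient@example.org>, "
    "quarantine: 4/banned-4lyzTSY40uKi, Queue-ID: 5426F342B09, "
    "Message-ID: <msg1@example.net>, mail_id: 4lyzTSY40uKi, Hits: -, "
    "size: 729911, 5766 ms",
    "Nov 22 11:02:10 mailgw01 amavis[32455]: (32455-03) Blocked BANNED "
    "(.pdf,report.pdf,report.pdf) {BouncedInbound,Quarantined}, "
    "[192.0.2.85]:52201 [192.0.2.130] <sender@example.net> -> "
    "<recipient@example.org>, quarantine: 5/banned-ABCDEF012345, "
    "Queue-ID: 6A1B2C3D4E, Message-ID: <msg2@example.net>, "
    "mail_id: ABCDEF012345, Hits: -, size: 41200, 1203 ms",
    "Nov 22 11:40:55 mailgw01 amavis[32460]: (32460-07) Blocked BANNED "
    "(.exe,setup.exe,setup.exe) {DiscardedInbound,Quarantined}, "
    "[198.51.100.7]:40211 [198.51.100.7] <other@example.com> -> "
    "<another@example.org>, quarantine: 6/banned-ZYXWVU987654, "
    "Queue-ID: 7F8E9D0C1B, Message-ID: <msg3@example.com>, "
    "mail_id: ZYXWVU987654, Hits: -, size: 912000, 804 ms",
]

# Fields of a "Blocked BANNED" line as amavis logs them (recipient list may
# hold several <addr> entries; the quarantine field is optional).
LOG_RE = re.compile(
    r"Blocked BANNED \((?P<parts>[^)]*)\) \{(?P<flags>[^}]*)\}, "
    r"\[(?P<client>[^\]]+)\]:\d+ (?:\[(?P<orig>[^\]]+)\] )?"
    r"<(?P<sender>[^>]*)> -> (?P<rcpts><[^>]*>(?:,<[^>]*>)*)"
    r"(?:, quarantine: (?P<quarantine>[^,]+))?"
    r", Queue-ID: (?P<queue_id>\S+),"
)

# The active (uncommented) site-wide $banned_filename_re entries from the
# posted amavisd.conf, rewritten as Python regexes. Perl's qr''i == re.I.
SITEWIDE_BANNED_RE = [
    re.compile(r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$", re.I),
    re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I),
    re.compile(r"^application/x-msdownload$", re.I),
    re.compile(r"^application/x-msdos-program$", re.I),
    re.compile(r"^application/hta$", re.I),
    re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.I),
    re.compile(r"^\.(exe-ms)$"),
]


def parse_banned_line(line):
    """Extract the fields needed for triage; None if not a BANNED block."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "parts": m.group("parts").split(","),
        "flags": m.group("flags").split(","),
        "client_ip": m.group("client"),
        "sender": m.group("sender"),
        "recipients": re.findall(r"<([^>]*)>", m.group("rcpts")),
        "quarantine": m.group("quarantine"),
        "queue_id": m.group("queue_id"),
    }


def sitewide_matches(parts):
    """(part, pattern) pairs that the posted site-wide rules would ban.

    Assumption: amavis tests every name in the logged parts list."""
    return [(p, rx.pattern) for p in parts
            for rx in SITEWIDE_BANNED_RE if rx.search(p)]


def diagnose(line):
    """Decide whether the site-wide rules explain the block."""
    rec = parse_banned_line(line)
    if rec is None:
        return None
    hits = sitewide_matches(rec["parts"])
    rec["sitewide_hit"] = bool(hits)
    rec["sitewide_matches"] = hits
    rec["next_step"] = (
        "site-wide $banned_filename_re explains the block" if hits else
        "no site-wide pattern matches: look for a per-recipient rule "
        "(@banned_filename_maps, a policy bank, or a user policy from "
        "SQL/LDAP) for " + ", ".join(rec["recipients"])
    )
    return rec


def banned_by_recipient(lines):
    """Count banned file types (first logged part) per recipient."""
    tally = defaultdict(Counter)
    for line in lines:
        rec = parse_banned_line(line)
        if rec:
            for r in rec["recipients"]:
                tally[r][rec["parts"][0]] += 1
    return {r: dict(c) for r, c in tally.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        d = diagnose(line)
        print(d["recipients"], d["parts"][0], "->", d["next_step"])
    print(banned_by_recipient(SAMPLE_LOGS))
```

Run it against `grep 'Blocked BANNED' /var/log/mail.log` output instead of SAMPLE_LOGS: if the tally shows .pdf blocks only for the one recipient and sitewide_matches() returns nothing for those parts, the ban is not coming from the global list shown in the post.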