Cannot ban lzh attachment

Nikolaos Milas nmilas at noa.gr
Tue Nov 30 13:35:11 CET 2021


Hello,

On CentOS 8 / amavis 2.12 we are receiving (a significant number of) 
incoming mails, each addressed to a large number of people in our org, 
each with two virus-infected attachments, with .lzh and .gz extensions.

I have configured:

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
    qr'^\.(exe|lha|cab|dll|lzh)$',
...

yet, we are still receiving such mail.

In the amavis log I see:

Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) smtp connection cache, dt: 259.8, state: 0
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) body hash: 88ea8e72cb4058e6a2b97947e14afcad
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p006 1 Content-Type: multipart/mixed
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p007 1/1 Content-Type: multipart/alternative
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p001 1/1/1 Content-Type: text/plain, 8bit, size: 384, SHA1 digest: 9baf5152f284a0216a8fb53537a15db0be5ec67e
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p008 1/1/2 Content-Type: multipart/related
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p002 1/1/2/1 Content-Type: text/html, QP, size: 4539, SHA1 digest: 80c0d1a7b3fe22df855ebb91277c954645db4e82
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) trace: LMTP://[127.0.0.1]:53138 < ESMTPS://88.198.141.164 < ESMTP://127.0.0.1 < ESMTP://127.0.0.1 < ESMTPA://127.0.0.1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) client IP address unknown, fetched from Received: 127.0.0.1
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p003 1/1/2/2 Content-Type: image/png, base64, size: 9250, SHA1 digest: c96ee5bd4ec1efdf15b4cd521ebba8ea306de911, name: image002.png
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) Checking: XnNQQpoKwM6B [127.0.0.1] <xxxxxxxxxxx at xxxxxxx.gr> -> <xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxx at noa.gr>,<xxxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxx at noa.gr>,<xxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxx at noa.gr>,<xxxx at noa.gr>,<xxxxxxx at noa.gr>,<xxxx at noa.gr>,<xxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxx at noa.gr>,<xxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxx at noa.gr>,<xxxxxxx at noa.gr>,<xxxxxxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>,<xxxxxxxxx at noa.gr>,<xxxxxxxx at noa.gr>
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) 2822.From: <mhatzisavidou at davoline.gr>
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p004 1/2 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.gz
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p005 1/3 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.lzh
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p006 1 Content-Type: multipart/mixed
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p007 1/1 Content-Type: multipart/alternative
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p001 1/1/1 Content-Type: text/plain, 8bit, size: 384, SHA1 digest: 9baf5152f284a0216a8fb53537a15db0be5ec67e
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p008 1/1/2 Content-Type: multipart/related
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p002 1/1/2/1 Content-Type: text/html, QP, size: 4539, SHA1 digest: 80c0d1a7b3fe22df855ebb91277c954645db4e82
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p003 1/1/2/2 Content-Type: image/png, base64, size: 9250, SHA1 digest: c96ee5bd4ec1efdf15b4cd521ebba8ea306de911, name: image002.png
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p004 1/2 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.gz
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p005 1/3 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.lzh
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) (!)Decoding of p004 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) (!)Decoding of p004 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) (!)Decoding of p005 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) (!)Decoding of p005 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) Checking for banned types and filenames

...

My questions:

1. Since I have configured .lzh as "BLOCKED ANYWHERE", shouldn't such an 
email be banned, as it contains a file attachment with a .lzh extension? 
Why is the mail not getting dropped?

2. Even if the mail (with the banned attachment) is not getting dropped 
(for some unknown reason), why does amavis not seem able to scan it 
("Decoding... failed", see above)?

Any replies / suggestions please?

I appreciate your help.

Thanks in advance,
Nick
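Added example (not from the post above, and not amavis code) to make the matching semantics of a `$banned_filename_re` entry concrete. It models, in Python, how I understand the default amavisd.conf comments: an entry of the form `qr'^\.(exe|lha|cab|dll)$'` is documented there as matching "banned file(1) types", i.e. a bare ".type" token derived from the content, while a separate entry of the form `qr'.\.(exe|vbs|pif|scr|cpl)$'i` matches the declared file name's extension. The candidate list tried per MIME part (declared name, MIME type, content-derived token), the token names (".rar", ".lha"), the magic-number table standing in for file(1), the sample bytes and the "tightened" rule set are all assumptions of this example. It covers only the name/type matching, not the archive decoding failure.

```python
import re

# ---------------------------------------------------------------------------
# Rules. Patterns are written in the amavisd.conf style and transcribed to
# Python's re; these particular constructs behave the same in Perl.
# ---------------------------------------------------------------------------

# The rule from the post above. Anchored with '^\.' it can only match a
# bare ".type" token, never a declared file name such as "invoice.lzh".
OP_RULES = [
    re.compile(r'^\.(exe|lha|cab|dll|lzh)$'),
]

# Hypothetical tightened set (an assumption of this example, not from the
# post): keep the type-token rule but include .rar, and add a rule on the
# declared name's extension in the shape of the default config's
# "banned extensions" entry.
TIGHTENED_RULES = [
    re.compile(r'^\.(exe|lha|cab|dll|lzh|rar)$'),
    re.compile(r'.\.(exe|lha|lzh|rar|cab|dll)$', re.I),
]

# Constructed magic-number table standing in for file(1). The ".type" token
# names mirror what I assume amavis derives from file(1) output.
MAGIC = [
    (b'Rar!\x1a\x07\x01\x00', '.rar'),  # RAR v5 signature
    (b'Rar!\x1a\x07\x00', '.rar'),      # RAR v1.5 to v4.x signature
    (b'\x1f\x8b', '.gz'),               # gzip
    (b'PK\x03\x04', '.zip'),            # zip local file header
]
# LHA/LZH headers carry the compression method id at offset 2, e.g. b'-lh5-'.
LHA_METHOD = re.compile(rb'^..-l(?:h[0-7d]|z[s45])-')


def sniff_type(data: bytes) -> str:
    """Return a '.type' token for the content, or '' if unrecognised."""
    for sig, token in MAGIC:
        if data.startswith(sig):
            return token
    if LHA_METHOD.match(data):
        return '.lha'
    return ''


def candidate_strings(filename: str, content_type: str, data: bytes) -> list:
    """Strings a banned rule is tried against for one MIME part.

    Assumption (modelled on amavis, not copied from it): the declared
    name, the MIME type and the content-derived '.type' token are all
    candidates, so a rule can fire on any one of them."""
    cands = [filename, content_type]
    token = sniff_type(data)
    if token:
        cands.append(token)
    return cands


def is_banned(rules, filename: str, content_type: str, data: bytes):
    """Return (matched_string, pattern) for the first rule that fires, else None."""
    for s in candidate_strings(filename, content_type, data):
        for rule in rules:
            if rule.search(s):
                return s, rule.pattern
    return None


# Constructed sample parts. The names and MIME type are those from the log;
# the bytes are a RAR v5 signature plus padding, not the real attachment.
RAR5_SAMPLE = b'Rar!\x1a\x07\x01\x00' + b'\x00' * 24
LHA_SAMPLE = b'\x1e\x00-lh5-' + b'\x00' * 24  # genuine LHA-style header
GZ_NAME = 'proforma Τιμολόγιο Αρ. M 67EE0077.gz'
LZH_NAME = 'proforma Τιμολόγιο Αρ. M 67EE0077.lzh'
CT = 'application/x-rar'


if __name__ == '__main__':
    for label, rules in (('OP rules', OP_RULES), ('tightened', TIGHTENED_RULES)):
        for name in (GZ_NAME, LZH_NAME):
            print(f'{label:9s} {name!r}: {is_banned(rules, name, CT, RAR5_SAMPLE)}')
    # A real LHA archive named .lzh: the OP rule does fire, via the '.lha' token.
    print('OP rules  real LHA:',
          is_banned(OP_RULES, 'invoice.lzh', 'application/octet-stream', LHA_SAMPLE))
```

Under these assumptions the rule from the post never fires on either attachment: the declared names do not start with a dot, so `^\.` cannot match them, and the content is a RAR archive, so the only type token available is ".rar", which is not in the list. The same rule does fire on a genuine LHA archive through the ".lha" token, regardless of what the file is called. The tightened set catches the .lzh part by its declared extension and the .gz part by its sniffed ".rar" type, which is the check a practitioner wants when attackers rename archives to dodge extension lists.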




More information about the amavis-users mailing list