X-Amavis-Alert: BANNED, message contains x.com

Nick Tait nick at tait.net.nz
Tue Jul 16 20:21:03 CEST 2024


On 17/07/2024 4:48 am, Thomas Barth wrote:
> Hello,
>
> Today a mail has been banned (false positive). It says message 
> contains x.com
>
> X-Quarantine-ID: <gUr-nLm4MOSm>
> X-Amavis-Alert: BANNED, message contains x.com
>
>
> I couldn't find x.com in the mail body itself, but the mail had a 
> zipfile as an attachment. The zip file probably contains invoices.
>
> I grepped for x.com in the config files, but I couldn't find a rule.
>
> grep -nri "x.com" /etc/amavis/
> /etc/amavis/conf.d/20-debian_defaults:123:# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
> /etc/amavis/conf.d/20-debian_defaults:200: #'clusternews at linuxnetworx.com'           => -3.0,
>
> In the journal:
> Jul 16 14:55:07 mx2 amavis[578842]: (578842-12) Blocked BANNED (x.com) {DiscardedInbound,Quarantined}, [209.85.128.42]:58456 [2a02:2455:17d4:d000:2d23:f49f:1017:f822] <user at fromexample.com> -> <user at toexample.com>, quarantine: q/banned->
> Jul 16 14:55:07 mx2 postfix/smtpd[582562]: proxy-accept: END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=578842-12 - BANNED: x.com; ...
>
> Anyone have any idea what's going wrong here?
>
> Thomas B

Hi Thomas.

I believe the culprit is the following line in 
/etc/amavis/conf.d/20-debian_defaults:

    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

...which is designed to block filenames that have a ".com" extension. 
i.e. You could try removing com from that expression?

Please also be aware of this one:

    # block certain double extensions anywhere in the base name
       qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

...which could get a hit on directories that include ".com." in the name 
(e.g. if a directory was named "google.com.au").

Nick.
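
An added example, not part of Nick's message or of amavis itself: a small Python diagnostic that lists which member names of a zip attachment match the two patterns quoted above. The archive and its member names are constructed, and matching on member names alone is an assumption that simplifies what amavis actually inspects.

```python
import io
import re
import zipfile

# The two patterns quoted from /etc/amavis/conf.d/20-debian_defaults above,
# transcribed to Python syntax (the Perl /i flag becomes re.IGNORECASE).
RULES = {
    "banned extension - basic": re.compile(
        r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.IGNORECASE),
    "double extension": re.compile(
        r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$", re.IGNORECASE),
}


def banned_members(zip_bytes):
    """Return {member_name: [labels of matching rules]} for members that match."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            matched = [label for label, rx in RULES.items() if rx.search(name)]
            if matched:
                hits[name] = matched
    return hits


def build_sample_zip():
    """Constructed sample archive; every member name is invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoices/2024-07.pdf", b"constructed")
        zf.writestr("invoices/x.com", b"constructed")      # one dot: basic rule only
        zf.writestr("invoices/www.x.com", b"constructed")  # two dots: both rules
        zf.writestr("notes.txt", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, rules in banned_members(build_sample_zip()).items():
        print(f"{name}: {', '.join(rules)}")
```

Running the same function over the bytes of a quarantined attachment shows which member name tripped which rule before any extension is removed from the expressions.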