<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
  <meta name="Generator" content="Kopano WebApp v8.3.0-694">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Suspect: mails are banned due to attachment only for a single user.</title>
</head>
<body>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">Hi List.<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">We have amavisd running with no special configuration.<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">We have one recipient for whom incoming mails from specific senders are banned due to the file extension of their attachments.<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">The same mail from the same sender to other recipients passes clean.<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">I see this in the logfile:<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">Nov 22 09:38:27 mailgw01 amavis[32401]: (32401-12) Blocked BANNED (.pdf,2019-04-16_SomeName.pdf,2019-04-16_SomeName.pdf) {BouncedInbound,Quarantined}, [xxx.xx.xx.85]:52148 [xx.xx.xx.130] <sender@domain.de> -> <recipient@mydomain.org>, quarantine: 4/banned-4lyzTSY40uKi, Queue-ID: 5426F342B09, Message-ID: <DDAD9B4BFD8F0A4E9FA437E95ED9ED2FB4157D@senderdomainl>, mail_id: 4lyzTSY40uKi, Hits: -, size: 729911, 5766 ms<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">This is in our amavisd.conf on a Debian 9 system:<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">$banned_filename_re = new_RE(<br /># qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components<br /><br />  # block certain double extensions anywhere in the base name<br />  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,<br /><br />  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict<br /><br />  qr'^application/x-msdownload$'i,                  # block these MIME types<br />  qr'^application/x-msdos-program$'i,<br />  qr'^application/hta$'i,<br /><br /># qr'^application/x-msmetafile$'i,      # Windows Metafile MIME type<br /># qr'^\.wmf$',                          # Windows Metafile file(1) type<br /><br /># qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types<br /><br /># [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed<br /># [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives<br /># [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives<br /># [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives<br /><br />  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic<br /># qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|<br />#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|<br />#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|<br />#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long<br /><br /># qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.<br /><br />  qr'^\.(exe-ms)$',                       # banned file(1) types<br /># qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types<br />);<br /># See <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631">http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631#</a><br /> and <a 
href="http://www.cknow.com/vtutor/vtextensions.htm">http://www.cknow.com/vtutor/vtextensions.htm#</a><br /><br /><br /> ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING<br /><br />@score_sender_maps = ({ # a by-recipient hash lookup table,<br />                        # results from all matching recipient tables are summed<br /><br /># ## per-recipient personal tables  (NOTE: positive: black, negative: white)<br /># 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],<br /># 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],<br /># 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,<br />#                           '.cleargreen.com'           => -5.0}],<br /><br />  ## site-wide opinions about senders (the '.' matches any recipient)<br />  '.' => [  # the _first_ matching sender determines the score boost<br /><br />   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist<br />    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],<br />    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],<br />    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],<br />    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],<br />    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],<br /><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">    [qr'^(your_friend|greatoffers)@'i                                => 5.0],<br />    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],<br />   ),<br /><br />#  read_hash("/var/amavis/sender_scores_sitewide"),<br /><br /># This are some examples for whitelists, since envelope senders can be forged<br /># they are not enabled by default. <br />   { # a hash-type lookup table (associative array)<br />     #'nobody@cert.org'                        => -3.0,<br />     #'cert-advisory@us-cert.gov'              => -3.0,<br />     #'owner-alert@iss.net'                    => -3.0,<br />     #'slashdot@slashdot.org'                  => -3.0,<br />     #'securityfocus.com'                      => -3.0,<br />     #'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,<br />     #'security-alerts@linuxsecurity.com'      => -3.0,<br />     #'mailman-announce-admin@python.org'      => -3.0,<br />     #'amavis-user-admin@lists.sourceforge.net'=> -3.0,<br />     #'amavis-user-bounces@lists.sourceforge.net' => -3.0,<br />     #'spamassassin.apache.org'                => -3.0,<br />     #'notification-return@lists.sophos.com'   => -3.0,<br />     #'owner-postfix-users@postfix.org'        => -3.0,<br />     #'owner-postfix-announce@postfix.org'     => -3.0,<br />     #'owner-sendmail-announce@lists.sendmail.org'   => -3.0,<br />     #'sendmail-announce-request@lists.sendmail.org' => -3.0,<br />     #'donotreply@sendmail.org'                => -3.0,<br />     #'ca+envelope@sendmail.org'               => -3.0,<br />     #'noreply@freshmeat.net'                  => -3.0,<br />     #'owner-technews@postel.acm.org'          => -3.0,<br />     #'ietf-123-owner@loki.ietf.org'           => -3.0,<br />     #'cvs-commits-list-admin@gnome.org'       => -3.0,<br />     #'rt-users-admin@lists.fsck.com'          => -3.0,<br />     #'clp-request@comp.nus.edu.sg'    
        => -3.0,<br />     #'surveys-errors@lists.nua.ie'            => -3.0,<br />     #'emailnews@genomeweb.com'                => -5.0,<br />     #'yahoo-dev-null@yahoo-inc.com'           => -3.0,<br />     #'returns.groups.yahoo.com'               => -3.0,<br />     #'clusternews@linuxnetworx.com'           => -3.0,<br />     #lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,<br />     #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,<br /><br />     # soft-blacklisting (positive score)<br />     #'sender@example.net'                     =>  3.0,<br />     #'.example.net'                           =>  1.0,<br /><br />   },<br />  ],  # end of site-wide tables<br />});<br /><br />1;  # ensure a defined return<br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;"><br /></span></p>
<p style="padding: 0; margin: 0;"><span style="font-size: 10pt; font-family: tahoma, arial, helvetica, sans-serif;">Any hints for us to evaluate the problem?<br /></span></p>
</body>
</html>