Hi Golf,

> After we try to disable this configure to check .exe, .exe-ms, and
> test with email that include ban content email
> then that email could pass normally and never block ban.
>
> ### amavisd.conf for BLOCKED ANYWHERE
> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
> #qr'^\.(exe|exe-ms|dll)$',  # banned file(1) types, rudimentary

I would try to disable each term of the query one after the other, try:

qr'^\.(exe-ms|dll)$',
qr'^\.(exe|dll)$',
qr'^\.(exe|exe-ms)$',

one after the other and see which one is working or not.

I still strongly suspect Lotus Notes to add some stupid signature with
some banned attachment in it, but this you can only see in the mail in
/var/virusmail/banned

Best regards,

Olivier

> So we surely this kind of blocking relate with this configure line.
> qr'^\.(exe|exe-ms|dll)$',  # banned file(1) types, rudimentary
>
> So I also try to find this kind of problem on amavis forum,
> They said about file(1), But my file version already version 5.14.
>
> So any recommendation to fix or any hints on this issue?
>
> Please do not hesitate to contact us, If you have any questions.
> Best Regards.
> ################################
> # Watthanachai KEKHUA (Golf)
> #################################
>
> DISCLAIMER :
> This email is for the use of the intended recipient(s) only.
> If you have received this email in error, please notify the sender
> immediately and then delete it.
> If you are not the intended recipient, you must not keep, use, disclose, copy
> or distribute this email without the author's prior permission.
> We have taken precautions to minimise the risk of transmitting software
> viruses, but we advise you to carry out your own virus checks on any
> attachment to this message.
> We cannot accept liability for any loss or damage caused by software viruses.
> The information contained in this communication may be confidential and may
> be subject to the attorney-client privilege.
> If you are the intended recipient and you do not wish to receive similar
> electronic messages from us in future then please respond to the sender to
> this effect.
>
> -----Original Message-----
> From: Olivier Nicole [mailto:[email protected]]
> Sent: Wednesday, March 11, 2015 3:39 PM
> To: Watthanachai Kekhua
> Cc: [email protected]
> Subject: Re: BANNED, message contains text/plain,.exe issue.
>
> Dear Golf,
>
> Watthanachai Kekhua <[email protected]> writes:
>
>> To Mr.Olivier,
>> CC: Amavisd users
>>
>> After we have considered and deep checked and then we found this error
>> related with this configure below "amavisd.conf",
>>
>> ### amavisd.conf for BLOCKED ANYWHERE
>> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>> qr'^\.(exe|exe-ms|dll)$',  # banned file(1) types, rudimentary
>
> Usually it is not only qr'^\.(exe|exe-ms|dll)$, but it is many lines like in
> my configuration:
>
> $banned_filename_re = new_RE(
>
> ### BLOCKED ANYWHERE
> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
> qr'^\.(exe-ms|dll)$',  # banned file(1) types, rudimentary
> # qr'^\.(exe|lha|tnef|cab|dll)$',  # banned file(1) types
>
> ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
> # [ qr'^\.(gz|bz2)$' => 0 ],  # allow any in gzip or bzip2
> [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any in Unix-type archives
>
> qr'.\.(pif|scr)$'i,  # banned extensions - rudimentary
> # qr'^\.zip$',  # block zip type
>
> ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
> # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives
>
> qr'^application/x-msdownload$'i,  # block these MIME types
> qr'^application/x-msdos-program$'i,
> qr'^application/hta$'i,
>
> # qr'^message/partial$'i,  # rfc2046 MIME type
> # qr'^message/external-body$'i,  # rfc2046 MIME type
>
> # qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
> # qr'^\.wmf$',  # Windows Metafile file(1) type
>
> # block certain double extensions in filenames
>
> qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
>
> # qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i,  # Class ID CLSID, strict
> # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extension CLSID, loose
>
> qr'.\.(exe|vbs|pif|scr|cpl)$'i,  # banned extension - basic
> # qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i,  # banned extension - basic+cmd
> # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
> #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
> #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
> #        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
> # qr'.\.(ani|cur|ico)$'i,  # banned cursors and icons filename
> # qr'^\.ani$',  # banned animated cursor file(1) type
>
> # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
> );
>
> So you must check every line, not just one line.
>
>> Due to before enable this configuration, This issue not happened before.
>> Once enable this configure to block exe in .zip file, this kind of issue
>> begin to happened.
>>
>> And we also test with below
>> 1. Email with normal plain text => still block with
>>    (554 5.7.0 Bounce, id=30228-09-2 - BANNED: text/plain,.exe)
>> 2. Email with image file => still block with
>>    (554 5.7.0 Bounce, id=30228-09-2 - BANNED: text/plain,.exe)
>> 3. Email with pdf file => still block with
>>    (554 5.7.0 Bounce, id=30228-09-2 - BANNED: text/plain,.exe)
>>
>> #All 3 cases maillog message show
>> BANNED, message contains text/plain,.exe
>> (554 5.7.0 Bounce, id=30228-09-2 - BANNED: text/plain,.exe)
>>
>> Have anyone ever found this kind of issue when enabled
>> "qr'^\.(exe|exe-ms|dll)$',"?
>> And how to fix this kind of issue?
>
> You must look at the messages in /var/virusmail/banned and make sure that
> Lotus Notes is not adding something in the message, even if you send plain
> text message, Lotus Notes may be doing something to it, the only way is to
> check the message in /var/virusmail/banned
>
> Best regards,
>
> Olivier
>
>>
>> Please do not hesitate to contact us, If you have any questions.
>> Best Regards.
>> ################################
>> # Watthanachai KEKHUA (Golf)
>> # Operation And Maintenance Department (OAM)
>> # Tel: 02-2367227 Ext. 1624
>> # NTT Communications (Thailand) Co., Ltd.
>> #################################
>>
>> -----Original Message-----
>> From: Olivier Nicole [mailto:[email protected]]
>> Sent: Monday, March 09, 2015 1:44 PM
>> To: Watthanachai Kekhua
>> Cc: [email protected]
>> Subject: Re: BANNED, message contains text/plain,.exe issue.
>>
>> Golf,
>>
>>> Since you have banned .exe all message from Lotus Notes are banned, even
>>> when they have no .exe in it?
>>> => Yes, correct. Amavisd detect some email from Lotus Notes as "BANNED"
>>> even that email not have ".exe" inside.
>>>
>>> For this issue it look like false positive for us, due to after enabled
>>> block ".exe", "exe-ms" this configuration we just found this issue
>>> happened.
>>> ### amavisd.conf for BLOCKED ANYWHERE
>>> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>>> qr'^\.(exe|exe-ms|dll)$',  # banned file(1) types, rudimentary
>>>
>>> In FreeBSD, Amavis usually put the banned email in /var/virusmail/banned
>>> directory. You could have a close look at the messages and confirm if they
>>> are good or not.
>>> => I've checked this email content before and we found it's good email and
>>> not have .exe attach file inside.
>>>
>>> So have you any recommendation to solved this kind of issue?
>>
>> You need to look at the full variable $banned_filename_re, it has more
>> than qr'^\.(exe-ms|dll)$', and goes on several lines, ending with a
>> single line with );
>>
>> You also need to look at one good message in /var/virusmail/banned and see
>> what is the exact contents, why it is banned (example:
>> X-Amavis-Alert: BANNED, message contains .exe,.exe-ms,PO.exe), etc.
>>
>> Maybe Lotus Notes includes a signature that is banned?
>>
>> Best regards,
>>
>> Olivier
>>
>>> Please do not hesitate to contact us, If you have any questions.
>>> Best Regards.
>>> ################################
>>> # Watthanachai KEKHUA (Golf)
>>> ################################
>>>
>>> -----Original Message-----
>>> From: Olivier Nicole [mailto:[email protected]]
>>> Sent: Monday, March 09, 2015 12:05 PM
>>> To: Watthanachai Kekhua
>>> Cc: [email protected]
>>> Subject: Re: BANNED, message contains text/plain,.exe issue.
>>>
>>> Hi Golf,
>>>
>>>> Today we found some strange situation for incoming email when enabled
>>>> blocking ".exe" in zip file extension on amavisd.conf as below
>>>> configuration.
>>>>
>>>> ### amavisd.conf for BLOCKED ANYWHERE
>>>> # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
>>>> qr'^\.(exe|exe-ms|dll)$',  # banned file(1) types, rudimentary
>>>>
>>>> Now, We always found banned email from incoming email send from Lotus
>>>> Notes MTA.
>>>> And Sender address try to send attach file ".xls" and normal email with
>>>> plain text after that our amavisd detect both email as "BANNED" type.
>>>
>>> I don't understand what you mean.
>>>
>>> Since you have banned .exe all message from Lotus Notes are banned, even
>>> when they have no .exe in it?
>>>
>>> In FreeBSD, Amavis usually put the banned email in /var/virusmail/banned
>>> directory. You could have a close look at the messages and confirm if they
>>> are good or not.
>>>
>>> If you *need* to discuss in Thai, maybe I can help.
>>>
>>> Best regards,
>>>
>>> Olivier
>>>
>>>> #maillog message show
>>>> BANNED, message contains text/plain,.exe
>>>> (554 5.7.0 Bounce, id=30228-09-2 - BANNED: text/plain,.exe)
>>>>
>>>> #Detail information application
>>>> FreeBSD 9 Amd64 bit Postfix + amavisd-new-2.8.0_2
>>>>
>>>> Have you ever found this kind of issue and how to solved problem for this
>>>> issue?
>>>>
>>>> Please do not hesitate to contact us, If you have any questions.
>>>> Best Regards.
>>>> ################################
>>>> # Watthanachai KEKHUA (Golf)
>>>> # Operation And Maintenance Department (OAM)
>>>> # Tel: 02-2367227 Ext. 1624
>>>> # NTT Communications (Thailand) Co., Ltd.
>>>> #################################
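
Added example, not part of the original thread and not amavisd-new code: a small Perl check of which active rule from the configurations quoted above matches each item of a reported part, run on the two alerts quoted in the thread. It assumes the comma-separated items after "message contains" are the attributes recorded for one part (MIME type, file(1) short type, filename); the rule labels and the function name matching_rules are made up here, and rule ordering, allow entries and archive nesting are not modelled.

```perl
#!/usr/bin/env perl
# Added example: a simplified model, not amavisd-new's own matching code.
# It only reports which rule matches which attribute of a reported part.
use strict;
use warnings;

# Active (uncommented) rules copied from the configurations quoted in the
# thread. The labels are hypothetical names chosen for this example.
my @rules = (
    [ q{file(1) type, Golf's line}    => qr'^\.(exe|exe-ms|dll)$' ],
    [ q{file(1) type, Olivier's line} => qr'^\.(exe-ms|dll)$' ],
    [ 'extension pif/scr'             => qr'.\.(pif|scr)$'i ],
    [ 'MIME x-msdownload'             => qr'^application/x-msdownload$'i ],
    [ 'MIME x-msdos-program'          => qr'^application/x-msdos-program$'i ],
    [ 'MIME hta'                      => qr'^application/hta$'i ],
    [ 'double extension' =>
      qr'\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i ],
    [ 'extension basic'               => qr'.\.(exe|vbs|pif|scr|cpl)$'i ],
);

# Return [attribute, rule label] pairs for one comma-separated descriptor,
# as it appears after "BANNED, message contains".
# Assumption: each comma-separated item is one attribute of the same part.
sub matching_rules {
    my ($descriptor) = @_;
    my @hits;
    for my $attr (split /,/, $descriptor) {
        for my $rule (@rules) {
            my ($label, $re) = @$rule;
            push @hits, [ $attr, $label ] if $attr =~ $re;
        }
    }
    return @hits;
}

# The two descriptors quoted in the thread.
for my $descriptor ('text/plain,.exe', '.exe,.exe-ms,PO.exe') {
    print "BANNED, message contains $descriptor\n";
    my @hits = matching_rules($descriptor);
    print "  (no rule matches)\n" unless @hits;
    printf "  %-10s matched by: %s\n", @$_ for @hits;
}
```

Both filename-extension rules require a character before the dot, so a bare ".exe" item can only be matched by a file(1) type rule, which points the check at the content of the quarantined part rather than at an attachment name.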
