Hello,

On CentOS 8 / amavis 2.12 we are receiving (a significant number of) incoming mails, each addressed to a large number of people in our org, each with two virus-infected attachments, with .lzh and .gz extensions.

I have configured:

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
   qr'^\.(exe|lha|cab|dll|lzh)$',
...

yet, we are still receiving such mail.

In the amavis log I see:

Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) smtp connection cache, dt: 259.8, state: 0
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) body hash: 88ea8e72cb4058e6a2b97947e14afcad
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p006 1 Content-Type: multipart/mixed
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p007 1/1 Content-Type: multipart/alternative
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p001 1/1/1 Content-Type: text/plain, 8bit, size: 384, SHA1 digest: 9baf5152f284a0216a8fb53537a15db0be5ec67e
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p008 1/1/2 Content-Type: multipart/related
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p002 1/1/2/1 Content-Type: text/html, QP, size: 4539, SHA1 digest: 80c0d1a7b3fe22df855ebb91277c954645db4e82
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) trace: LMTP://[127.0.0.1]:53138 < ESMTPS://88.198.141.164 < ESMTP://127.0.0.1 < ESMTP://127.0.0.1 < ESMTPA://127.0.0.1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) client IP address unknown, fetched from Received: 127.0.0.1
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p003 1/1/2/2 Content-Type: image/png, base64, size: 9250, SHA1 digest: c96ee5bd4ec1efdf15b4cd521ebba8ea306de911, name: image002.png
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) Checking: XnNQQpoKwM6B [127.0.0.1] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<xxxxxxx@noa.gr>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<x[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) 2822.From: <[email protected]>
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p004 1/2 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.gz
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) p005 1/3 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.lzh
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p006 1 Content-Type: multipart/mixed
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p007 1/1 Content-Type: multipart/alternative
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p001 1/1/1 Content-Type: text/plain, 8bit, size: 384, SHA1 digest: 9baf5152f284a0216a8fb53537a15db0be5ec67e
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p008 1/1/2 Content-Type: multipart/related
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p002 1/1/2/1 Content-Type: text/html, QP, size: 4539, SHA1 digest: 80c0d1a7b3fe22df855ebb91277c954645db4e82
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p003 1/1/2/2 Content-Type: image/png, base64, size: 9250, SHA1 digest: c96ee5bd4ec1efdf15b4cd521ebba8ea306de911, name: image002.png
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p004 1/2 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.gz
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) p005 1/3 Content-Type: application/x-rar, base64, size: 279014, SHA1 digest: 33ef47204c4cfbcd959b410db9d1de3da815c86f, name: proforma Τιμολόγιο Αρ. M 67EE0077.lzh
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) (!)Decoding of p004 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) (!)Decoding of p004 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) (!)Decoding of p005 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679693]: (679693-19) (!)Decoding of p005 (RAR archive data, v5) failed, leaving it unpacked: do_7zip: can't get a list of archive members: exit 2; Errors: 1
Nov 30 09:24:07 mailgw1 amavis[679875]: (679875-08) Checking for banned types and filenames

...

My questions:

1. Since I have configured .lzh as "BLOCKED ANYWHERE", shouldn't such an email be banned, as it contains a file attachment with the .lzh extension? Why is the mail not getting dropped?

2. Even if the mail (with the banned attachment) is not getting dropped (for some unknown reason), why does amavis not seem able to scan it ("Decoding... failed", see above)?

Any replies / suggestions please?

I appreciate your help.

Thanks in advance,
Nick
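The following Python is an added example, not amavisd code and not part of the post above. It models, in simplified form, how a banned-filename check derives several candidate strings from each MIME part: the extension of the declared name, a short type taken from the file's magic bytes (the job file(1) does for amavis), the MIME type and the bare name, and then runs the posted `$banned_filename_re` patterns over them. The three parts, their names and their leading bytes are constructed sample data that mirror the log above (the two archives carry the RAR v5 signature, which is why file(1) reported "RAR archive data, v5"); the exact candidate-string format and the `dat` fallback are assumptions of this model, not amavisd's precise behaviour.

```python
import re

# Magic-byte signatures for the formats this example needs (constructed
# lookup table; amavisd itself relies on file(1) for this job).
MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "rar",   # RAR 5.x archive
    b"Rar!\x1a\x07\x00": "rar",       # RAR 4.x and earlier
    b"\x1f\x8b": "gz",                # gzip
    b"\x89PNG\r\n\x1a\n": "png",      # PNG image
    b"MZ": "exe",                     # MZ/PE executable
}

# The patterns from the post (the "BLOCKED ANYWHERE" rule).
POSTED_RULES = [re.compile(r"^\.(exe|lha|cab|dll|lzh)$")]

# Same rules plus a type-based entry; "rar" is what the magic check yields
# for both archives no matter what extension the sender gave them.
EXTENDED_RULES = POSTED_RULES + [re.compile(r"^\.rar$")]

# Constructed sample parts mirroring the log: names from the log, content
# reduced to a signature plus filler. Assumption: unknown bytes -> "dat".
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
PARTS = [
    {"id": "p003", "mime": "image/png", "name": "image002.png",
     "data": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32},
    {"id": "p004", "mime": "application/x-rar",
     "name": "proforma \u03a4\u03b9\u03bc\u03bf\u03bb\u03cc\u03b3\u03b9\u03bf \u0391\u03c1. M 67EE0077.gz",
     "data": RAR5_SIG + b"\x00" * 32},
    {"id": "p005", "mime": "application/x-rar",
     "name": "proforma \u03a4\u03b9\u03bc\u03bf\u03bb\u03cc\u03b3\u03b9\u03bf \u0391\u03c1. M 67EE0077.lzh",
     "data": RAR5_SIG + b"\x00" * 32},
]


def short_type(data: bytes) -> str:
    """Short type from magic bytes; 'dat' when nothing matches (assumption)."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "dat"


def name_ext(name: str):
    """Extension after the last dot of the declared name, lower-cased.
    Dots inside the name (e.g. 'Αρ. M') are ignored; only the trailing one counts."""
    m = re.search(r"\.([^./\\ ]+)$", name)
    return m.group(1).lower() if m else None


def candidate_strings(part: dict) -> list:
    """Strings a banned-name rule is matched against for one part:
    .<ext from declared name>, .<type from magic>, .<mime type>, and the name."""
    out = []
    ext = name_ext(part["name"])
    if ext:
        out.append("." + ext)
    out.append("." + short_type(part["data"]))
    out.append("." + part["mime"])
    out.append(part["name"])
    return out


def banned_parts(parts: list, rules: list) -> dict:
    """Map part id -> list of (candidate string, pattern) that triggered a ban."""
    hits = {}
    for part in parts:
        for cand in candidate_strings(part):
            for rule in rules:
                if rule.search(cand):
                    hits.setdefault(part["id"], []).append((cand, rule.pattern))
    return hits


if __name__ == "__main__":
    for label, rules in (("posted rules", POSTED_RULES), ("extended rules", EXTENDED_RULES)):
        print(label, "->", banned_parts(PARTS, rules))
```

With the posted rules only the part named `.lzh` is caught, because the `.gz` extension is not in the pattern and `.gz` is also not what the content is. amavisd matches the same `$banned_filename_re` entries against both the declared extension and the file(1)-derived short type, so adding a type-based entry such as `^\.rar$` (or a full-form rule on `T=rar`) bans these archives regardless of the extension the sender chose, and does not depend on 7zip being able to list the archive members.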