Banned mails by amavis because of decipherable content

hypernetics · 02-14-2008, 07:35 AM

Hi there,

I'm running Postfix/SA/Amavis on Debian Etch.
When I send an email to my mailserver that contains an encrypted zip-file, the server complains that it cannot decipher the content:

"BANNED CONTENTS ALERT
Our content checker found banned name: multipart/mixed |
application/x-zip-compressed,.zip,ipscan.zip | ipscan.exe,UNDECIPHERABLE
"

I want amavis to block archives that contain executable files but not archives that are encrypted. In /etc/amavis/conf.d/20-debian_defaults I found two entries that are related to this:

1.) $banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

2.) @keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

I commented out "qr'^MAIL-UNDECIPHERABLE$'", restarted amavis but this didn't work. I just don't know what parameter I have to set.

Can somebody help me?

Greetings,
hypz

bigrigdriver · 02-14-2008, 09:20 AM

There appear to be several parts of amavisd.conf that are involved in deciding what to do with mail that has encrypted or executable content. Here are the parts, in the order they appear in my amavisd.conf:

Code:

$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 1;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name

SA flags virus and banned mails as SPAM.

Code:

 $final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

What SA will do with mails which have been identified as undesirable.

Code:

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip

and

Code:

[$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'[{}]',      # curly braces in names (serve as Class ID extensions - CLSID)

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

 [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
 [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types

Rules to apply in identifying content as desirable or undesirable. These can be augmented with SA whitelist and blacklist files. See the SpamAssassin Wiki for a thorough set of rules filters and guides to setting up whitelists.

hypernetics · 02-14-2008, 01:35 PM

Thanks for your reply.

But I still don't know, which parameter I have to change to avoid amavis from blocking encrypted mails. Most of the parameters you mentioned relate to what kind of attachments should be blocked and/or how to deal with this.

Code:

@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip

and

Code:

[$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

It seems to me that these lines are the only ones that deal with encrypted mails?!