Hello,
I have (for the first time) a false positive on outgoing mail
(signed employee health insurance reports) with the following ban reason:
X-Amavis-Alert: BANNED, message contains part: multipart/mixed |
application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001
Don't ask me where it gets that .exe information from; it doesn't appear
in the MIME parts. However, I would like to release that file to the
health insurance destination without modifying too much.
We are using an mbox quarantine ($QUARANTINEDIR = '/var/spool/virus';).
Is there a way to release this from the mbox? Or should I go for maildir style
in the future (which means some rewriting of statistical scripts)?
Thanks in advance.
## detailed info:
ban pattern from amavisd.conf
$banned_filename_re = new_RE(
#   qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
    qr'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$'i,  # double extension
#   qr'.\.(exe|vbs|pif|scr|bat|cmd|com)$'i,  # banned extension - basic
    # banned extension - long
    qr'\.[^.]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh)$'ix,
#   qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
#   qr'^\.(zip|lha|tnef|cab)$'i,  # banned file(1) types
    qr'^\.exe$'i,  # banned file(1) types
    qr'^application/x-msdownload$'i,  # banned MIME types
    qr'^application/x-msdos-program$'i,
#   qr'^message/partial$'i, qr'^message/external-body$'i,  # block rfc2046
);
## mime types/filenames of banned e-mail:
Content-Type: Multipart/Mixed; boundary="BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
EBNA0006.auf,348,20070823:1503
EBNA0006,5958,20070823:1503
Dateinr:=2024
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: application/octet-stream; name=EBNA0006
Content-Disposition: attachment; filename="EBNA0006"
Content-Transfer-Encoding: BASE64
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv
Content-Type: application/octet-stream; name=EBNA0006.AUF
Content-Disposition: attachment; filename="EBNA0006.AUF"
Content-Transfer-Encoding: BASE64
--BlatBoundary-zmBuidg8ZdrJ3VdIGIbkv--
--
Robert Felber (PGP: 896CF30B)
Munich, Germany
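
Added example, not part of the original post and not amavisd-new code: a Python sketch that applies the active (uncommented) rules from the posted $banned_filename_re list to every attribute named in the X-Amavis-Alert line and reports which rule fired. It assumes the alert is a " | "-separated path of parts, each carrying comma-separated attributes (MIME type, file(1) short type, names), and tests each attribute on its own; parse_alert and explain are hypothetical helper names.

```python
import re

# Active rules copied from the $banned_filename_re list in the post,
# paired with the comment each one carries there.
ACTIVE_RULES = [
    (r'\.[^.]*\.(exe|vbs|pif|scr|bat|cmd|com|dll)$', "double extension"),
    (r'\.[^.]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh)$',
     "banned extension - long"),
    (r'^\.exe$', "banned file(1) types"),
    (r'^application/x-msdownload$', "banned MIME types"),
    (r'^application/x-msdos-program$', "banned MIME types"),
]

# The alert header from the post, unfolded onto one line.
ALERT = ("BANNED, message contains part: multipart/mixed | "
         "application/octet-stream,.asc,EBNA0006 | .exe,UNKNOWN.001")

# File names declared in the MIME headers of the banned message.
DECLARED_NAMES = ["EBNA0006", "EBNA0006.AUF"]


def parse_alert(alert):
    """Return the part path as a list of nodes, each a list of attributes.

    Assumption: nodes are separated by '|' and attributes by ','.
    """
    _, _, path = alert.partition("part:")
    return [[attr.strip() for attr in node.split(",")]
            for node in path.split("|")]


def explain(alert, rules=ACTIVE_RULES):
    """Return (depth, attribute, rule label) for every rule that matches."""
    hits = []
    for depth, attrs in enumerate(parse_alert(alert)):
        for attr in attrs:
            for pattern, label in rules:
                # The posted rules all carry the /i flag.
                if re.search(pattern, attr, re.IGNORECASE):
                    hits.append((depth, attr, label))
    return hits


if __name__ == "__main__":
    for depth, attr, label in explain(ALERT):
        print(f"depth {depth}: {attr!r} matched rule '{label}'")
    for name in DECLARED_NAMES:
        matched = any(re.search(p, name, re.IGNORECASE) for p, _ in ACTIVE_RULES)
        print(f"declared name {name!r}: {'banned' if matched else 'not banned'}")
```

Under these assumptions the only hit is the ".exe" attribute of the innermost part against the rule commented "banned file(1) types"; neither declared file name nor the MIME types match any active rule.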