Hi,

Running amavisd-new version 2.6.2

RIM routinely sends mails to Blackberry users containing a file named
ETP.DAT. This file must not be banned, so I added an exception to
$banned_filename_re:

========================================================================
$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
  [ qr'^etp\.dat$'i => 0 ], # allow RIM Blackberry messages
  qr'^\.(exe-ms|dll)$',     # banned file(1) types, rudimentary
  qr'^\.(exe|cab|dll)$',    # banned file(1) types
...
========================================================================

This works better now most of the time, but sometimes one of these mails
gets banned nonetheless. Here is a logfile excerpt:

========================================================================
ESMTP::10024 /var/spool/amavis/tmp/amavis-20110124T095256-24911:
<netw...@etp4-16.etp.eu.blackberry.net> -> <$recipient@$mydomain>
SIZE=2813 Received: from $myhostname.$mydomain ([127.0.0.1]) by
localhost.$mydomain ($myhostname.$mydomain [127.0.0.1]) (amavisd-new,
port 10024) with ESMTP for <$recipient@$mydomain>; Mon, 24 Jan 2011
10:15:21 +0100 (CET)

smtp connection cache, dt: 109.3, state: 0

Checking: tU3YP5lYZWmw [93.186.25.128]
<netw...@etp4-16.etp.eu.blackberry.net> -> <$recipient@$mydomain>

p003 1 Content-Type: multipart/mixed

p001 1/1 Content-Type: text/plain, size: 931 B, name:

p002 1/2 Content-Type: application/octet-stream, size: 528 B, name: ETP.DAT

p.path BANNED:1 $recipient@$mydomain: "P=p003,L=1,M=multipart/mixed |
P=p001,L=1/1,M=text/plain,T=asc | P=p004,L=1/1/1,T=exe,N=UNKNOWN.001",
matching_key="(?-xism:^\\.(exe|cab|dll)$)"

Blocked BANNED (.exe,UNKNOWN.001), [93.186.25.128] [93.186.25.128]
<netw...@etp4-16.etp.eu.blackberry.net> -> <$recipient@$mydomain>,
quarantine: banned-quarantaene@$mydomain, Message-ID:
<20110124091520.b30a16ad...@smtp.eu.blackberry.net>, mail_id:
tU3YP5lYZWmw, Hits: -6.498, size: 2812, 1038 ms
========================================================================

It looks like amavis did not ban the ETP.DAT itself (p002) but something
else instead.

The mail looks like this (shortened a bit):
========================================================================
Content-Type: MULTIPART/mixed; BOUNDARY="2430790815-26444-1295860520=:2752"


--2430790815-26444-1295860520=:2752
Content-Type: TEXT/plain; CHARSET=US-ASCII

This message is used to carry data between the BlackBerry handheld and
an associated server. Please do not delete, move or respond to this
message - it will be processed by the server.

BEGINETP 528
AXoAKSoAAAAAIBAIMjVlNGNmMzggHmluZ29sZi5ub2Fja0BiYW5raGF1cy1sYW1wZS5kZQCE
[...]
CQEDBQQACQgBIA8DBQUJCAYABAEIBQEIAAAfC1ZvZGFmb25lLmRlLQEB
ENDETP 1152102722

--2430790815-26444-1295860520=:2752
Content-Type: APPLICATION/octet-stream; name=ETP.DAT
Content-Disposition: attachment; filename=ETP.DAT
Content-Description: ETP.DAT
Content-Transfer-Encoding: base64

AXoAKSoAAAAAIBAIMjVlNGNmMzggHmluZ29sZi5ub2Fja0BiYW5raGF1cy1sYW1wZS5kZQCEe0DB
[...]
C1ZvZGFmb25lLmRlLQEB


--2430790815-26444-1295860520=:2752--
========================================================================

The first part (Content-Type: TEXT/plain) contains a base64-encoded file
without a name (UNKNOWN.001) which seems to be the problem: file(1)
considers this:
UNKNOWN.001: amd 29k coff noprebar executable

The part with "executable" seems to trigger the problem.

Has anyone an idea how I can convince amavis to let these pass? I'm
reluctant to allow the filename UNKNOWN.001 in general; this would
probably permit any file without a name. Perhaps a combination of sender
"*.blackberry.net" and file name "UNKNOWN.001".

Regards,
Robert
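To make the log excerpt above easier to read, here is a small, added model (not amavisd-new code) of how a $banned_filename_re list is walked: every MIME part yields a few lookup keys (declared name, "." plus the file(1) short type, MIME type), the rules are tried in order against each key, and the first match decides, with a value of 0 meaning "explicitly allowed". The key order and the constructed parts P002/P004/P_OTHER are assumptions that mirror the log; they show why the etp.dat exception never sees the nameless part (its keys are UNKNOWN.001 and .exe) and why a blanket UNKNOWN.* exception would be over-broad.

```python
import re

# Simplified model of amavisd-new's $banned_filename_re evaluation (added
# example, not amavisd-new code): first matching rule wins, value 0 = allow.
RULES = [
    (re.compile(r'^etp\.dat$', re.I), 0),   # allow RIM BlackBerry ETP.DAT
    (re.compile(r'^\.(exe-ms|dll)$'), 1),   # banned file(1) types, rudimentary
    (re.compile(r'^\.(exe|cab|dll)$'), 1),  # banned file(1) types
]

def lookup_keys(part):
    """Keys for one part: declared name, '.' + file(1) type, MIME type.
    The order is an assumption of this model."""
    keys = []
    if part.get("name"):
        keys.append(part["name"])
    if part.get("file_type"):
        keys.append("." + part["file_type"])
    if part.get("content_type"):
        keys.append(part["content_type"])
    return keys

def check_part(part, rules=RULES):
    """Return (banned, matched_key, matched_pattern); first match decides."""
    for key in lookup_keys(part):
        for rx, verdict in rules:
            if rx.search(key):
                return (bool(verdict), key, rx.pattern)
    return (False, None, None)   # no rule matched: not banned

# Constructed parts mirroring the log excerpt (p002 = the named ETP.DAT
# attachment, p004 = the nameless blob file(1) reports as an executable).
P002 = {"name": "ETP.DAT", "content_type": "application/octet-stream"}
P004 = {"name": "UNKNOWN.001", "file_type": "exe"}

# Over-broad "fix": allowing any UNKNOWN.* name also passes other nameless
# parts that file(1) classifies as executables (constructed part P_OTHER).
RULES_ALLOW_UNKNOWN = [(re.compile(r'^UNKNOWN\.\d+$'), 0)] + RULES
P_OTHER = {"name": "UNKNOWN.002", "file_type": "exe"}

if __name__ == "__main__":
    print("p002:", check_part(P002))          # allowed via the etp.dat exception
    print("p004:", check_part(P004))          # banned on key '.exe'
    print("other, UNKNOWN allowed:", check_part(P_OTHER, RULES_ALLOW_UNKNOWN))
```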



_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 