On 17/07/2024 4:48 am, Thomas Barth wrote:
Hello,
today a mail has been banned (false positive). It says message
contains x.com
X-Quarantine-ID: <gUr-nLm4MOSm>
X-Amavis-Alert: BANNED, message contains x.com
I couldn't find x.com in the mail body itself, but the mail had a
zip file as an attachment. The zip file probably contains invoices.
I grepped for x.com in the config files, but I couldn't find a rule.
grep -nri "x.com" /etc/amavis/
/etc/amavis/conf.d/20-debian_defaults:123:# [
qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
/etc/amavis/conf.d/20-debian_defaults:200:
#'clustern...@linuxnetworx.com' => -3.0,
In the journal:
Jul 16 14:55:07 mx2 amavis[578842]: (578842-12) Blocked BANNED (x.com)
{DiscardedInbound,Quarantined}, [209.85.128.42]:58456
[2a02:2455:17d4:d000:2d23:f49f:1017:f822] <u...@fromexample.com> ->
<u...@toexample.com>, quarantine: q/banned->
Jul 16 14:55:07 mx2 postfix/smtpd[582562]: proxy-accept:
END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=578842-12 - BANNED: x.com;
...
Anyone have any idea what's going wrong here?
Thomas B
Hi Thomas.
I believe the culprit is the following line in
/etc/amavis/conf.d/20-debian_defaults:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
...which is designed to block filenames that have a ".com" extension.
i.e. you could try removing "com" from that expression?
Please also be aware of this one:
# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
...which could get a hit on directories that include ".com." in the name
(e.g. if a directory was named "google.com.au").
Nick.
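To see why a zip member named like "x.com" trips the basic rule quoted above, and what changes when "com" is dropped from it as suggested, here is an added example (not part of the thread and not amavis code): it ports the two Perl qr'...'i patterns from 20-debian_defaults to Python, builds a small constructed zip in memory, and reports which member names match which rule. The member names, the helper names and the assumption that the rules are applied to the full member name as stored in the archive are all mine; the exact way amavis derives names for archive members is not covered here.

```python
import io
import re
import zipfile

# Python ports of the two Perl qr'...'i rules quoted in the thread
# from /etc/amavis/conf.d/20-debian_defaults (both case-insensitive).
BASIC_EXT = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.I)
DOUBLE_EXT = re.compile(
    r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$", re.I)

# The narrowing proposed in the reply: the basic rule with "com" removed.
BASIC_EXT_NO_COM = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|cpl)$", re.I)

# Rule lists in the order they would be evaluated; the first hit wins.
DEFAULT_RULES = [("banned extension - basic", BASIC_EXT),
                 ("double extension", DOUBLE_EXT)]
NARROWED_RULES = [("banned extension - basic (com removed)", BASIC_EXT_NO_COM),
                  ("double extension", DOUBLE_EXT)]


def first_matching_rule(name, rules=DEFAULT_RULES):
    """Return the label of the first rule matching `name`, or None."""
    for label, rx in rules:
        if rx.search(name):
            return label
    return None


def banned_members(zip_bytes, rules=DEFAULT_RULES):
    """Return [(member_name, rule_label)] for every file member of the
    archive whose stored name matches one of the rules.  Directory
    entries are skipped.  Matching on the full stored name is an
    assumption of this example, not a statement about amavis internals."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = first_matching_rule(info.filename, rules)
            if label is not None:
                hits.append((info.filename, label))
    return hits


def build_sample_zip(names):
    """Constructed test archive: every name becomes a tiny text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "sample content\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed member names; "invoices/x.com" stands in for the
    # attachment that was quarantined in the thread.
    sample = build_sample_zip(["invoices/x.com", "invoices/2024-07.pdf",
                               "README.TXT", "notes.pdf.exe"])
    print("default rules:", banned_members(sample))
    print("com removed:  ", banned_members(sample, NARROWED_RULES))
```

With the default rules both "invoices/x.com" and "notes.pdf.exe" are reported; with "com" removed from the basic rule only "notes.pdf.exe" remains, because a name with a single dot can never satisfy the double-extension pattern, which needs two dots before the extension list.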