I can't figure this out to save my life. Is there something wrong with the regex? If external is set to level 2 and block, how would mails like this get pushed through? It's not just .reg files, it's anything that I've tested including .bat.
Thanks

On Thu, Feb 12, 2015 at 9:58 PM, K Post <nntp.p...@gmail.com> wrote:

> 15025 running on a windows box in my lab.
>
> I just tried sending an email from gmail with a .reg file attached to it.
> Also tried with a .bat file.
> The emails arrive even though I have reg and bat files blocked. The
> gmail account is whitelisted, but I've tried with non-whitelisted accounts
> too.
>
> I have ClamAV running and use the AFC-Plugin. If I disable one or both of
> these, the email still arrives.
>
> I have v1.925 of Email::Mime installed. I haven't tried downgrading.
>
> DoBlockExes is set to block
> BlockExes (external senders) is set to Level 2
> BlockWLExes (wl senders) is set to Level 1
> BlockNPExes (no processing) is set to Level 2
>
>
> For BadAttachLevel1 I have:
>
> ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|ms[cipt]|nch|pcd|pif|prf|ps1|reg|sc[frt]|scr|sh[bs]|vb|vb[es]|wms|ws[cfh]
> (note that reg is listed there)
>
> For BadAttachLevel2 I have:
> zip
>
> I would expect to see that a level 1 exe was detected and that it was
> blocked. Instead it comes through and the log shows that a level 2 file
> was found.
>
> Log snippet
>
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org [scoring] DKIM signature verified-OK - header-passed - sender policy is: neutral - author policy is: neutral
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now -6
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Message-Score: added -5 (spfpValencePB) for SPF pass, total score for this message is now -11
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org info: SenderBase - query using SenderBase
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org SenderBase -- used Senderbase -- country:US orgname:GOOGLE domain:google.com
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org HMM is not available - hmmdb is empty
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org Bayesian Check [scoring] - Prob: 0.00001 => ham
> Feb-12-15 21:39:32 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org [Plugin]* calling plugin ASSP_AFC*
> Feb-12-15 21:39:33 msg95171-02457 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org info: 1 attachment found for *Level-2*
> Feb-12-15 21:39:33 msg95171-02457 [*MessageOK*] 209.85.220.42 <test-acco...@gmail.com> to: test...@ourcharity.org message ok [testing reg] -> messages/okmail/testing_reg--3448748.txt
>
> Could my regex be wrong somehow? Why would it find a Level 2 attachment,
> when it only matches level 1? Why wouldn't it have been blocked?
>
> Thanks
> ken

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
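
An added example, not part of the thread and not ASSP's own code: a stand-alone check of the two extension lists quoted above against attachment names parsed out of constructed test messages. It assumes each list is applied as an anchored, case-insensitive match on the final file extension; ASSP's own matching and level semantics may differ, and the helper names and sample addresses are hypothetical.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Extension lists copied from the post above.
BAD_ATTACH_L1 = (r"ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|ht[ab]|"
                 r"in[fs]|isp|js|jse|lnk|md[abez]|ms[cipt]|nch|pcd|pif|prf|ps1|reg|"
                 r"sc[frt]|scr|sh[bs]|vb|vb[es]|wms|ws[cfh]")
BAD_ATTACH_L2 = r"zip"

def compile_level(alternation):
    # Assumption: anchored match on the final extension, case-insensitive.
    return re.compile(r"\.(?:" + alternation + r")$", re.IGNORECASE)

LEVELS = {1: compile_level(BAD_ATTACH_L1), 2: compile_level(BAD_ATTACH_L2)}

def levels_matching(filename):
    """Return the sorted level numbers whose list matches this file name."""
    return sorted(n for n, rx in LEVELS.items() if rx.search(filename.strip()))

def attachment_names(raw_message):
    """Parse a raw message and return the file name of every MIME part that has one."""
    msg = message_from_bytes(raw_message)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample(filename):
    """Constructed test message with one attachment (not taken from the post)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "testing " + filename
    msg.set_content("body")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def classify(raw_message):
    """Map each attachment name in the message to the levels that match it."""
    return {name: levels_matching(name) for name in attachment_names(raw_message)}

if __name__ == "__main__":
    for name in ("test.reg", "RUN.BAT", "archive.zip", "notes.txt", "report.pdf.reg"):
        print(classify(build_sample(name)))
```

Under that assumption both `.reg` and `.bat` names match the Level 1 list, so a check like this separates a pattern problem from a configuration or plugin problem.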