[AMaViS-user] .asc file part flagged as a match for a banned file type.

2006-11-23 Thread Robert Lewis
Hello,

A user complained of a message being bounced that shouldn't have been.  He
normally doesn't have any trouble receiving email from the sender. I cannot
determine why this happened, or what would be the next step to look at in
order to resolve why it happened.

Any suggestions to point me in determining what caused this to happen would
be appreciated.

The message was a standard email, with an excel .xls attachment.  We do not
block xls attachments.

From my logs:  
Nov 20 13:22:21 mailgateway.forsythshirt.com /usr/sbin/amavisd[6586]:
(06586-09) lookup (check_bann:[EMAIL PROTECTED]) = true,
[multipart/mixed,multipart/alternative,text/plain,.asc,.asc,filling
orders towards the end of next week.] matches, result=1,
matching_key=(?i-xsm:.\\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv|)$)


Here are my banned file settings:

$banned_filename_re = new_RE(
  qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'[{}]',  # curly braces in names (serve as Class ID extensions - CLSID)

  qr'^application/x-msdownload$'i,  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

  qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
  [ qr'^\.(Z|gz|bz2)$'            => 0 ],  # allow any in Unix-compressed
  [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
  [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',   # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
  qr'.\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv|)$'i,
);


Regards,

Rob Lewis


___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/


Re: [AMaViS-user] .asc file part flagged as a match for a banned file type.

2006-11-23 Thread Mark Martinec
Bob,

> Nov 20 13:22:21 mailgateway.forsythshirt.com /usr/sbin/amavisd[6586]:
> (06586-09) lookup (check_bann:[EMAIL PROTECTED]) = true,
> [multipart/mixed,multipart/alternative,text/plain,.asc,.asc,filling
> orders towards the end of next week.] matches, result=1,
> matching_key=(?i-xsm:.\\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv|)$)

Your regexp matches any filename that ends with a dot,
which this one does.

> qr'.\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv|)$'i,

You probably meant:

  qr'.\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv)$'i,

  Mark
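
Added example (not part of the thread and not amavisd-new code): the two patterns above run against the part names from the logged lookup, plus a small lint that reports empty alternation branches such as the trailing `|` before `)`. The patterns are transcribed into Python's re module, where these constructs behave as in Perl; `banned`, `empty_branches`, and the two extra file names are constructed for illustration.

```python
import re

# Transcribed from the thread's Perl qr'...'i patterns.
BROKEN = re.compile(r'.\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv|)$', re.I)
FIXED = re.compile(r'.\.(mpg|avi|oog|ram|mov|qt|mp3|wav|ra|wmv)$', re.I)

# Part types and names from the logged lookup, then two constructed names.
PARTS = ["multipart/mixed", "multipart/alternative", "text/plain", ".asc",
         "filling orders towards the end of next week.",
         "holiday.MP3", "report.xls"]

def banned(pattern, names):
    """Names the pattern would ban (simplified stand-in for the lookup)."""
    return [n for n in names if pattern.search(n)]

def empty_branches(src):
    """Offsets of the '|' or ')' that ends an empty alternation branch.
    Only (?: and (?flags: group prefixes are skipped (assumption)."""
    hits, stack = [], [[False, False]]  # per group: [has content, saw '|']
    i, in_class = 0, False
    while i < len(src):
        c, step = src[i], 1
        if c == '\\':                   # escaped char counts as content
            stack[-1][0], step = True, 2
        elif in_class:
            in_class = c != ']'
        elif c == '[':                  # a leading ']' in a class is literal
            in_class, stack[-1][0] = True, True
            step += len(re.match(r'\^?\]?', src[i + 1:]).group())
        elif c == '(':
            stack.append([False, False])
            step += len(re.match(r'(\?[a-z-]*:)?', src[i + 1:], re.I).group())
        elif c == '|':
            if not stack[-1][0]:
                hits.append(i)
            stack[-1] = [False, True]
        elif c == ')' and len(stack) > 1:
            has_content, saw_bar = stack.pop()
            if saw_bar and not has_content:
                hits.append(i)
            stack[-1][0] = True
        else:
            stack[-1][0] = True
        i += step
    if stack[-1][1] and not stack[-1][0]:
        hits.append(len(src))
    return hits

if __name__ == "__main__":
    print("broken bans:", banned(BROKEN, PARTS))
    print("fixed bans: ", banned(FIXED, PARTS))
    print("empty branch offsets:", empty_branches(BROKEN.pattern))
```

Running the lint over every entry of a ban list before reloading the configuration catches this class of typo before it bounces legitimate mail.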