amavis-user March 2012 archive
Main Archive Page > Month Archives  > amavis-user archives
amavis-user: Re: Problem with @banned_files_lovers_maps.

Re: Problem with @banned_files_lovers_maps...

From: Klaus Tachtler <klaus_at_nospam>
Date: Wed Mar 21 2012 - 08:02:22 GMT
To: amavis-users@amavis.org

Hallo Mark,

thank you for your information, but we do not use alterMIME or any
similar programm to change something. From our yesterdays Test, this
is the message source of the e-Mail, please can you see something,
where the problem can occur?

---- message source start ----

Return-Path: <michael@nausch.org>
X-Original-To: specialuser@ourdomain.tld
Delivered-To: specialuser@ourdomain.tld
Received: from mx11.ourdomain.tld (mx11.ourdomain.tld [172.25.10.169]) by
         relay.ourdomain.tld (Postfix) with ESMTP id DF5A01F708D for
         <specialuser@ourdomain.tld>; Tue, 20 Mar 2012 14:55:52 +0100 (CET)
Received: from viruswallvz.ourdomain.tld (amavisvz.ourdomain.tld
         [172.25.10.167]) by mx11.ourdomain.tld (Postfix) with ESMTP
id CC4B83FC87 for
         <specialuser@ourdomain.tld>; Tue, 20 Mar 2012 14:55:52 +0100 (CET)
X-Amavis-Modified: Mail body modified (defanged) - viruswallvz.ourdomain.tld
X-Virus-Scanned: amavisd-new at ourdomain.tld
X-Amavis-Alert: BANNED, message contains audio/mpeg,.dat,01 Test.mp3
Received: from mx11.ourdomain.tld ([172.25.10.169]) by
viruswallvz.ourdomain.tld
         (viruswallvz.ourdomain.tld [172.25.10.167]) (amavisd-new,
port 10024) with
         ESMTP id 3GTahVLQfNnf for <specialuser@ourdomain.tld>; Tue,
20 Mar 2012 14:51:03 +0100
         (CET)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
         NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_FROM_MX=-3.1; rate: -7.6
Received: from mx1.nausch.org (mx1.nausch.org [88.217.187.21]) (using TLSv1
         with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
         requested) by mx11.ourdomain.tld (Postfix) with ESMTPS for
<sspecialuser@ourdomain.tld>; Tue,
         20 Mar 2012 14:51:01 +0100 (CET)
Received: from viruswall.dmz.nausch.org (localhost.localdomain [127.0.0.1])
         by mx1.nausch.org (Postfix) with ESMTP id 66F0811587D0 for
<specialuser@ourdomain.tld>;
         Tue, 20 Mar 2012 14:50:58 +0100 (CET)
X-Virus-Scanned: amavisd-new at nausch.org
Received: from mx1.nausch.org ([127.0.0.1]) by viruswall.dmz.nausch.org
         (amavis.nausch.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id
         M4assf7QFjqb for <specialuser@ourdomain.tld>; Tue, 20 Mar
2012 14:48:03 +0100 (CET)
Received: from [192.168.2.186] (ppp-93-104-67-124.dynamic.mnet-online.de
         [93.104.67.124]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
         bits)) (No client certificate requested) by mx1.nausch.org
(Postfix) with
         ESMTP for <specialuser@ourdomain.tld>; Tue, 20 Mar 2012
14:48:03 +0100 (CET)
Message-ID: <4F688A91.9050607@nausch.org>
Date: Tue, 20 Mar 2012 14:48:01 +0100
From: Michael Nausch <michael@nausch.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20120216
         Thunderbird/10.0.2
MIME-Version: 1.0
To: specialuser@ourdomain.tld
Subject: test
Content-Type: multipart/mixed; boundary="------------010607060102020703080209"
X-Evolution-Source: imap://specialuser%40ourdomain.tld@ourdomain.tld/

This is a multi-part message in MIME format.
--------------010607060102020703080209
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit

test

--------------010607060102020703080209

--------------010607060102020703080209--

---- message source end ----

Thank you, for your help!

> Klaus,
>
>> so, we wonder a little bit, because when we set
>>
>> $bypass_decode_parts = 1;
>>
>> the we can GET the e-mail WITH attachment. If we doesn't set
>> $bypass_decode_parts, the we GET the e-mail WITHOUT the attachment.
>>
>> The $bypass_decode_parts = 1; in conjunction with set
>> @banned_files_lovers_maps = (
>> { 'specialuser@ourdomain.tld' => 1,
>> } );
>>
>> We tried this e few minutes ago, and we only have postfix in
>> conjunction with amavis (controlling spamassassin and clamav),
>> and the mp3 (for example) we send, had no virus inside...
>
> This is most unusual. As Mihael said, amavisd does not
> modify mail body. The only exception to that is if you have
> defanging enabled. In this case amavisd can call external
> programs like altermime or Anomy::Sanitizer or use a very
> simple built-in sanitizer. The altermime or Anomy::Sanitizer
> are capable of stripping attachments, but the built-in
> sanitizer cannot, it can only wrap the original mail body in an
> extra level of MIME structure (pushes it to an attachment).
>
> If you do not have defanging through altermime or Anomy::Sanitizer
> enabled, then I don't see how you could get the results you see.
> Perhaps some further mail processing at delivery time or in a MUA
> is used. Or maybe the attachent is still there but perhaps a MIME
> structure got botched somehow. Checking the log at level 5 may
> provide some answers.
>
> Mark
>

Klaus.

-- ------------------------------------------------ e-Mail : klaus@tachtler.net Homepage: http://www.tachtler.net DokuWiki: http://www.dokuwiki.tachtler.net ------------------------------------------------