1

Topic: Amavis block gif images?

Every once in a while my amavis sends me a message about banned content. I don't pay too much attention to those as long as nobody complains, but this morning there were half a dozen in a row that caught my attention. It had the following subject:

BANNED contents (multipart/mixed | image/gif,.image,.gif,part1.06070600.01090301@mydomain.com) in mail FROM LOCAL [<ip address masked>] <source mail address>

Why is it banning gif files??? I can not find anything related to gif, images or anything else useful. The one spot I can think of responsible for banning certain files is the $banned_filename_re setting in /etc/amavis/conf.d/20-debian_defaults, which looks like this:

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name
  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict

  qr'^application/x-msdownload$'i,                  # block these MIME types
  qr'^application/x-msdos-program$'i,
  qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i,      # Windows Metafile MIME type
# qr'^\.wmf$',                          # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic (default)
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
#        swf|ws|wsc|wsf|wsh|
#        avi|mp3|mpa|wma|wmv|vob|mov|mpg|mp4)$'ix,  # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

#  qr'^\.(exe-ms)$',                       # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
);

Anywhere else I should look? I do want some kind of filtering, but banning gif files is a little over the top I think, especially when I'm telling it to afaik...

Thanks,
Peter


2

Re: Amavis block gif images?

Calbiban wrote:

BANNED contents ...

Hi Peter, is this the full content of this notification email? If not, please paste the full mail content. Of course you can replace sensitive information before posting.

iRedMail isn't set to ban GIF images by default, this is weird.

3

Re: Amavis block gif images?

Thanks for your response, Zang. I was thinking the same thing. It doesn't make sense, especially since it started yesterday without me making any changes. And for the record, I've received about a dozen more of them since. They all come from the same source (a pretty high volume mailing list). Here's the full contents:

No viruses were found.

Banned name: multipart/mixed |
  image/gif,.image,.gif,part1.03020803.05050501@mydomain.com
Content type: Banned
Internal reference code for the message is 30298-18/Fe80t5ePS7Gx

First upstream SMTP client IP address: [<source ip>] mail.sourcedomain.com
According to a 'Received:' trace, the message originated at:
  [<source ip>], localhost.localdomain unknown [127.0.0.1]

Return-Path: <source@sourcedomain.com>
From: source@sourcedomain.com
Sender: source@sourcedomain.com
Message-ID: <13164658335.581646>
Subject: ...
The message has been quarantined as: /var/lib/amavis/virusmails

The message WAS NOT relayed to:
<user@mydomian.com>:
   250 2.7.0 Ok, discarded, id=30298-18 - BANNED: multipart/mixed | image/gif,.image,.gif,part1.03020803.05050501@mydomain.com


header

Return-Path: <source@sourcedomain.com>
X-Original-Helo: 235324.sourcedomain.net
Received: from 235324.sourcedomain.net (mail.sourcedomain.com [<source ip>])
    by mail.mydomain.com (Postfix) with ESMTP id DB2AA25458D
    for <user@mydomain.com>; Mon, 19 Sep 2011 15:57:13 -0500 (CDT)
Received: from localhost.localdomain (unknown [127.0.0.1])
    by 235324.sourcedomain.net (Postfix) with ESMTP id 76EEB40CB89D
    for <user@mydomain.com>; Mon, 19 Sep 2011 16:57:13 -0400 (EDT)
MIME-Version: 1.0
Content-Transfer-Encoding: binary
Content-Type: multipart/mixed; boundary="_----------=_13164658337320692"
X-Mailer: MIME::Lite 3.027 (F2.74; T1.28; A2.04; B3.07; Q3.07)
Date: Mon, 19 Sep 2011 16:57:13 -0400
To: <user@mydomain.com>
From: source@sourcedomain.com
Subject: ...
Reply-To: <user@mydomain.com>
Sender: source@sourcedomain.com
Comments: Cust: 5 Msg: 581646
Message-Id: 13164658335.581646

Thanks for looking into this!

4

Re: Amavis block gif images?

No idea at all, sorry.
I suggest posting this issue to the Amavisd-new mailing list:
http://www.ijs.si/software/amavisd/#support
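
An added diagnostic, not part of any post in this thread and not amavis code: it runs the active (uncommented) $banned_filename_re entries from the first post against each name in the "Banned name" line of the notification, to show which name a rule actually matches. It assumes amavis tests every comma-separated name of a part against each rule; the rule labels and function names are made up for this example, and the patterns are transcribed from Perl `qr'...'i` into Python.

```python
import re

# Active entries of $banned_filename_re as posted, in config order.
# Labels are illustrative only; they do not exist in amavis.
BANNED_RULES = [
    ("double extension", r"\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$"),
    ("CLSID", r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"),
    ("MIME x-msdownload", r"^application/x-msdownload$"),
    ("MIME x-msdos-program", r"^application/x-msdos-program$"),
    ("MIME hta", r"^application/hta$"),
    ("basic extension", r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$"),
]
# The trailing 'i' flag on every qr'' maps to re.IGNORECASE.
COMPILED = [(label, re.compile(p, re.IGNORECASE)) for label, p in BANNED_RULES]

# "Banned name:" value from the notification above (domain as masked there).
BANNED_NAME = ("multipart/mixed | "
               "image/gif,.image,.gif,part1.03020803.05050501@mydomain.com")


def split_banned_name(value):
    """Split 'parent | name1,name2,...' into one list of names per MIME level.

    Assumption: names contain no ',' or '|' themselves.
    """
    return [[n.strip() for n in level.split(",") if n.strip()]
            for level in value.split("|")]


def matching_rules(name):
    """Return the labels of every rule that matches one name, in config order."""
    return [label for label, rx in COMPILED if rx.search(name)]


def explain(value):
    """Map each name in a 'Banned name' line to the rules it triggers."""
    return {name: matching_rules(name)
            for level in split_banned_name(value) for name in level}


if __name__ == "__main__":
    for name, hits in explain(BANNED_NAME).items():
        print(f"{name!r:45} -> {hits or 'no rule matches'}")
```

None of the GIF-related names (`image/gif`, `.image`, `.gif`) match any rule; the only name that matches is the part name `part1.03020803.05050501@mydomain.com`, which ends in `.com` and therefore hits both the double-extension rule and the basic banned-extension rule.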