Can't Block .js files inside of .zip Email Attachments
Kirchner, Patrick
Hello,
I'm having trouble getting Amavisd-New to scan for and discard .js files inside of zipped email attachments. Everything is working for blocking .exe files in .zip files but not .js files in .zip email attachments.
I’ve added this in the "### BLOCKED ANYWHERE" section of /etc/amavisd.conf, but zipped .js file attachments are still making their way through:
qr'^\.(exe|js|lha|cab|dll)$',
I also tried adding both of these to the "### BLOCKED ANYWHERE" section and restarting the service but they didn’t help:
qr'^application/x-javascript$'i,
qr'^text/javascript$'i,
An infected .js file in a .zip file that made its way through the email server was luckily blocked by antivirus on my wife’s Mac, so I’d really like to be able to block such files. I can provide an sample of one of the .js files if it would be helpful.
Thanks,
Patrick.
Kirchner, Patrick
While watching my log files in real time just this morning (with multitail), I saw it actually catch a zipped .js file and quarantine it. I guess my setup is actually working after a. I'm just not sure why it wasn't catching the zipped .js files I was using when trying to test it.
Here's what the successful catch and quarantine looked like in my log files:
May 10 10:58:34 MyDomain postfix/smtpd[13926]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 10 10:58:34 MyDomain amavis[22701]: (22701-05) Blocked BANNED (.txt,00000306822303.js) {DiscardedInbound,Quarantined}, [1.39.38.104]:25610 [1.39.38.104] <purc...@kalyanimotors.com> ->
<us...@MyDomain.com>, quarantine: banned-wxHJRbncZSpE, Queue-ID: 1327823BA4F6, Message-ID: <CAPXewJUV4+S3goOpP7HyrTPM7k6s0DAjWSCCdu=XopjG...@mail.gmail.com>, mail_id: wxHJRbncZSpE, Hits: -, size: 8712, 1418 ms
May 10 10:58:34 MyDomain postfix/lmtp[13919]: 1327823BA4F6: to=<us...@MyDomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=1.6/0.01/0.13/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22701-05 - BANNED: .txt,00000306822303.js)
May 10 10:58:34 MyDomain postfix/qmgr[3980]: 1327823BA4F6: removed
Thanks,
Patrick.
-----Original Message-----
From: Maurizio Marini [mailto:mau...@datalogica.com]
Sent: Tuesday, May 10, 2016 1:04 PM
To: Kirchner, Patrick <Kirch...@lakeland.edu>
Cc: amavis...@amavis.org
Subject: Re: Can't Block .js files inside of .zip Email Attachments
On Fri, 6 May 2016 15:24:10 +0000
"Kirchner, Patrick" <Kirch...@lakeland.edu> wrote:
> An infected .js file in a .zip file that made its way through the email
> server was luckily blocked by antivirus on my wife's Mac, so I'd really like
> to be able to block such files. I can provide an sample of one of the .js
> files if it would be helpful.
I had the same issue, you have to raise log level, then you can check if zip
file is unzipped; js are blocked, but ziped files should be opened
I solved by installing p7zip
this is not enough, you should configure amavis to use it whan you receive zip
attachments
I used this
unshift(@decoders,
['zip', \&Amavis::Unpackers::do_7zip, ['7z','7za'] ],
);
I am not an expert at all, I am very lame and I can't say this is the
proper solution, what I note was that after this configuration zipped
attachments were correctly opened
-m
Mickaël Maillot
Kirchner, Patrick
Thanks Mickaël. If a .zip file is corrupt though, would it also be un-zip-able? And would therefore not pose a threat?
Could you share the unzip/Unpackers line with us that you use in your amavisd.conf file please?
Thanks,
Patrick.
From: Mickaël Maillot [mailto:mickael...@gmail.com]
Sent: Friday, May 13, 2016 5:17 AM
To: Maurizio Marini <mau...@datalogica.com>
Cc: Kirchner, Patrick <Kirch...@lakeland.edu>; amavis...@amavis.org
Subject: Re: Can't Block .js files inside of .zip Email Attachments
I just want to warn you because 7zip cannot decode corruption zip and will not even list files in it.