Re: [AMaViS-user] amavsid-new not checking rar attachments

James Bourne Mon, 27 Oct 2008 11:36:10 -0700

On Mon, 27 Oct 2008, jonathan wrote:

> (a bit more info) It seems do_unrar isn't being called at all for .rar
> files.  Using standard unrar switches from amavisd, I get the following:


Is there a rar line in your amavisd.conf in the @decoders variable? 
Something like this:

   ['rar',  \&do_unrar,      ['rar','unrar'] ],

Regards
James


>
> # unrar v -c- -p- -idcdp virus.rar
>
> Archive virus.rar
>
> Pathname/Comment
>                   Size   Packed Ratio  Date   Time     Attr      CRC
> Meth Ver
> -------------------------------------------------------------------------------
>  Invoice_86612331.doc.exe
>                  70656    64539  91% 20-10-08 16:20  .....A.   CAAF5477
> m3b 2.9
> -------------------------------------------------------------------------------
>     1            70656    64539  91%
>
>
> I should be seeing do_unrar being called if I send a message with this
> attached (and unrar is found during amavisd startup), but my logs don't
> show any sort of logging from do_unrar (I should see something at
> loglevel 4 from:
>
> ll(4) && do_log(4, "Expanding RAR archive %s", $part->base_name);
>
> Thoughts on what is going on here?  Banned filenames in other archive
> formats are getting caught fine.
>
> This is amavisd-new-2.6.1 (20080629).
>
>
> jonathan wrote:
>> It seems that amavisd isn't properly looking inside of "rar" attachments
>> in our configuration.  The unrar binary is detected on startup as the
>> application to deal with rar archives, but nothing is (seemingly) done
>> with these archives when a message passes through the system.
>>
>> I can successfully unrar stuff using the binary on the command line
>> (unrar e <filename>), and other archive utilities seem to be working
>> well.  Problem seems to occur with numerous versions of amavisd-new
>> (2.3.2, 2.5.2, 2.6.1).
>>
>> Thoughts on what I should be looking at here?  Any help greatly appreciated.
>>
>> Log snippit from message containing test.rar (which contains a (banned)
>> .exe file):
>>
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> p002 1/2 Content-Type: application/octet-stream, size: 64622 B, name:
>> test.rar
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> reparenting p002 from p000 to p003
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> prolong_timer mime_decode: remaining time = 480 s
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> prolong_timer mime_decode-1: remaining time = 480 s
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> decode_parts: level=1, #parts=3 : p001, p002, p003
>> Oct 23 13:31:23 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> running file(1) on 2 files, arglist size 23
>> Oct 23 13:31:24 iscan1 amavis[22336]: [ID 702911 local1.info] (22296-01)
>> open_on_specific_fd: target fd0 closing, to become < /dev/null
>> Oct 23 13:31:24 iscan1 amavis[22336]: [ID 702911 local1.info] (22296-01)
>> open_on_specific_fd: target fd2 closing, to become > &1
>> Oct 23 13:31:24 iscan1 amavis[22336]: [ID 702911 local1.info] (22296-01)
>> open_on_specific_fd: target fd2 dup2 from fd1 > &1
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> run_command: [22336] /usr/bin/file p001 p002 </dev/null 2>&1
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> result line from file(1): p001:\t\tascii text
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_re("ascii text") matches key "(?i-xsm:^(ASCII|text)\b)", result="asc"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (map_full_type_to_short_type) => true,  "ascii text" matches,
>> result="asc", matching_key="(?i-xsm:^(ASCII|text)\\b)"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> File-type of p001: ascii text; (asc)
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> result line from file(1): p002:\t\tdata
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_re("data") matches key "(?-xism:^dataz)", result="dat"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (map_full_type_to_short_type) => true,  "data" matches,
>> result="dat", matching_key="(?-xism:^data\\z)"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> File-type of p002: data; (dat)
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> do_ascii: Decoding part p001
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> do_ascii: Setting sigaction handler, was 0
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> timer set to 320 s (was 480 s)
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> do_ascii: Decoding part p001 (0 items), uulib V0.5pl20
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> prolong_timer do_ascii: timer set to 480 s
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> decompose_part: p001 - atomic
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> decompose_part: p002 - atomic
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> prolong_timer parts_decode: remaining time = 480 s
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> query_keys: [EMAIL PROTECTED], jengbrec@, -----.ca, -----.ca, -----.ca,
>> .ca, .
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_hash([EMAIL PROTECTED]), no matches
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (bypass_header_checks) => undef, "[EMAIL PROTECTED]" does not match
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> check_header: 0, OK
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> query_keys: [EMAIL PROTECTED], jengbrec@, -----.ca, .-----.ca,
>> .ryerson.ca, .ca, .
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_hash([EMAIL PROTECTED]), no matches
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (bypass_header_checks) => undef, "[EMAIL PROTECTED]" does not match
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> Checking for banned types and filenames
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup: (scalar) matches, result="DEFAULT"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (banned_filename), 1 matches for "[EMAIL PROTECTED]", results:
>> "(constant:DEFAULT)"=>"DEFAULT"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> collect banned table[0]: [EMAIL PROTECTED], tables:
>> DEFAULT=>Amavis::Lookup::RE=ARRAY(0xd910dc)
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> starting banned checks - traversing message structure tree
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> check_for_banned (p003,p001) multipart/mixed | text/plain,.asc
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> doing banned check for [EMAIL PROTECTED] on multipart/mixed |
>> text/plain,.asc
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_re(["multipart/mixed","text/plain",".asc"]), no matches
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (check_bann:[EMAIL PROTECTED]) => undef,
>> ["multipart/mixed","text/plain",".asc"] does not match
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> p.path [EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed |
>> P=p001,L=1/1,M=text/plain,T=asc"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> check_for_banned (p003,p002) multipart/mixed |
>> application/octet-stream,.dat,test.rar
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> doing banned check for [EMAIL PROTECTED] on multipart/mixed |
>> application/octet-stream,.dat,test.rar
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup_re(["multipart/mixed","application/octet-stream",".dat","test.rar"]),
>> no matches
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> lookup (check_bann:[EMAIL PROTECTED]) => undef,
>> ["multipart/mixed","application/octet-stream",".dat","test.rar"] does
>> not match
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> p.path [EMAIL PROTECTED]: "P=p003,L=1,M=multipart/mixed |
>> P=p002,L=1/2,M=application/octet-stream,T=dat,N=test.rar"
>> Oct 23 13:31:24 iscan1 amavis[22296]: [ID 702911 local1.info] (22296-01)
>> banned check: any=0, all=N (1)
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> AMaViS-user mailing list
>> AMaViS-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/amavis-user
>>  AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
>>  AMaViS-HowTos:http://www.amavis.org/howto/
>>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
>
>

-- 
James Bourne                  | Email:            [EMAIL PROTECTED]
UNIX Systems Administration   | WWW:           http://www.hardrock.org
Custom UNIX Programming       | Linux:  The choice of a GNU generation
----------------------------------------------------------------------
"All you need's  an occasional kick in  the philosophy." Frank Herbert
Need an inexpensive domain alternative?  http://fastforwarddomains.com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] amavsid-new not checking rar attachments

Reply via email to