On Tuesday, 8. March 2016 16:36:11 @lbutlr wrote:
> >> There is no way that every one of these javascript-containing
> >> messages has a pgp signature.
> >
> > It's probably an evil javascript simply trying to mask as a pgp sig.
> > No. *EVERY* message that hits BANNED has the same pattern,
> > .asc,<something>.js
> > 100%. No exceptions.
>
> Considering I can count on one hand with not all the fingers the number of
> spam messages I’ve ever seen with faked PGP sig, this is something else.

We had the same problem: Some local users are allowed to send/receive PGP
encrypted emails. Therefore we had .asc whitelisted for them, which overrides
our banned attachment rules (including .js).

The problem with that javascript-virus.js file is that the file(1) utility
detects it as ASCII text, which amavisd-new internally translates to .asc
(see $map_full_type_to_short_type_re in amavisd).
-> So while .js is blocked, the .asc part overrides it.

Increase the $log_level of amavisd-new and then you can see it in the verbose
log messages.

I was surprised to find a .js file in my INBOX this morning, too :)

HTH,
Thomas
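
Added example, not part of the original post and not amavisd-new code: a small Python model of the rule interaction described above, next to an evaluation order in which a ban on any name beats an allow entry. The rule tables, function names and the sample filename `invoice.js` are constructed, and first-match-wins lookup across a part's names is an assumption of the model.

```python
import re

# Constructed rule table: (pattern, banned). banned=False is an explicit allow.
# Assumption: entries are tried in order and the first match decides.
RULES = [
    (re.compile(r'^\.asc$'), False),     # allow entry for the PGP users
    (re.compile(r'\.js$', re.I), True),  # ban JavaScript attachments
]

def names_for_part(filename, detected_short_type):
    """Names one MIME part is checked under: the short type derived from
    content detection (file(1) 'ASCII text' -> 'asc'), then the filename."""
    return ['.' + detected_short_type, filename]

def first_match(rules, names):
    """Model of the bypass: the first rule matching ANY name ends the lookup."""
    for pattern, banned in rules:
        for name in names:
            if pattern.search(name):
                return banned, name, pattern.pattern
    return False, None, None

def ban_wins(rules, names):
    """Stricter order: an allow entry never shadows a ban matching another name."""
    for pattern, banned in rules:
        if not banned:
            continue
        for name in names:
            if pattern.search(name):
                return True, name, pattern.pattern
    return False, None, None

if __name__ == '__main__':
    # Constructed samples: a plain-text .js file and a real detached signature.
    for fname in ('invoice.js', 'signature.asc'):
        names = names_for_part(fname, 'asc')
        print(','.join(names),
              'first_match banned =', first_match(RULES, names)[0],
              '| ban_wins banned =', ban_wins(RULES, names)[0])
```

The first name in the output, `.asc,invoice.js`, has the same shape as the `.asc,<something>.js` pattern quoted in the thread.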