I have my Postfix email server set to reject .exe files as listed
below in 'mime_header_checks'

mail:/etc/postfix# cat /etc/postfix/mime_header_checks
/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
   REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
   REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"


I can see the following in my logs:

>Oct 14 10:27:35 mail amavis[29316]: (29316-02) ESMTP::10024 
>/var/lib/amavis/tmp/amavis-20081014T102727-29316: <[EMAIL PROTECTED]> -> 
><[EMAIL PROTECTED]> SIZE=5611067 Received: >from mail.example.com 
>([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 
>10024) with ESMTP for <[EMAIL PROTECTED]>; Tue, 14 Oct 2008 10:27:35 -0400 
>(EDT)

>Oct 14 10:27:37 mail amavis[29316]: (29316-02) p.path BANNED:1 [EMAIL 
>PROTECTED]: "P=p003,L=1,M=multipart/mixed | 
>P=p002,L=1/2,M=application/zip,T=zip,N=R46202.EXE.zip | 
>P=p004,L=1/2/1,T=exe,T=exe-ms,N=R46202.EXE", 
>matching_key="(?i-xsm:.\\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$)"

>Oct 14 10:27:40 mail amavis[29316]: (29316-02) local delivery: <[EMAIL 
>PROTECTED]> -> <banned-quarantine>, 
>mbx=/var/lib/amavis/virusmails/banned-hGYdZ1Z2LT6e

Basically it appears to scan the "zip" file I send via email and
locate the 'R46202.EXE' embedded in the zip file; however, it still
transmits the message rather than rejecting it.

I do get the following email relayed to myself as the mail administrator:

No viruses were found.

Banned name: multipart/mixed | application/zip,.zip,R46202.EXE.zip |
  .exe,.exe-ms,R46202.EXE
Content type: Banned (8,0)
Internal reference code for the message is 29316-02/hGYdZ1Z2LT6e

First upstream SMTP client IP address: [10.1.1.204] tunafish.example.com
According to a 'Received:' trace, the message originated at: [10.1.1.204],
  [10.1.1.204] (tunafish.example.com [10.1.1.204])

Return-Path: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Subject: Zip
The message has been quarantined as: banned-hGYdZ1Z2LT6e

The message WILL BE relayed to:
<[EMAIL PROTECTED]>

My question is what am I doing wrong or what do I need to do in order
for Clamav to recognize that an archived attachment contains a banned
file extension and to reject it immediately?
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
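The following is an added illustration, not part of the original post and not Postfix or amavisd-new code, of why the mime_header_checks rules in the post never fire on this message. Postfix header checks see only the MIME headers, where the attachment is named R46202.EXE.zip; the banned name R46202.EXE exists only inside the archive, which is what amavisd-new found. The script ports the post's second header rule and the matching_key from the log to Python regexes, builds a constructed sample message (R46202.EXE either zipped, as in the post, or attached directly; the executable bytes are a dummy placeholder), and runs a header-only check beside a content check that decodes the attachment and descends into nested zips with depth and size limits.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Second rule from the poster's mime_header_checks, as a Python regex. Postfix
# applies it to MIME header lines only, never to attachment contents.
HEADER_NAME_RE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?'
    r'(.+\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|'
    r'sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$',
    re.IGNORECASE,
)

# The banned-filename pattern amavisd-new reported as matching_key in the log.
BANNED_NAME_RE = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)

MAX_NESTING = 3               # stop descending into zips nested deeper than this
MAX_MEMBER_BYTES = 10 << 20   # skip members that inflate beyond 10 MiB (zip-bomb guard)


def header_check(msg):
    """Emulate Postfix mime_header_checks: match MIME headers of each part only."""
    hits = []
    for part in msg.walk():
        for name in ("Content-Disposition", "Content-Type"):
            value = part.get(name)
            if value is None:
                continue
            m = HEADER_NAME_RE.match(f"{name}: {value}")
            if m:
                hits.append(m.group(2))
    return hits


def banned_names_in_archive(data, depth=0):
    """Return member names matching BANNED_NAME_RE, descending into nested zips."""
    found = []
    if depth > MAX_NESTING:
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip (e.g. a bare .exe payload): nothing to descend into
    with zf:
        for info in zf.infolist():
            if BANNED_NAME_RE.search(info.filename):
                found.append(info.filename)
            if info.filename.lower().endswith(".zip") and info.file_size <= MAX_MEMBER_BYTES:
                found.extend(banned_names_in_archive(zf.read(info.filename), depth + 1))
    return found


def content_check(msg):
    """Emulate the amavisd-new banned-name check: decode attachments, look inside archives."""
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if BANNED_NAME_RE.search(filename):
            hits.append(filename)
        payload = part.get_payload(decode=True)
        if payload:
            hits.extend(banned_names_in_archive(payload))
    return hits


def build_sample_message(zipped=True):
    """Constructed sample message (not real mail): R46202.EXE either zipped, as in
    the post, or attached directly. The .exe content is a dummy byte string."""
    exe_bytes = b"MZ" + b"\x00" * 62  # constructed placeholder, not a real executable
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Zip"
    msg.set_content("see attached")
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("R46202.EXE", exe_bytes)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="R46202.EXE.zip")
    else:
        msg.add_attachment(exe_bytes, maintype="application", subtype="octet-stream",
                           filename="R46202.EXE")
    return msg


if __name__ == "__main__":
    for zipped in (True, False):
        m = build_sample_message(zipped)
        print("zipped" if zipped else "direct",
              "header_check:", header_check(m),
              "content_check:", content_check(m))
```

For the zipped message the header check returns nothing while the content check reports R46202.EXE; for the direct attachment both catch it. That is the division of labour in the post's setup: Postfix header checks can only stop names visible in MIME headers, and archive contents are amavisd-new's job. The relay step in the log is then a policy setting rather than a detection gap: a banned notice that ends with "The message WILL BE relayed to" is what amavisd-new produces when $final_banned_destiny is D_PASS (quarantine a copy, deliver the original); setting it to D_DISCARD or D_BOUNCE keeps the quarantined copy and stops delivery. Note also that the banned-name check is amavisd-new's own, not ClamAV's, which is why "No viruses were found" and "Banned" appear together in the notification.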