Subject: amavisd-new: .docx often incorrectly detected as BANNED: .exe, .exe-ms, [trash]/0000.dat
Date: Tue, 16 Jul 2013 20:09:00 +0200
Package: amavisd-new
Version: 1:2.6.4-3
Severity: normal
.docx documents (ZIP files) are often incorrectly tagged and blocked with:

  Reject, id=29112-10-2 - BANNED: .exe,.exe-ms,[trash]/0000.dat (in reply to end of DATA command)

Unzipping the .docx reveals that file(1) reports this as:

  [trash]/0000.dat: DOS executable (device driver)

However, looking at the magic(5) source, it seems it is a very simple check
prone to false positives. While I'm working around the bug at our mail server
by removing the non-ideal "device driver" definition, I think it would be
better if amavis would not block those, as it has quite a few false positives
in the wild, and there is a pretty low chance of infection even if it were an
infected device driver (you'd have to have an old DOS/Windows system and
manually edit config.sys device= lines to become infected after reboot!)

And even if there are infected device drivers in the wild these days (which
I seriously doubt), they would be caught by antivirus (clamav or such).

So I think an exception should be made in amavisd-new to not detect
"DOS executable (device driver)" attachments as something that should ban
e-mails.

[ Alternatively, this may be reassigned as a file(1) bug, but that would
probably be overkill. ]
-- System Information:
Debian Release: 6.0.7
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages amavisd-new depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii file 5.04-5+squeeze2 Determines file type using "magic"
ii libarchive-zip-perl 1.30-3 Perl module for manipulation of ZI
ii libberkeleydb-perl 0.42-1~squeeze1 use Berkeley DB 4 databases from P
ii libcompress-raw-zlib-p 2.026-1 low-level interface to zlib compre
ii libconvert-tnef-perl 0.17-9 Perl module to read TNEF files
ii libconvert-uulib-perl 1.12-1 Perl interface to the uulib librar
pn libdigest-md5-perl <none> (no description available)
ii libio-stringy-perl 2.110-4 Perl modules for IO from scalars a
ii libmail-dkim-perl 0.38-1 cryptographically identify the sen
ii libmailtools-perl 2.06-1 Manipulate email in perl programs
pn libmime-base64-perl <none> (no description available)
ii libmime-tools-perl 5.428-1 Perl5 modules for MIME-compliant m
ii libnet-server-perl 0.97-1 An extensible, general perl server
ii libunix-syslog-perl 1.1-2 Perl interface to the UNIX syslog(
ii pax 1:20090728-1 Portable Archive Interchange
ii perl [libtime-hires-pe 5.10.1-17squeeze6 Larry Wall's Practical Extraction
ii perl-modules [libarchi 5.10.1-17squeeze6 Core Perl modules
amavisd-new recommends no packages.
Versions of packages amavisd-new suggests:
ii apt-listchanges 2.85.7+squeeze1 package change history notificatio
ii arj 3.10.22-9 archiver for .arj files
ii cabextract 1.3-1 a program to extract Microsoft Cab
ii clamav 0.97.6+dfsg-1~squeeze1 anti-virus utility for Unix - comm
ii clamav-daemon 0.97.6+dfsg-1~squeeze1 anti-virus utility for Unix - scan
ii cpio 2.11-4 GNU cpio -- a program to manage ar
pn dspam <none> (no description available)
pn lha <none> (no description available)
ii libauthen-sasl-pe 2.1500-1 Authen::SASL - SASL Authentication
ii libdbi-perl 1.612-1 Perl Database Interface (DBI)
ii libmail-dkim-perl 0.38-1 cryptographically identify the sen
ii libnet-ldap-perl 1:0.4001-2 client interface to LDAP servers
pn libsnmp-perl <none> (no description available)
ii lzop 1.02~rc1-2 fast compression program
ii nomarch 1.4-3 Unpacks .ARC and .ARK MS-DOS archi
ii p7zip 9.04~dfsg.1-1 7zr file archiver with high compre
pn rpm <none> (no description available)
ii spamassassin 3.3.1-1 Perl-based spam filter using text
pn unrar <none> (no description available)
ii unrar-free 1:0.0.1+cvs20071127-1 Unarchiver for .rar files
ii zoo 2.10-22 manipulate zoo archives
-- Configuration Files:
/etc/amavis/conf.d/05-domain_id changed [not included]
/etc/amavis/conf.d/15-content_filter_mode changed [not included]
/etc/amavis/conf.d/20-debian_defaults changed [not included]
/etc/amavis/conf.d/50-user changed [not included]
/etc/cron.d/amavisd-new changed [not included]
-- debconf information:
amavisd-new/outdated_config_style_warning:
Hi, I've run into this lately, too.
It appears that amavis uses the local installation of "file"'s magic
configuration for identifying file-content.
With an old "file magic" it says "Zip archive" for newer word docs,
and in turn probably extracts the contents to check each file
individually, and eventually stumbles over trash/0000.dat, which
triggers as DOS-executable.
With a new / updated "file magic" it correctly reports word-doc, and
probably isn't touched any further.
--
Rado, enjoy
Subject: Re: Bug#717096: not amavis' fault, but file magic
Date: Tue, 20 Jun 2017 13:23:16 -0300
On Tue, 20 Jun 2017, [email protected] wrote:
> Hi, I've run into this lately, too.
> It appears that amavis uses the local installation of "file"'s magic
> configuration for identifying file-content.
>
> With an old "file magic" it says "Zip archive" for newer word docs,
> and in turn probably extracts the contents to check each file
> individually, and eventually stumbles over trash/0000.dat, which
> triggers as DOS-executable.
>
> With a new / updated "file magic" it correctly reports word-doc, and
> probably isn't touched any further.
Do you guys have any idea of which version of "file" magic causes
trouble?
--
Henrique Holschuh
Subject: Re: Bug#717096: not amavis' fault, but file magic
Date: Thu, 22 Jun 2017 11:26:56 +0200
=- Henrique de Moraes Holschuh wrote on Tue 20.Jun'17 at 13:23:16 -0300 -=
> Do you guys have any idea of which version of "file" magic causes
> trouble?
I don't know when it starts to break, but this one fails:
magic binary file for file(1) cmd (version 7) (little endian)
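
Added example (not part of the bug thread and not amavisd-new code): a Python triage helper for a quarantined attachment that checks whether the ZIP declares itself a Word OOXML document and asks the locally installed file(1) how it classifies each member, so the member behind a "DOS executable" ban can be identified. The sample archive, its placeholder member contents and all function names are constructed for illustration.

```python
import io
import shutil
import subprocess
import zipfile

# Content type that marks a ZIP container as a Word OOXML document.
WORD_MAIN = ("application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml")
MAX_MEMBER = 8 * 1024 * 1024  # skip oversized members instead of inflating them

def is_word_ooxml(data: bytes) -> bool:
    """True if the ZIP's [Content_Types].xml declares a Word main part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return False
    return WORD_MAIN in types

def member_types(data: bytes):
    """Return [(member name, file(1) description or None)] per member."""
    file_bin = shutil.which("file")  # None when file(1) is not installed
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            desc = None
            if file_bin and info.file_size <= MAX_MEMBER:
                proc = subprocess.run([file_bin, "-b", "-"], input=zf.read(info),
                                      capture_output=True, timeout=10)
                desc = proc.stdout.decode("utf-8", "replace").strip()
            results.append((info.filename, desc))
    return results

def flagged(results, needle="DOS executable"):
    """Members whose description contains the string seen in the ban message."""
    return [name for name, desc in results if desc and needle in desc]

def build_sample_docx() -> bytes:
    """Constructed sample: minimal docx-like ZIP with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{WORD_MAIN}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("[trash]/0000.dat", b"placeholder bytes, constructed\n")
    return buf.getvalue()
```

Running `flagged(member_types(data))` on the real attachment with the mail server's own file(1) shows which members that magic database classifies as executables; the result depends on the installed magic version.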