Debian Bug report logs - #855696
amavisd-new: Filter javascript from base64 encoded html

Package: amavisd-new; Maintainer for amavisd-new is Brian May <[email protected]>; Source for amavisd-new is src:amavisd-new.

Reported by: herrmann <[email protected]>

Date: Tue, 21 Feb 2017 11:27:02 UTC

Severity: wishlist

Tags: upstream

Found in version amavisd-new/1:2.10.1-2~deb8u1


Subject: Bug#855696: amavisd-new: Filter javascript from base64 encoded html
Sender: Brian May <[email protected]>
From: Brian May <[email protected]>
To: herrmann <[email protected]>, [email protected]
In-Reply-To: <[email protected]>
Organization: Debian
References: <[email protected]>
Date: Thu, 23 Feb 2017 17:02:06 +1100
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain
herrmann <[email protected]> writes:

> I'm used to filtering mails which contain javascript or other kinds of directly
> executable scripts. This is simply done with some regexes in postfix
> body_checks. But for some time now javascript trojans are increasingly being
> sent as base64 encoded html attachments, and in this case my approach to block
> them via simple text analysis fails.
>
> With amavis I can quarantine javascript attachments (.js), I can quarantine
> zipped attachments containing .js files - but I can't see any way to
> quarantine attachments which - after base64-decoding - contain script as pure
> text.
>
> If an attachment in its very nature is a common text file, postfix seems to be
> the first place to do some regex filtering on it. But I guess it's beyond
> postfix's scope to recognize and decode such attachments before regexing. So it
> would be great if they could be filtered with either amavis or with an amavis
> plugin.

Sorry, I am not 100% certain I understand what you want.

Do the $banned_filename_re or $banned_namepath_re amavisd-new perl
settings do what you want?

FYI: You might be better off asking on the amavisd-new user mailing
list, as I get the impression this is a help/support request, not a bug
report.

https://lists.amavis.org/cgi-bin/mailman/listinfo/amavis-users
-- 
Brian May <[email protected]>
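
The gap described in the report, shown as an added example (not code from this bug log, from amavisd-new or from postfix): a line-based regex over the undecoded message misses script inside a base64 HTML attachment, while decoding each MIME part first finds it. The pattern `SCRIPT_RE`, the function names and the sample message are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# Illustrative pattern of the kind one might use in a body regex check (assumption).
SCRIPT_RE = re.compile(rb"<\s*script\b|javascript\s*:", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed sample: multipart mail carrying a base64 text/html attachment."""
    html = b"<html><body><script>document.title='constructed';</script></body></html>"
    b64 = base64.encodebytes(html).replace(b"\n", b"\r\n")
    return (
        b"From: sender@example.org\r\n"
        b"To: rcpt@example.org\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
        b"\r\n"
        b"--BOUND\r\n"
        b"Content-Type: text/plain\r\n\r\n"
        b"See attachment.\r\n"
        b"--BOUND\r\n"
        b'Content-Type: text/html; name="invoice.html"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="invoice.html"\r\n\r\n'
        + b64 +
        b"--BOUND--\r\n"
    )


def raw_line_scan(raw: bytes) -> bool:
    """Match line by line on the undecoded message, as a plain body regex sees it."""
    return any(SCRIPT_RE.search(line) for line in raw.splitlines())


def decoded_part_scan(raw: bytes) -> list:
    """Undo each leaf part's transfer encoding, then match; returns offending parts."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no payload of their own
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        if SCRIPT_RE.search(payload):
            hits.append(part.get_filename() or part.get_content_type())
    return hits
```
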

Debian bug tracking system administrator <[email protected]>. Last modified: Fri May 16 00:52:05 2025; Machine Name: buxtehude
