
Thread: [SOLVED] Modify Content Filter

  1. #1
    sgrzy01 is offline Active Member

    We are getting a lot of banned mail because of the embedded .wmf's that are in Office 2007 docx's, unbeknownst to the users who are sending the docs...

    and our users are starting to complain...

    How can I remove or at least alter this rule?

    Thanx...

    NE 601

  2. #2
    ArcaneMagus is offline Moderator

    Which "rule" are you talking about that is causing these banned messages? A SpamAssassin rule?

    How are these messages "banned"?

  3. #3
    sgrzy01 is offline Active Member

    Sorry.. should have put more detail in the message....

    Which rule.. that is part of my problem.. I don't know which package is actually doing the rejection...

    Here is what I get as an admin (w/ header)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Return-Path: admin@xxx.net
    Received: from zimbra.xxx.net (LHLO
    zimbra.xxx.net) (X.X.X.X) by zimbra.xxx.net
    with LMTP; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.xxx.net (Postfix) with ESMTP id 34297290034
    for <steveg@yyy.com>; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
    MIME-Version: 1.0
    From: "Content-filter at zimbra.xxx.net"
    <admin@xxx.net>
    Date: Thu, 22 Oct 2009 11:02:42 -0400 (EDT)
    Subject: BANNED contents (.wmf,word/media/image1.wmf) in mail TO YOU from
    <zzz@citrix.com>
    To: "'steveg@yyy.com'" <steveg@yyy.com>
    Message-ID: <VRKE0K4GM+nPw5@zimbra.xxx.net>
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Disposition: inline
    Content-Transfer-Encoding: 7bit

    BANNED CONTENTS ALERT

    Our content checker found
    banned name: .wmf,word/media/image1.wmf

    in an email to you from:
    zzz@citrix.com

    Content type: Banned
    Our internal reference code for your message is 28786-09/KE0K4GM+nPw5

    First upstream SMTP client IP address: [66.165.176.63] smtp02.citrix.com
    According to a 'Received:' trace, the message apparently originated at:
    [66.165.176.63], FTLPMAILBOX01.citrite.net [10.13.98.208]

    Return-Path: <zzz@citrix.com>
    From: Daria Robinson <zzz@citrix.com>
    Message-ID:
    <F40D1F28D0945448B4FFE861BFD8FD6E777E662E5E@FTLPMAILBOX01.citrite.net>
    Subject: FW: Citrix Technical Support Renewal
    Networks
    The message has been quarantined as: banned-KE0K4GM+nPw5

    Please contact your system administrator for details.
    ~~~~~~~~~~~~~~~~~

    Thanx....

  4. #4
    uxbod is offline Moderator

    Check in Admin GUI -> Global Settings -> Currently Blocked Extensions to see if wmf has been listed by somebody.

  5. #5
    sgrzy01 is offline Active Member

    thanx... should have been able to find that myself.. sigh... :-)

  6. #6
    pkar is offline Intermediate Member

    Hello,
    is this solution (allowing wmf from extensions) ok "security wise" ?
    I mean could it be a security risk by allowing it globally ?
    Is there any other way to allow it per user (zimbra account) or per domain ?

    Thank you,
    Panagiotis

  7. #7
    mario is offline Intermediate Member

    Allow wmf only if inside docx or pptx: how to

    wmf are blocked by the following rule in amavis.conf

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wmf|wsf|wsh|xl)$'i,
    );
    the modified rule should be

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    So wmf are checked after allowing docx or pptx.

    You can do that in 3 steps:

    1) from admin panel remove wmf from attachment ban

    2) edit /opt/zimbra/conf/amavis.conf.in and change the following lines

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list  VAR:zimbraMtaBlockedExtension |%%)$'i,
    );
    to

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
    xtension |%%)$'i, 
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    3) as zimbra execute zmamavisdctl reload to reload amavis

    Done.

    Now if a docx or a pptx has inside a wmf it is allowed.

    Remember to check after upgrade if the rule has been overwritten.

    A special thanks to Samuele Tognini ( not a forum member ) for support and suggestions.

    Mario
    Last edited by mario; 09-28-2011 at 03:44 AM.

  8. #8
    pkar is offline Intermediate Member

    Quote: Originally posted by mario
    wmf are blocked by the following rule in amavis.conf

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wmf|wsf|wsh|xl)$'i,
    );
    the modified rule should be

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    So wmf are checked after allowing docx or pptx.

    You can do that in 3 steps:

    1) from admin panel remove wmf from attachment ban

    2) edit /opt/zimbra/conf/amavis.conf.in and change the following lines

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list  VAR:zimbraMtaBlockedExtension |%%)$'i,
    );
    to

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
    xtension |%%)$'i, 
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    3) as zimbra execute zmamavisdctl reload to reload amavis

    Done.

    Now if a docx or a pptx has inside a wmf it is allowed.

    Remember to check after upgrade if the rule has been overwritten.

    A special thanks to Samuele Tognini ( not a forum member ) for support and suggestions.

    Mario

    Hello,
    tried to edit the file, but I got the following error when reloading amavis

    *************
    Starting amavisd...Scalar found where operator expected at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
    (Missing operator before $'i?)
    Error in config file "/opt/zimbra/conf/amavisd.conf": syntax error at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
    *************

    Any idea what went wrong ?

    I need also to enable wmf extensions ONLY when inside docx/pptx files, not everywhere, and I found this topic very useful

    If someone could help, it would be greatly appreciated,

    Regards

  9. #9
    mario is offline Intermediate Member

    Hello Pkar,

    the error is in the code, the right code is this:

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    That was a "cut and glue" mistake, the wrong line is the following
    Code:
    xtension |%%)$'i,
    Mario
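
Added example (not part of the thread and not amavisd's own code): a simplified Perl model of the rule ordering described in the posts above, run over constructed part paths. It shows that entries placed before the allow rule still apply inside a .docx, and that the allow rule, having no `i` flag, does not match `REPORT.DOCX`. Assumptions: rules are tried in order against every name on the path from the attachment to the inner part and the first match decides; the `verdict` helper, the sample paths and the shortened basic list are hypothetical.

```perl
#!/usr/bin/perl
# Simplified model of an ordered banned-name rule list (assumed semantics,
# not amavisd code): a bare qr// bans on match, [ qr// => 0 ] allows on match.
use strict;
use warnings;

# Rule list as in the corrected post; the basic list is shortened here.
my @rules = (
  qr'.\.(bat|cmd|com|dll|exe|js|scr|vbs)$'i,   # banned extension - basic
  [ qr'.\.(docx|pptx)$' => 0 ],                # allow docx and pptx
  qr'.\.wmf$'i,                                # ban wmf
);

# Try each rule in order against every name on the path (outermost first).
# The first rule that matches any name decides; no match means not banned.
sub verdict {
  my @path = @_;
  for my $i (0 .. $#rules) {
    my $rule = $rules[$i];
    my ($re, $ban) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
    for my $name (@path) {
      next unless $name =~ $re;
      return ($ban ? 'BANNED' : 'allowed', 'rule ' . ($i + 1) . " matched $name");
    }
  }
  return ('allowed', 'no rule matched');
}

# Constructed sample paths: attachment name first, then the part inside it.
my @samples = (
  [ 'image1.wmf' ],
  [ 'report.docx', 'word/media/image1.wmf' ],
  [ 'REPORT.DOCX', 'word/media/image1.wmf' ],
  [ 'report.docx', 'word/embeddings/setup.exe' ],
  [ 'slides.pptx', 'ppt/media/image2.wmf' ],
  [ 'bundle.zip',  'image1.wmf' ],
);

for my $path (@samples) {
  my ($verdict, $why) = verdict(@$path);
  printf "%-8s %-48s (%s)\n", $verdict, join(' > ', @$path), $why;
}
```

Because the allow entry matches on the container's file name only, anything it is meant to exempt has to be listed after it, and anything that must stay blocked everywhere has to stay before it.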

  10. #10
    laluvirtual is offline Intermediate Member

    hello here is my problem
    +++++++++++++++++
    BANNED CONTENTS ALERT

    Our content checker found
    banned name: admin/assets/dtree/dtree.js

    in email presumably from you <someone@gmail.com>
    to the following recipient:
    -> someone@domain.com

    Our internal reference code for your message is 50921-01/ZTuq_dKJroC8

    First upstream SMTP client IP address: [209.85.220.43] mail-pa0-f43.google.com
    According to a 'Received:' trace, the message apparently originated at:
    [209.85.220.43], mail-pa0-f43.google.com mail-pa0-f43.google.com
    [209.85.220.43]

    Return-Path: <someone@gmail.com> (OK)
    From: =?ISO-8859-1?Q?laluvirtual=AE?= <someone@gmail.com> (dkim:AUTHOR)
    Message-ID:
    <CAFSbqH6UK9_aam61raKCcwUDTe1Rw0jrcc3n4NEWqTgbyAdGzQ@mail.gmail.com>
    Subject: testing
    +++++++++++++++++++++++++++++++++


    I tried unchecking "Block encrypted archives" and also removing all extensions in "Currently blocked extensions by MTA", but it does not work.
    I'm using Zimbra Release 8.0.0.
    Any suggestions?
