| Welcome to the Zimbra :: Forums! | |
02-23-2010, 02:14 PM
| | Special Member | |
Posts: 103
E-Mail with JPEG attachment banned??
Hey Guys,
Here's another one I'm a little stumped on. Someone from the outside is trying to e-mail one of our users a scanned document in the form of a JPEG. For reasons I cannot figure out, their e-mail is getting banned.
Code:
No viruses were found.
Banned name: .image,.jpg,SCAN0004.JPG
Content type: Banned
Internal reference code for the message is 23441-17/E8T7wSivQ+b1
First upstream SMTP client IP address: [66.196.114.23]
omp310.mail.re3.yahoo.com
According to a 'Received:' trace, the message apparently originated at:
[70.108.11.93], [70.108.11.93]
Return-Path: <sender@yahoo.com> (OK)
From: stephen sender <sender@yahoo.com> (dkim:AUTHOR)
Message-ID: <742551.17542.qm@web53403.mail.re2.yahoo.com>
Subject: Form
The message has been quarantined as: banned-E8T7wSivQ+b1
The message WAS NOT relayed to:
<recipient@ourserver.org>:
554 5.7.0 Reject, id=23441-17 - BANNED: .image,.jpg,SCAN0004.JPG
Headers included with the message sent to the Administrator:
Code:
Return-Path: <sender@yahoo.com>
X-Greylist: delayed 401 seconds by postgrey-1.27 at mail; Tue, 23 Feb 2010 13:43:16 PST
Received: from omp310.mail.re3.yahoo.com (omp310.mail.re3.yahoo.com [66.196.114.23])
by mail.ourserver.org (Postfix) with SMTP id BDF18CD0001
for <recipient@ourserver.org>; Tue, 23 Feb 2010 13:43:16 -0800 (PST)
Received: (qmail 20774 invoked by uid 1000); 23 Feb 2010 21:36:34 -0000
Received: (qmail 18552 invoked by uid 60001); 23 Feb 2010 21:36:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1266960985; bh=V/RQfw2aLJ1/Yg2h5d7AYKsSNRFFhseVD6JER5s1wVE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=31pHFA12rFgSKDPALst+OK6eoAHrGme/5yA/4X8iQgoSh96VAgBzgGtOeI/IKcal47M+smwHN2VQ+u8PsmAgeRqKUgOPAr8JmTZHsjF0f2Xc4hl8mMfxChRTu4qvpEHI4oyBvulpG6Volt4Eg0qUU/3Bfh3NImyUg//GUcoOLSg=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=RD3odG6PZGz+849GG70AoY5olMvSaJoZAQPiAeyNjLArqUqMCWWphwwhRPnr2jhnFhECrpOJQu7zJMAtXJI/sOtHvYvoebuGs+8WB0tQYcsygEmyagX0OcuTyohruLA3EaskI0H1VAg6gxdLUD+ZBYrDKIRHNGlgc3DGM7hTKhs=;
Message-ID: <742551.17542.qm@web53403.mail.re2.yahoo.com>
X-YMail-OSG: Y.XO6WYVM1kJWgUYmFYSTf4HVIonVJ0A1Asj3uMq2YNPF38gxRfKhMUQl64.2Cq_MauD0BiEpW0aTD_RR.rE0VlBYx4b4fLV5buPIUuhTfIDkmbilsZ9_jyA3wm0xQTwyCJsXN4xpebcHCBa0xxfz38UOr2KjSxHw_itwOChvvh3f5VxkE2TWF.G2NZvuSF3mmZEZoMp2W6geDe5ugIiKjRII0055VCx8DOOywGGvVdwHRjJI9ggzGZjjEwWbi5kcf9KwGFJunaV9DEyuCEhaRhlVYehfwCioJXi7Zo-
Received: from [70.108.11.93] by web53403.mail.re2.yahoo.com via HTTP; Tue, 23 Feb 2010 13:36:25 PST
X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964
Date: Tue, 23 Feb 2010 13:36:25 -0800 (PST)
From: stephen Sender <sender@yahoo.com>
Subject: Form
To: recipient@ourserver.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1087031266-1266960985=:17542"
I'm not blocking images or the .JPG extension as far as attachments go.
We are running Zimbra 6.0.5_GA_2213.DEBIAN4.0.FOSS
Any help would be appreciated. Thanks!!
02-23-2010, 02:25 PM
| | Special Member | |
Posts: 103
Here's another example, but this time it's with a .doc file:
Code:
No viruses were found.
Banned name: .doc,AB1721FactSheet2_12_10.doc
Content type: Banned
Internal reference code for the message is 01335-03/5Rtgpy3GD0yd
First upstream SMTP client IP address: [205.188.169.203] imr-da06.mx.aol.com
According to a 'Received:' trace, the message apparently originated at:
[205.188.169.202], magic-m15.mail.aol.com magic-m15.mail.aol.com
[172.21.145.217]
Return-Path: <sender@aol.com>
From: sender@aol.com
Message-ID: <1ea00.3aba92e1.38b49a37@aol.com>
Subject: info re: AB1821
The message has been quarantined as: banned-5Rtgpy3GD0yd
The message WAS NOT relayed to:
<recipient@ourserver.org>:
554 5.7.0 Reject, id=01335-03 - BANNED: .doc,AB1721FactSheet2_12_10.doc
Accompanying headers:
Code:
Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com [205.188.169.203])
by mail.ourserver.org (Postfix) with ESMTP id D5294CD0003
for <recipient@ourserver.org>; Mon, 22 Feb 2010 18:41:29 -0800 (PST)
Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202])
by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id o1N2f0Au018958;
Mon, 22 Feb 2010 21:41:00 -0500
Received: from sender@aol.com
by imo-da04.mx.aol.com (mail_out_v42.9.) id 6.d62.54764687 (45275);
Mon, 22 Feb 2010 21:40:59 -0500 (EST)
Received: from magic-m15.mail.aol.com (magic-m15.mail.aol.com [172.21.145.217]) by cia-mc03.mx.aol.com (v127.7) with ESMTP id MAILCIAMC035-b0db4b8340372d1; Mon, 22 Feb 2010 21:40:55 -0500
From: sender@aol.com
Message-ID: <1ea00.3aba92e1.38b49a37@aol.com>
Date: Mon, 22 Feb 2010 21:40:55 EST
Subject: info re: AB1821
To: A ton of people plus recipient@ourserver.org
CC: two others
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part1_1ea00.3aba92e1.38b49a37_boundary"
X-Mailer: AOL 9.0 VR sub 5004
X-AOL-ORIG-IP: 98.238.189.139
X-AOL-IP: 172.21.145.217
X-AOL-VSS-CODE: clean
X-AOL-VSS-INFO: 5400.1158/0
X-Spam-Flag:NO
X-AOL-SENDER: CSNOExec@aol.com
We most definitely don't block attachments with the .doc extension. If no viruses were found, why would it be blocked?
I e-mailed my account via my personal GMail address and attached a JPEG picture. It was received without any problems. Did the same with a Word document...no problems.
Last edited by thunder04; 02-23-2010 at 02:30 PM..
| 
02-23-2010, 11:58 PM
What does the following show?
Code:
su - zimbra
zmprov gcf zimbraMtaBlockedExtension
02-24-2010, 07:07 AM
| | Special Member | |
Posts: 103
Code:
root@cottontail:~# su - zimbra
zimbra@cottontail:~$ zmprov gcf zimbraMtaBlockedExtension
zimbraMtaBlockedExtension: zip
zimbraMtaBlockedExtension: bat
zimbraMtaBlockedExtension: com
zimbraMtaBlockedExtension: exe
zimbraMtaBlockedExtension: dll
zimbraMtaBlockedExtension: pif
zimbraMtaBlockedExtension: scr
zimbraMtaBlockedExtension: vbs
zimbraMtaBlockedExtension: chm
zimbraMtaBlockedExtension: hta
zimbraMtaBlockedExtension: shs
zimbra@cottontail:~$
Exactly what the admin GUI reflects, hence my confusion! lol
02-24-2010, 10:58 AM
| | Outstanding Member | |
Posts: 594
Well, as the error says:
Banned name: .image,.jpg,SCAN0004.JPG
Not sure how you managed to create an attachment with this name
(of course, assuming you are working with a Windows desktop)
02-24-2010, 11:43 AM
Not too sure that is the case, Veronica; I believe we would need to see the MIME headers as well.
02-24-2010, 05:57 PM
| | Special Member | |
Posts: 103
| | How I managed to create an attachment with this name?? I wasn't the sender in either case. The first example was a parent trying to e-mail a school secretary a form. The second example is to our district nurse...I don't know who it's from.
In both examples above, the e-mails came from people outside of our mail system.
Has the quarantine location changed with Zimbra 6.0.x? I can't seem to find the "banned" e-mail. Can someone point me to the new location (or am I just an idiot?)? I'll post MIME headers of both examples. | 
02-24-2010, 10:14 PM
| | Outstanding Member | |
Posts: 594
I agree with you, ubox, but if you look at all the mail headers, there are unique attachment names:
Banned name: .image,.jpg,SCAN0004.JPG
Banned name: .doc,AB1721FactSheet2_12_10.doc
These somehow don't seem normal to me. Can we give changing the name to something reasonable a try? What do you say?
02-25-2010, 06:31 AM
I would take a look in /opt/zimbra/conf/amavisd.conf to see what amavis is doing directly. Look for the following (your extensions may vary!):
Code:
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
# banned extension - basic
qr'.\.(asd|bat|chm|cmd|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wmf|wsf|wsh)$'i,
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
If they are different, then I'd check that /opt/zimbra/conf/amavisd.conf.in contains the following block:
Code:
# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
# banned extension - basic
%%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i,
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
Assuming all is in order, then I'd try restarting amavis as the zimbra user:
Code:
zmamavisdctl stop; zmamavisdctl status; zmamavisdctl start; zmamavisdctl status
While doing the above, watch in a separate window via top that all the old amavis processes are indeed killed by the Zimbra scripts.
Don't worry about losing any email! Postfix doesn't actually delete any email until after amavis has finished processing it.
Hope that helps,
Mark
__________________
___________________________________ L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
| 
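An offline check of the rule described in the post above, as an added example that is not part of the original thread or Zimbra's own code: it renders the template's `qr'.\.(...)$'i` line from the `zmprov` output posted earlier and tests each component of the two "Banned name" values against it. It assumes the comma-separated value lists every name amavisd tested for the part (detected file types with a leading dot, then the declared filename); all function names are hypothetical.

```python
import re

# Extension list exactly as returned by `zmprov gcf zimbraMtaBlockedExtension`
# earlier in the thread.
ZMPROV_EXTENSIONS = ["zip", "bat", "com", "exe", "dll", "pif", "scr",
                     "vbs", "chm", "hta", "shs"]

# "Banned name" values copied from the two rejection notices in the thread.
BANNED_NAMES = [
    ".image,.jpg,SCAN0004.JPG",
    ".doc,AB1721FactSheet2_12_10.doc",
]


def build_banned_filename_re(extensions):
    """Render the amavisd.conf.in line qr'.\\.(ext1|ext2|...)$'i.

    Values are joined verbatim with '|', as the %%list ... |%% template does.
    """
    return re.compile(r".\.(" + "|".join(extensions) + r")$", re.IGNORECASE)


def explain(value, pattern):
    """Map each component of one 'Banned name' value to whether it matches.

    Assumption: components are comma-separated, so a declared filename that
    itself contains a comma would be split incorrectly.
    """
    return {part: bool(pattern.search(part)) for part in value.split(",")}


def config_explains_ban(value, pattern):
    """True if at least one tested name matches the rendered extension rule."""
    return any(explain(value, pattern).values())


if __name__ == "__main__":
    rule = build_banned_filename_re(ZMPROV_EXTENSIONS)
    print("rendered rule:", rule.pattern)
    for value in BANNED_NAMES:
        hit = config_explains_ban(value, rule)
        print(f"{value}: {'matches' if hit else 'does NOT match'} the rule")
        for part, matched in explain(value, rule).items():
            print(f"    {part:<30} match={matched}")
```

Neither notice matches the rule rendered from the posted extension list, so the ban was triggered by something other than that list as posted, which is what comparing the live amavisd.conf would reveal.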
02-25-2010, 08:41 AM
| | Special Member | |
Posts: 103
Quote:
Originally Posted by veronica
I agree with you, ubox, but if you look at all the mail headers, there are unique attachment names:
Banned name: .image,.jpg,SCAN0004.JPG
Banned name: .doc,AB1721FactSheet2_12_10.doc
These somehow don't seem normal to me. Can we give changing the name to something reasonable a try? What do you say?

The only problem is that I don't know how to re-create this anomaly. As I stated before, these are from external people I'm not associated with.
As far as the email with "SCAN0004.JPG", I told the secretary to e-mail the sender and ask them to change the file name. She just let me know that she was able to receive the scanned document without any trouble after that.
As for the e-mail with "AB1721FactSheet2_12_10.doc", I'm not sure. I created a Word document and named it exactly that. I sent it to my Zimbra account via my Gmail account and it came through fine.