
Thread: [SOLVED] Modify Content Filter

  1. #1

    We are getting a lot of banned mail because of the embedded .wmf's that are in Office 2007 docx's, unbeknownst to the users who are sending the docs...

    and our users are starting to complain...

    How can I remove or at least alter this rule?

    Thanx...

    NE 601

  2. #2

    Which "rule" are you talking about that is causing these banned messages? A SpamAssassin rule?

    How are these messages "banned"?

  3. #3

    Sorry.. should have put more detail in the message....

    Which rule.. that is part of my problem.. I don't know which package is actually doing the rejection...

    Here is what I get as an admin (w/ header)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Return-Path: admin@xxx.net
    Received: from zimbra.xxx.net (LHLO
    zimbra.xxx.net) (X.X.X.X) by zimbra.xxx.net
    with LMTP; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by zimbra.xxx.net (Postfix) with ESMTP id 34297290034
    for <steveg@yyy.com>; Thu, 22 Oct 2009 11:02:43 -0400 (EDT)
    MIME-Version: 1.0
    From: "Content-filter at zimbra.xxx.net"
    <admin@xxx.net>
    Date: Thu, 22 Oct 2009 11:02:42 -0400 (EDT)
    Subject: BANNED contents (.wmf,word/media/image1.wmf) in mail TO YOU from
    <zzz@citrix.com>
    To: "'steveg@yyy.com'" <steveg@yyy.com>
    Message-ID: <VRKE0K4GM+nPw5@zimbra.xxx.net>
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Disposition: inline
    Content-Transfer-Encoding: 7bit

    BANNED CONTENTS ALERT

    Our content checker found
    banned name: .wmf,word/media/image1.wmf

    in an email to you from:
    zzz@citrix.com

    Content type: Banned
    Our internal reference code for your message is 28786-09/KE0K4GM+nPw5

    First upstream SMTP client IP address: [66.165.176.63] smtp02.citrix.com
    According to a 'Received:' trace, the message apparently originated at:
    [66.165.176.63], FTLPMAILBOX01.citrite.net [10.13.98.208]

    Return-Path: <zzz@citrix.com>
    From: Daria Robinson <zzz@citrix.com>
    Message-ID:
    <F40D1F28D0945448B4FFE861BFD8FD6E777E662E5E@FTLPMAILBOX01.citrite.net>
    Subject: FW: Citrix Technical Support Renewal
    Networks
    The message has been quarantined as: banned-KE0K4GM+nPw5

    Please contact your system administrator for details.
    ~~~~~~~~~~~~~~~~~

    Thanx....

  4. #4

    Check in Admin GUI -> Global Settings -> Currently Blocked Extensions to see if wmf has been listed by somebody.

  5. #5

    thanx... should have been able to find that myself.. sigh... :-)

  6. #6

    Hello,
    is this solution (allowing wmf from extensions) ok "security wise"?
    I mean, could it be a security risk by allowing it globally?
    Is there any other way to allow it per user (zimbra account) or per domain?

    Thank you,
    Panagiotis

  7. #7
    Allow wmf only if inside docx or pptx: how to

    wmf are blocked by the following rule in amavis.conf

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wmf|wsf|wsh|xl)$'i,
    );
    the modified rule should be

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    So wmf are checked after allowing docx or pptx.

    You can do that in 3 steps:

    1) from admin panel remove wmf from attachment ban

    2) edit /opt/zimbra/conf/amavis.conf.in and change the following lines

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list  VAR:zimbraMtaBlockedExtension |%%)$'i,
    );
    to

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
    xtension |%%)$'i, 
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    3) as zimbra execute zmamavisdctl reload to reload amavis

    Done.

    Now if a docx or a pptx has a wmf inside, it is allowed.

    Remember to check after upgrade if the rule has been overwritten.

    A special thanks to Samuele Tognini ( not a forum member ) for support and suggestions.

    Mario
    Last edited by mario; 09-28-2011 at 04:44 AM.

  8. #8

    Hello,
    tried to edit the file, but I got the following error when reloading amavis

    *************
    Starting amavisd...Scalar found where operator expected at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
    (Missing operator before $'i?)
    Error in config file "/opt/zimbra/conf/amavisd.conf": syntax error at /opt/zimbra/conf/amavisd.conf line 209, near ")$'i"
    *************

    Any idea what went wrong ?

    I also need to enable wmf extensions ONLY when inside docx/pptx files, not everywhere, and I found this topic very useful.

    If someone could help, it would be greatly appreciated,

    Regards

  9. #9

    Hello Pkar,

    the error is in the code, the right code is this:

    Code:
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
     [ qr'.\.(docx|pptx)$'=> 0 ],  # allow docx and pptx
     qr'.\.wmf$'i,  # ban wmf
    );
    That was a "cut and glue" mistake, the wrong line is the following
    Code:
    xtension |%%)$'i,
    Mario
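
Added example (not from the thread and not amavisd code): a simplified Perl model of the ordered rule list from the corrected post above, for checking which attachment names it bans or allows before reloading. The evaluation order (outer attachment name first, first matching rule decides), the `verdict` function and the sample file names are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: simplified model of an ordered banned-name list (not amavisd code).
use strict;
use warnings;

# Rules in the order of the corrected list from the thread.
# A bare regex bans; [ regex => 0 ] allows, as in the docx/pptx entry.
my @rules = (
  qr'.\.(asd|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|mov|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wav|wsf|wsh|xl)$'i,
  [ qr'.\.(docx|pptx)$' => 0 ],   # allow docx and pptx (note: no i flag)
  qr'.\.wmf$'i,                   # ban wmf
);

# Assumption of this model: names are checked from the outer attachment to the
# inner member, and for each name the first matching rule decides.
sub verdict {
  my @path = @_;
  for my $name (@path) {
    for my $rule (@rules) {
      my ($re, $ban) = ref($rule) eq 'ARRAY' ? @$rule : ($rule, 1);
      next unless $name =~ $re;
      return $ban ? "BANNED by name $name" : "allowed by rule on $name";
    }
  }
  return 'no rule matched';
}

# Constructed sample paths: attachment name, then a member name inside it.
my @samples = (
  [ 'renewal.docx', 'word/media/image1.wmf' ],  # the case from the thread
  [ 'slides.pptx',  'ppt/media/image2.wmf'  ],  # same for pptx
  [ 'picture.wmf' ],                            # wmf attached on its own
  [ 'RENEWAL.DOCX', 'word/media/image1.wmf' ],  # upper-case container name
  [ 'setup.exe' ],                              # still in the basic list
);

printf "%-42s %s\n", join(' > ', @$_), verdict(@$_) for @samples;
```

In this model the allow entry is keyed on the attachment's name and ends the check for everything inside it, not only .wmf members. Because the docx/pptx regex has no `i` flag, `RENEWAL.DOCX` is not covered by it and its .wmf member is still banned.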

  10. #10

    Hello, here is my problem:
    +++++++++++++++++
    BANNED CONTENTS ALERT

    Our content checker found
    banned name: admin/assets/dtree/dtree.js

    in email presumably from you <someone@gmail.com>
    to the following recipient:
    -> someone@domain.com

    Our internal reference code for your message is 50921-01/ZTuq_dKJroC8

    First upstream SMTP client IP address: [209.85.220.43] mail-pa0-f43.google.com
    According to a 'Received:' trace, the message apparently originated at:
    [209.85.220.43], mail-pa0-f43.google.com mail-pa0-f43.google.com
    [209.85.220.43]

    Return-Path: <someone@gmail.com> (OK)
    From: =?ISO-8859-1?Q?laluvirtual=AE?= <someone@gmail.com> (dkim:AUTHOR)
    Message-ID:
    <CAFSbqH6UK9_aam61raKCcwUDTe1Rw0jrcc3n4NEWqTgbyAdG zQ@mail.gmail.com>
    Subject: testing
    +++++++++++++++++++++++++++++++++


    I tried unchecking "Block encrypted archives" and also removing all extensions in "Currently blocked extensions by MTA", but it does not work.
    I'm using Zimbra Release 8.0.0.
    Any suggestions?
