
Thread: E-Mail with JPEG attachment banned??

  1. #1
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default E-Mail with JPEG attachment banned??

    Hey Guys,

    Here's another one I'm a little stumped on. Someone from the outside is trying to e-mail one of our users a scanned document in the form of a JPEG. For reasons I cannot figure out, their e-mail is getting banned.

    Code:
    No viruses were found.
    
    Banned name: .image,.jpg,SCAN0004.JPG
    Content type: Banned
    Internal reference code for the message is 23441-17/E8T7wSivQ+b1
    
    First upstream SMTP client IP address: [66.196.114.23]
      omp310.mail.re3.yahoo.com
    According to a 'Received:' trace, the message apparently originated at:
      [70.108.11.93], [70.108.11.93]
    
    Return-Path: <sender@yahoo.com> (OK)
    From: stephen sender <sender@yahoo.com> (dkim:AUTHOR)
    Message-ID: <742551.17542.qm@web53403.mail.re2.yahoo.com>
    Subject: Form
    The message has been quarantined as: banned-E8T7wSivQ+b1
    
    The message WAS NOT relayed to:
    <recipient@ourserver.org>:
       554 5.7.0 Reject, id=23441-17 - BANNED: .image,.jpg,SCAN0004.JPG

    Headers included with the message sent to the Administrator:

    Code:
    Return-Path: <sender@yahoo.com>
    X-Greylist: delayed 401 seconds by postgrey-1.27 at mail; Tue, 23 Feb 2010 13:43:16 PST
    Received: from omp310.mail.re3.yahoo.com (omp310.mail.re3.yahoo.com [66.196.114.23])
    	by mail.ourserver.org (Postfix) with SMTP id BDF18CD0001
    	for <recipient@ourserver.org>; Tue, 23 Feb 2010 13:43:16 -0800 (PST)
    Received: (qmail 20774 invoked by uid 1000); 23 Feb 2010 21:36:34 -0000
    Received: (qmail 18552 invoked by uid 60001); 23 Feb 2010 21:36:31 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1266960985; bh=V/RQfw2aLJ1/Yg2h5d7AYKsSNRFFhseVD6JER5s1wVE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=31pHFA12rFgSKDPALst+OK6eoAHrGme/5yA/4X8iQgoSh96VAgBzgGtOeI/IKcal47M+smwHN2VQ+u8PsmAgeRqKUgOPAr8JmTZHsjF0f2Xc4hl8mMfxChRTu4qvpEHI4oyBvulpG6Volt4Eg0qUU/3Bfh3NImyUg//GUcoOLSg=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
      s=s1024; d=yahoo.com;
      h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
      b=RD3odG6PZGz+849GG70AoY5olMvSaJoZAQPiAeyNjLArqUqMCWWphwwhRPnr2jhnFhECrpOJQu7zJMAtXJI/sOtHvYvoebuGs+8WB0tQYcsygEmyagX0OcuTyohruLA3EaskI0H1VAg6gxdLUD+ZBYrDKIRHNGlgc3DGM7hTKhs=;
    Message-ID: <742551.17542.qm@web53403.mail.re2.yahoo.com>
    X-YMail-OSG: Y.XO6WYVM1kJWgUYmFYSTf4HVIonVJ0A1Asj3uMq2YNPF38gxRfKhMUQl64.2Cq_MauD0BiEpW0aTD_RR.rE0VlBYx4b4fLV5buPIUuhTfIDkmbilsZ9_jyA3wm0xQTwyCJsXN4xpebcHCBa0xxfz38UOr2KjSxHw_itwOChvvh3f5VxkE2TWF.G2NZvuSF3mmZEZoMp2W6geDe5ugIiKjRII0055VCx8DOOywGGvVdwHRjJI9ggzGZjjEwWbi5kcf9KwGFJunaV9DEyuCEhaRhlVYehfwCioJXi7Zo-
    Received: from [70.108.11.93] by web53403.mail.re2.yahoo.com via HTTP; Tue, 23 Feb 2010 13:36:25 PST
    X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964
    Date: Tue, 23 Feb 2010 13:36:25 -0800 (PST)
    From: stephen Sender <sender@yahoo.com>
    Subject: Form
    To: recipient@ourserver.org
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-1087031266-1266960985=:17542"

    I'm not blocking images or the .JPG extension as far as attachments go.

    We are running Zimbra 6.0.5_GA_2213.DEBIAN4.0.FOSS

    Any help would be appreciated. Thanks!!

  2. #2
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default

    Here's another example, but this time it's with a .doc file:

    Code:
    No viruses were found.
    
    Banned name: .doc,AB1721FactSheet2_12_10.doc
    Content type: Banned
    Internal reference code for the message is 01335-03/5Rtgpy3GD0yd
    
    First upstream SMTP client IP address: [205.188.169.203] imr-da06.mx.aol.com
    According to a 'Received:' trace, the message apparently originated at:
      [205.188.169.202], magic-m15.mail.aol.com magic-m15.mail.aol.com
      [172.21.145.217]
    
    Return-Path: <sender@aol.com>
    From: sender@aol.com
    Message-ID: <1ea00.3aba92e1.38b49a37@aol.com>
    Subject: info re: AB1821
    The message has been quarantined as: banned-5Rtgpy3GD0yd
    
    The message WAS NOT relayed to:
    <recipient@ourserver.org>:
       554 5.7.0 Reject, id=01335-03 - BANNED: .doc,AB1721FactSheet2_12_10.doc

    Accompanying headers:

    Code:
    Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com [205.188.169.203])
    	by mail.ourserver.org (Postfix) with ESMTP id D5294CD0003
    	for <recipient@ourserver.org>; Mon, 22 Feb 2010 18:41:29 -0800 (PST)
    Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202])
    	by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id o1N2f0Au018958;
    	Mon, 22 Feb 2010 21:41:00 -0500
    Received: from sender@aol.com
    	by imo-da04.mx.aol.com  (mail_out_v42.9.) id 6.d62.54764687 (45275);
    	Mon, 22 Feb 2010 21:40:59 -0500 (EST)
    Received: from magic-m15.mail.aol.com (magic-m15.mail.aol.com [172.21.145.217]) by cia-mc03.mx.aol.com (v127.7) with ESMTP id MAILCIAMC035-b0db4b8340372d1; Mon, 22 Feb 2010 21:40:55 -0500
    From: sender@aol.com
    Message-ID: <1ea00.3aba92e1.38b49a37@aol.com>
    Date: Mon, 22 Feb 2010 21:40:55 EST
    Subject: info re: AB1821
    To: A ton of people plus recipient@ourserver.org
    CC: two others
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="part1_1ea00.3aba92e1.38b49a37_boundary"
    X-Mailer: AOL 9.0 VR sub 5004
    X-AOL-ORIG-IP: 98.238.189.139
    X-AOL-IP: 172.21.145.217
    X-AOL-VSS-CODE: clean
    X-AOL-VSS-INFO: 5400.1158/0
    X-Spam-Flag:NO
    X-AOL-SENDER: CSNOExec@aol.com

    We most definitely don't block attachments with the .doc extension. If no viruses were found, why would it be blocked?

    I e-mailed my account via my personal GMail address and attached a JPEG picture. It was received without any problems. Did the same with a Word document...no problems.
    Last edited by thunder04; 02-23-2010 at 03:30 PM.

  3. #3
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    What does the following show?

    Code:
    su - zimbra
    zmprov gcf zimbraMtaBlockedExtension

  4. #4
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default

    Code:
    root@cottontail:~# su - zimbra
    zimbra@cottontail:~$ zmprov gcf zimbraMtaBlockedExtension
    zimbraMtaBlockedExtension: zip
    zimbraMtaBlockedExtension: bat
    zimbraMtaBlockedExtension: com
    zimbraMtaBlockedExtension: exe
    zimbraMtaBlockedExtension: dll
    zimbraMtaBlockedExtension: pif
    zimbraMtaBlockedExtension: scr
    zimbraMtaBlockedExtension: vbs
    zimbraMtaBlockedExtension: chm
    zimbraMtaBlockedExtension: hta
    zimbraMtaBlockedExtension: shs
    zimbra@cottontail:~$

    Exactly what the admin GUI reflects, hence my confusion! lol

  5. #5
    Join Date
    Jun 2008
    Posts
    594
    Rep Power
    8

    Default

    Well, as the error says:

    Banned name: .image,.jpg,SCAN0004.JPG

    Not sure how you managed to create an attachment with this name

    (of course, assuming you are working with a Windows desktop)

  6. #6
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Default

    Not too sure that is the case, Veronica; I believe we would need to see the MIME headers as well.

  7. #7
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default

    How I managed to create an attachment with this name?? I wasn't the sender in either case. The first example was a parent trying to e-mail a school secretary a form. The second example is to our district nurse...I don't know who it's from.

    In both examples above, the e-mails came from people outside of our mail system.

    Has the quarantine location changed with Zimbra 6.0.x? I can't seem to find the "banned" e-mail. Can someone point me to the new location (or am I just an idiot?)? I'll post MIME headers of both examples.

  8. #8
    Join Date
    Jun 2008
    Posts
    594
    Rep Power
    8

    Default

    I agree with you ubox, but if you see in all the mail headers there are unique attachment names:-

    Banned name: .image,.jpg,SCAN0004.JPG
    Banned name: .doc,AB1721FactSheet2_12_10.doc

    These somehow don't seem normal to me. Can we try changing the name to something reasonable? What do you say?

  9. #9
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    I would take a look in /opt/zimbra/conf/amavisd.conf to see what amavis is doing directly. Look for the following (your extensions may vary!):

    Code:
    # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
    
    $banned_filename_re = new_RE(
      # banned extension - basic
      qr'.\.(asd|bat|chm|cmd|com|dll|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|rm|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wmf|wsf|wsh)$'i, 
    );
    # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
    # and http://www.cknow.com/vtutor/vtextensions.htm

    If they are different, then I'd check that /opt/zimbra/conf/amavisd.conf.in contains the following block:

    Code:
    # for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
    
    $banned_filename_re = new_RE(
      # banned extension - basic
      %%uncomment VAR:zimbraMtaBlockedExtension%%qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i, 
    );
    # See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
    # and http://www.cknow.com/vtutor/vtextensions.htm

    Assuming all is in order, then I'd try restarting amavis as the zimbra user:

    Code:
    zmamavisdctl stop; zmamavisdctl status; zmamavisdctl start; zmamavisdctl status

    While doing the above, watch in a separate window via top that all the old amavis processes are indeed killed by the Zimbra scripts.

    Don't worry about losing any email! Postfix doesn't actually delete any email until after amavis has finished processing it.

    Hope that helps,
    Mark
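
A quick way to check whether the configured extension list can account for the two rejections, as an added example that is not part of the original post or of Zimbra's own tooling: it expands the amavisd.conf.in template from post #9 with the zmprov output from post #4 and tests each comma-separated part of the reported banned names. The function names and the third sample name (setup.EXE) are constructed for illustration.

```sh
# Added example (not from the thread): expand the amavisd.conf.in template
#   qr'.\.(%%list VAR:zimbraMtaBlockedExtension |%%)$'i
# with the zmprov output from post #4, then test the reported banned names.

# Constructed input: the attribute values exactly as posted in #4.
ZMPROV_OUTPUT='zimbraMtaBlockedExtension: zip
zimbraMtaBlockedExtension: bat
zimbraMtaBlockedExtension: com
zimbraMtaBlockedExtension: exe
zimbraMtaBlockedExtension: dll
zimbraMtaBlockedExtension: pif
zimbraMtaBlockedExtension: scr
zimbraMtaBlockedExtension: vbs
zimbraMtaBlockedExtension: chm
zimbraMtaBlockedExtension: hta
zimbraMtaBlockedExtension: shs'

# Join the values with "|", as in the expanded amavisd.conf shown in #9.
build_banned_re() {
  _exts=$(printf '%s\n' "$1" |
    sed -n 's/^zimbraMtaBlockedExtension:[[:space:]]*//p' | paste -sd'|' -)
  printf '.\\.(%s)$' "$_exts"
}

# Print the first comma-separated part of a "Banned name:" value that the
# regex matches (case-insensitive, like the trailing 'i'); return 1 if none.
matching_component() {
  _re=$1; _rest=$2
  while [ -n "$_rest" ]; do
    _part=${_rest%%,*}
    case $_rest in *,*) _rest=${_rest#*,} ;; *) _rest= ;; esac
    if printf '%s\n' "$_part" | grep -Eiq -- "$_re"; then
      printf '%s\n' "$_part"; return 0
    fi
  done
  return 1
}

re=$(build_banned_re "$ZMPROV_OUTPUT")
printf 'regex from configured list: %s\n' "$re"
# First two names are from the ban reports above; setup.EXE is constructed.
for report in '.image,.jpg,SCAN0004.JPG' '.doc,AB1721FactSheet2_12_10.doc' \
              '.exe,setup.EXE'; do
  if hit=$(matching_component "$re" "$report"); then
    printf '%-34s matched by: %s\n' "$report" "$hit"
  else
    printf '%-34s not matched by the configured list\n' "$report"
  fi
done
```

Neither reported name matches the regex built from the configured list, so the rule that fired is not explained by the zmprov output alone; comparing against the live /opt/zimbra/conf/amavisd.conf is the next check.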

  10. #10
    Join Date
    Dec 2007
    Location
    Stockton, CA
    Posts
    164
    Rep Power
    7

    Default

    Quote: Originally posted by veronica
        I agree with you ubox, but if you see in all the mail headers there are unique attachment names:-

        Banned name: .image,.jpg,SCAN0004.JPG
        Banned name: .doc,AB1721FactSheet2_12_10.doc

        These somehow don't seem normal to me. Can we try changing the name to something reasonable? What do you say?

    The only problem is that I don't know how to re-create this anomaly. As I stated before, these are from external people I'm not associated with.

    As far as the email with "SCAN0004.JPG", I told the secretary to e-mail the sender and ask them to change the file name. She just let me know that she was able to receive the scanned document without any trouble after that.

    As for the e-mail with "AB1721FactSheet2_12_10.doc", I'm not sure. I created a Word document and named it exactly that. I sent it to my Zimbra account via my Gmail account and it came through fine.
