Discussion:
Can't Block .js files inside of .zip Email Attachments
Kirchner, Patrick
2016-05-06 15:24:10 UTC
Hello,

I'm having trouble getting Amavisd-New to scan for and discard .js files inside of zipped email attachments. Everything is working for blocking .exe files in .zip files but not .js files in .zip email attachments.

I've added this in the "### BLOCKED ANYWHERE" section of /etc/amavisd.conf, but zipped .js file attachments are still making their way through:
qr'^\.(exe|js|lha|cab|dll)$',

I also tried adding both of these to the "### BLOCKED ANYWHERE" section and restarting the service but they didn't help:
qr'^application/x-javascript$'i,
qr'^text/javascript$'i,

An infected .js file in a .zip file that made its way through the email server was luckily blocked by antivirus on my wife's Mac, so I'd really like to be able to block such files. I can provide a sample of one of the .js files if it would be helpful.

Thanks,
Patrick.
Maurizio Marini
2016-05-10 18:04:11 UTC
Hello Patrick
I had the same issue: you have to raise the log level, then you can check whether the zip
file is unzipped; .js files are blocked, but zipped files should be opened.
I solved it by installing p7zip.
This is not enough; you should configure amavis to use it when you receive zip
attachments.
I used this

unshift(@decoders,
  # prepended with unshift, so this entry sits ahead of the stock zip entry in @decoders
  ['zip', \&Amavis::Unpackers::do_7zip, ['7z','7za'] ],
);

I am not an expert at all, I am very lame and I can't say this is the
proper solution; what I noted was that after this configuration zipped
attachments were correctly opened.

-m
Kirchner, Patrick
2016-05-10 18:16:24 UTC
Thanks for the reply, Maurizio,

While watching my log files in real time just this morning (with multitail), I saw it actually catch a zipped .js file and quarantine it. I guess my setup is actually working after all. I'm just not sure why it wasn't catching the zipped .js files I was using when trying to test it.

Here's what the successful catch and quarantine looked like in my log files:

May 10 10:58:34 MyDomain postfix/smtpd[13926]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 10 10:58:34 MyDomain amavis[22701]: (22701-05) Blocked BANNED (.txt,00000306822303.js) {DiscardedInbound,Quarantined}, [1.39.38.104]:25610 [1.39.38.104] <***@kalyanimotors.com> ->
<***@MyDomain.com>, quarantine: banned-wxHJRbncZSpE, Queue-ID: 1327823BA4F6, Message-ID: <CAPXewJUV4+S3goOpP7HyrTPM7k6s0DAjWSCCdu=***@mail.gmail.com>, mail_id: wxHJRbncZSpE, Hits: -, size: 8712, 1418 ms
May 10 10:58:34 MyDomain postfix/lmtp[13919]: 1327823BA4F6: to=<***@MyDomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=1.6/0.01/0.13/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22701-05 - BANNED: .txt,00000306822303.js)
May 10 10:58:34 MyDomain postfix/qmgr[3980]: 1327823BA4F6: removed

Thanks,
Patrick.

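The log lines above, parsed the way you would before alerting on them or pulling the quarantined file for analysis. This is an added example, not code from the thread, from amavis or from Postfix: the sample input is the five lines quoted above (with the post's own ***@ redactions; the amavis line was wrapped in the mail, so the continuation line is rejoined first), and the field names, the list of script extensions and the exact regexes are this example's own assumptions written against that one log format.

```python
import re

# Sample input: the log lines quoted in the post, as constructed test data.
# The amavis line is wrapped onto a second line, exactly as it appeared in the mail.
SAMPLE_LOG = """\
May 10 10:58:34 MyDomain postfix/smtpd[13926]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 10 10:58:34 MyDomain amavis[22701]: (22701-05) Blocked BANNED (.txt,00000306822303.js) {DiscardedInbound,Quarantined}, [1.39.38.104]:25610 [1.39.38.104] <***@kalyanimotors.com> ->
<***@MyDomain.com>, quarantine: banned-wxHJRbncZSpE, Queue-ID: 1327823BA4F6, Message-ID: <CAPXewJUV4+S3goOpP7HyrTPM7k6s0DAjWSCCdu=***@mail.gmail.com>, mail_id: wxHJRbncZSpE, Hits: -, size: 8712, 1418 ms
May 10 10:58:34 MyDomain postfix/lmtp[13919]: 1327823BA4F6: to=<***@MyDomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=1.6/0.01/0.13/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=22701-05 - BANNED: .txt,00000306822303.js)
May 10 10:58:34 MyDomain postfix/qmgr[3980]: 1327823BA4F6: removed
"""

# A real syslog record starts with "Mon DD HH:MM:SS"; anything else is a wrapped continuation.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# amavis verdict line (assumption: written against the format shown above only).
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<action>Blocked|Passed) (?P<ccat>[A-Z0-9-]+)"
    r"(?: \((?P<parts>[^)]*)\))? \{(?P<disposition>[^}]*)\},? "
    r"\[(?P<client_ip>[^\]]+)\](?::\d+)?(?: \[[^\]]+\])? <(?P<sender>[^>]*)>\s*->\s*<(?P<recipient>[^>]*)>,"
    r"(?: quarantine: (?P<quarantine>[^,]+),)? Queue-ID: (?P<queue_id>\S+), "
    r"Message-ID: <(?P<message_id>[^>]*)>, mail_id: (?P<mail_id>[^,]+), Hits: (?P<hits>[^,]+), size: (?P<size>\d+)"
)

# Postfix LMTP delivery line for the same queue id (same caveat).
LMTP_RE = re.compile(
    r"postfix/lmtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<(?P<recipient>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)

# Extensions worth a closer look when they show up in a BANNED part list (assumption).
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")


def unwrap(text):
    """Rejoin wrapped lines: a line without a syslog timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse(text):
    """Turn the log into a list of dicts; only amavis verdicts and LMTP deliveries are kept."""
    events = []
    for rec in unwrap(text):
        m = AMAVIS_RE.search(rec)
        if m:
            ev = m.groupdict()
            ev["kind"] = "amavis"
            ev["parts"] = ev["parts"].split(",") if ev["parts"] else []
            events.append(ev)
            continue
        m = LMTP_RE.search(rec)
        if m:
            ev = m.groupdict()
            ev["kind"] = "lmtp"
            events.append(ev)
    return events


def banned_script_events(events):
    """BANNED verdicts whose part list names a scripting-type file (the case in this thread)."""
    return [
        e for e in events
        if e["kind"] == "amavis" and e["ccat"] == "BANNED"
        and any(p.lower().endswith(SCRIPT_EXT) for p in e["parts"])
    ]


def delivery_outcome(events, queue_id):
    """Pair a verdict with Postfix's LMTP line for the same queue id, as (status, reply)."""
    for e in events:
        if e["kind"] == "lmtp" and e["queue_id"] == queue_id:
            return e["status"], e["reply"]
    return None


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in banned_script_events(evs):
        print(hit["mail_id"], hit["parts"], hit["quarantine"], delivery_outcome(evs, hit["queue_id"]))
```

One thing the pairing makes visible, straight from the lines above: when amavis discards a message it answers "250 2.7.0 Ok, discarded", so Postfix logs status=sent even though nothing was delivered. Key any "was it delivered?" logic on the amavis verdict or the LMTP reply text, not on Postfix's status field.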
Mickaël Maillot
2016-05-13 10:17:24 UTC
I just want to warn you, because 7zip cannot decode corrupted zip files and will
not even list the files in them.
That's why I switched back to unzip to decode zip files.
Kirchner, Patrick
2016-05-13 13:17:13 UTC
Thanks Mickaël. If a .zip file is corrupt though, would it also be un-zip-able? And would therefore not pose a threat?

Could you share the unzip/Unpackers line with us that you use in your amavisd.conf file please?

Thanks,
Patrick.


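To make concrete what the thread has been circling (the banned_filename patterns from the first post, opening nested zips from the second reply, and the unlistable-archive case from the last one), here is a stand-alone emulation. It is an added example, not amavis code and not anyone's configuration from the thread. It builds its own zip samples in memory, walks nested zips up to a fixed depth, and applies the two pattern styles found in the stock amavisd.conf: an anchored '^\.(...)$' pattern, which can only match a bare short type token such as '.exe' or '.txt', and a '.\.(...)$' pattern, which matches a filename's trailing extension. An archive that cannot be listed gets its own verdict rather than being passed as clean. The extension list with js added, the depth limit, and the sample contents are assumptions of this example.

```python
import io
import re
import zipfile

# Two rule styles from the stock amavisd.conf, translated from Perl qr'' to Python.
# TYPE_RULES: the pattern tried in the first post. Anchored at both ends, it matches
# only a bare type token like ".js", never a filename like "foo.js".
# NAME_RULES: the stock extension-rule shape, with js added here (assumption).
TYPE_RULES = [re.compile(r"^\.(exe|js|lha|cab|dll)$")]
NAME_RULES = [re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|js)$", re.I)]

MAX_DEPTH = 3  # how many archive levels to open before giving up (assumption)


def banned_by(name, type_token=None):
    """Return the pattern that bans this part, or None. `type_token` stands in for
    the short file(1) type amavis logs next to the name, e.g. ".txt"."""
    for rule in NAME_RULES:
        if rule.search(name):
            return rule.pattern
    if type_token is not None:
        for rule in TYPE_RULES:
            if rule.search(type_token):
                return rule.pattern
    return None


def walk_zip(data, prefix="", depth=0):
    """Yield (path, status) per member; status is 'ok', 'banned', 'unreadable' or 'nested-limit'.
    A zip that cannot be listed is reported, not skipped: that is the case the last reply warns about."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield (prefix or "<attachment>", "unreadable")
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.filename.lower().endswith(".zip"):
                if depth >= MAX_DEPTH:
                    yield (path, "nested-limit")
                    continue
                try:
                    inner = zf.read(info.filename)  # raises BadZipFile on a CRC mismatch
                except zipfile.BadZipFile:
                    yield (path, "unreadable")
                    continue
                yield from walk_zip(inner, path + "/", depth + 1)
                continue
            yield (path, "banned" if banned_by(info.filename) else "ok")


def verdict(data):
    """Collapse member statuses into one decision for the whole attachment."""
    results = list(walk_zip(data))
    banned = [p for p, s in results if s == "banned"]
    if banned:
        return "BANNED: " + ",".join(banned)
    if any(s in ("unreadable", "nested-limit") for _, s in results):
        return "UNREADABLE"  # policy decides whether this is passed or held
    return "OK"


def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless stand-in for the .js from the post, the same zip
# nested inside another, and a copy with its central directory cut off.
JS_ZIP = make_zip({"00000306822303.js": b"// placeholder script body\n"})
NESTED_ZIP = make_zip({"invoice.zip": JS_ZIP, "readme.txt": b"see attached\n"})
TRUNCATED_ZIP = JS_ZIP[:-40]

if __name__ == "__main__":
    for label, blob in (("flat", JS_ZIP), ("nested", NESTED_ZIP), ("truncated", TRUNCATED_ZIP)):
        print(label, verdict(blob))
```

Note what banned_by shows about the first post's pattern: '^\.(exe|js|lha|cab|dll)$' fires on a token ".js" but not on the name "00000306822303.js"; an extension rule of the '.\.(...)$' shape is what matches the filename. Whether an archive that cannot be listed should be passed or held is a policy choice; this example only refuses to call it clean.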