Discussion:
False positives "text/plain,.exe"
Tilman Schmidt
2016-04-26 10:12:06 UTC
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".

Most frequent victims of this are mailing list messages from the Python
mailing list, but other quite innocuous individual mails are affected,
too.

This is becoming quite annoying for the users and creates unnecessary
work for the administrators to check and release all those messages.

Is this a known problem? How can it be fixed?

TIA
Tilman
Olivier Nicole
2016-04-26 10:28:05 UTC
Post by Tilman Schmidt
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".
Most frequent victims of this are mailing list messages from the Python
mailing list, but other quite innocuous individual mails are affected,
too.
This is becoming quite annoying for the users and creates unnecessary
work for the administrators to check and release all those messages.
Is this a known problem? How can it be fixed?
TIA
That would request an example I think

Olivier

Tilman Schmidt
2016-04-26 10:47:02 UTC
Post by Olivier Nicole
Post by Tilman Schmidt
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".
[...]
Post by Olivier Nicole
That would request an example I think
No prob, this here comes straight from my quarantine folder. The
message itself came from the mailing list, so I consider it public.
I just deleted the (internal) recipient address. Hope it goes through
sufficiently unmangled:

--------8<--------8<--------8<--------8<--------8<--------8<--------
Return-Path: <python-list-bounces+***@python.org>
Delivered-To: banned-quarantine
X-Envelope-To: <CENSORED>
X-Envelope-To-Blocked: <CENSORED>
X-Quarantine-ID: <IQjFj0FHSow2>
X-Amavis-Alert: BANNED, message contains text/plain,.exe
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=x tag=-999 tag2=3.51 kill=10.31 tests=[]
autolearn=unavailable
Authentication-Results: mail.cardtech.de (amavisd-new);
dkim=pass (1024-bit key) header.d=python.org
Received: from mail.cardtech.de ([127.0.0.1])
by localhost (mail.cardtech.de [127.0.0.1]) (amavisd-new, port
10024)
with LMTP id IQjFj0FHSow2 for <***@cardtech.de>;
Tue, 26 Apr 2016 10:33:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=python.org; s=200901;
t=1461659599; bh=FLS4ZcQOvYtjaedTcWLllSDAQg4hZKbrd+8t+nNgU5c=;
h=From:Subject:Date:References:To:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From;
b=ga6GeMSl+yFfZxNqtrWgsJngj5egRwzPIyBSsVUofrYpHN1H8FNd2KMhU6jqH3fAx
GAoQEv7Oz3vlA0SZxdztAWHKpxITWtAf8r9iOoSZF10qsGZFLeqxw9vzKjs7P3OSnp
PAt5PS2nOCeTaSLJfdiVmHqQOczMauwh09UVn5Ag=
Path:
uni-berlin.de!fu-berlin.de!news.swapon.de!eternal-september.org!feeder.eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail
From: Marko Rauhamaa <***@pacujo.net>
Newsgroups: comp.lang.python
Subject: Re: def __init__(self):
Date: Tue, 26 Apr 2016 11:25:39 +0300
Organization: A noiseless patient Spider
Lines: 47
References: <34e51ef5-9679-40ec-bc8f-***@googlegroups.com>
<***@digipen.edu> <***@benfinney.id.au>
<mailman.100.1461656092.32212.python-***@python.org>
Mime-Version: 1.0
Injection-Info: mx02.eternal-september.org;
posting-host="b7cb1518d23ec19d482dcc9c31d30fdd";
logging-data="1534"; mail-complaints-to="***@eternal-september.org";
posting-account="U2FsdGVkX1+kfQYunsbiY1FNyuLpe8Xv"
Cancel-Lock: sha1:8X8YsKlZngq/uWBwK9ngVvzkR8c=
sha1:oJHhJKD222m5MlqDi9kwFVitNLY=
Xref: uni-berlin.de comp.lang.python:758676
To: python-***@python.org
X-BeenThere: python-***@python.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: General discussion list for the Python programming language
<python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>,
<mailto:python-list-***@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-***@python.org>
List-Help: <mailto:python-list-***@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>,
<mailto:python-list-***@python.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: python-list-bounces+rzoelcher=***@python.org
Sender: "Python-list" <python-list-bounces+rzoelcher=***@python.org>
-------->8-------->8-------->8-------->8-------->8-------->8--------

aTdHvAaNnKcSe
Tilman
Tilman Schmidt
2016-04-26 10:57:31 UTC
That's cute: when I got my copy of that message back from the list
processor it was also flagged as containing a text/plain,.exe
attachment. So whatever it is that leads Amavis to this conclusion,
it survives being included verbatim in the body of another
text/plain mail.
Post by Tilman Schmidt
Post by Olivier Nicole
Post by Tilman Schmidt
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".
[...]
Post by Olivier Nicole
That would request an example I think
No prob, this here comes straight from my quarantine folder. The
message itself came from the mailing list, so I consider it public.
I just deleted the (internal) recipient address. Hope it goes through
[snipped to avoid another round of bans]
Olivier Nicole
2016-04-26 11:38:44 UTC
Post by Tilman Schmidt
That's cute: when I got my copy of that message back from the list
processor it was also flagged as containing a text/plain,.exe
attachment. So whatever it is that leads Amavis to this conclusion,
it survives being included verbatim in the body of another
text/plain mail.
I got it delivered OK. Did you change some configuration of Amavis
recently? An automatic update of the package?

Olivier
Post by Tilman Schmidt
Post by Tilman Schmidt
Post by Olivier Nicole
Post by Tilman Schmidt
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".
[...]
Post by Olivier Nicole
That would request an example I think
No prob, this here comes straight from my quarantine folder. The
message itself came from the mailing list, so I consider it public.
I just deleted the (internal) recipient address. Hope it goes through
[snipped to avoid another round of bans]
Tilman Schmidt
2016-04-26 11:46:46 UTC
Post by Olivier Nicole
Post by Tilman Schmidt
That's cute: when I got my copy of that message back from the list
processor it was also flagged as containing a text/plain,.exe
attachment. So whatever it is that leads Amavis to this conclusion,
it survives being included verbatim in the body of another
text/plain mail.
I got it delivered OK. Did you change some configuration of Amavis
recently? An automatic update of the package?
Olivier
We recently added quarantining Microsoft Office attachments, but the
misdetection of Python mailing list mails as executable predates that.
No recent updates.
Mark.Martinec+ (Mark Martinec)
2016-04-26 15:46:09 UTC
Post by Tilman Schmidt
On our mailserver, Amavis is quarantining a lot of mails claiming that
they contain a banned attachment of type "text/plain,.exe" even though,
when inspecting the quarantined mail, they turn out not to contain any
attachment at all, not even an image or signature, just "text/plain"
and possibly "text/html" within "multipart/alternative".
Most frequent victims of this are mailing list messages from the Python
mailing list, but other quite innocuous individual mails are affected,
too.
This is becoming quite annoying for the users and creates unnecessary
work for the administrators to check and release all those messages.
Is this a known problem? How can it be fixed?
The "text/plain,.exe" means the declared MIME part was text/plain,
but the file(1) utility decided that it is some kind of executable.

Your sample (decoded and given to a file(1) utility) here reports:

Python script, Non-ISO extended-ASCII text executable

and an entry in the @$map_full_type_to_short_type_re list
matches /\bexecutable\b/i, returning the '.exe':

[qr/\bexecutable\b/i => 'exe'],

Perhaps an entry like the following should be added to the
default @$map_full_type_to_short_type_re list:

[qr/Python script, .*text executable\b/ => 'txt'],

or the existing one relaxed:

< [qr/\bscript text executable\b/ => 'txt'],
> [qr/\bscript\b.*text executable\b/ => 'txt'],
Will do this for the 2.11 release, thanks for the report
and the sample.

Mark
Mark.Martinec+ (Mark Martinec)
2016-04-26 15:55:32 UTC
Post by Mark.Martinec+ (Mark Martinec)
Python script, Non-ISO extended-ASCII text executable
[qr/\bexecutable\b/i => 'exe'],
The other half of a solution is to send the incorrectly qualified
sample from the Python mailing list to the maintainer of the file(1)
utility, requesting that it should not be qualified as a Python program.

Mark
Tilman Schmidt
2016-04-26 16:02:05 UTC
Post by Mark.Martinec+ (Mark Martinec)
Post by Mark.Martinec+ (Mark Martinec)
Python script, Non-ISO extended-ASCII text executable
[qr/\bexecutable\b/i => 'exe'],
The other half of a solution is to send the incorrectly qualified
sample from the Python mailing list to the maintainer of the file(1)
utility, requesting that it should not be qualified as a Python program.
Will do.

Thanks,
Tilman
Tilman Schmidt
2016-04-26 16:59:40 UTC
Post by Mark.Martinec+ (Mark Martinec)
The "text/plain,.exe" means the declared MIME part was text/plain,
but the file(1) utility decided that it is some kind of executable.
Python script, Non-ISO extended-ASCII text executable
[qr/\bexecutable\b/i => 'exe'],
Perhaps an entry like the following should be added to the
[qr/Python script, .*text executable\b/ => 'txt'],
< [qr/\bscript text executable\b/ => 'txt'],
> [qr/\bscript\b.*text executable\b/ => 'txt'],
Will do this for the 2.11 release, thanks for the report
and the sample.
In the meantime I have added to my local config the lines:

unshift @map_full_type_to_short_type_maps, \new_RE(
[qr/\bscript\b.*text executable\b/i => 'txt'],
);

Seems to work fine so far.

Thanks again,
Tilman
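For readers following Mark's explanation of the "text/plain,.exe" verdict and Tilman's local workaround above, here is an added example (not code from the thread and not amavisd's own code) that models in Python how an ordered regex table turns a file(1) description into a short type, and how Mark's relaxed pattern and Tilman's unshift change the outcome. Only the two table entries quoted in the thread are reproduced (the real default list is much longer), their relative order and the way the alert label is composed are assumptions, and the file(1) strings are constructed, the first one being the description Mark quoted.

```python
import re

# Pattern tables in the shape of amavisd's @map_full_type_to_short_type_re:
# an ordered list of (regex, short type) where the first match wins.
# Only the two entries quoted in the thread are reproduced; their order
# relative to each other is an assumption of this example.
DEFAULT_MAP = [
    (re.compile(r"\bscript text executable\b"), "txt"),  # existing entry
    (re.compile(r"\bexecutable\b", re.I), "exe"),         # catch-all
]

# Mark's proposed relaxation of the first entry for the 2.11 release.
RELAXED_MAP = [
    (re.compile(r"\bscript\b.*text executable\b"), "txt"),
    (re.compile(r"\bexecutable\b", re.I), "exe"),
]


def with_local_override(table):
    """Model Tilman's workaround: an extra table unshifted in front of the
    default one, so its entry is consulted before any default entry."""
    override = [(re.compile(r"\bscript\b.*text executable\b", re.I), "txt")]
    return override + list(table)


LOCAL_MAP = with_local_override(DEFAULT_MAP)


def short_type(file_output, table):
    """Return the short type for a file(1) description, or None if no
    entry matches (first matching entry wins, as in amavisd)."""
    for pattern, short in table:
        if pattern.search(file_output):
            return short
    return None


def banned_label(declared_mime, file_output, table):
    """Compose a 'text/plain,.exe'-style label like the one seen in the
    X-Amavis-Alert header. Simplified assumption: declared MIME type,
    then ',.' plus the short type when one was found."""
    short = short_type(file_output, table)
    return declared_mime if short is None else f"{declared_mime},.{short}"


# Constructed file(1) descriptions. The first is the string Mark quoted
# for the decoded Python list mail; the others are typical shapes.
SAMPLES = {
    "python_mail": "Python script, Non-ISO extended-ASCII text executable",
    "pe_binary": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "plain_text": "UTF-8 Unicode text",
}

if __name__ == "__main__":
    for name, desc in SAMPLES.items():
        print(f"{name:12s} default={banned_label('text/plain', desc, DEFAULT_MAP):16s}"
              f" relaxed={banned_label('text/plain', desc, RELAXED_MAP):16s}"
              f" local={banned_label('text/plain', desc, LOCAL_MAP)}")
```

Two things worth checking on a real quarantined message: decode the text/plain part and run `file -b` on it, because that string is what the table is matched against, so a newer magic database can change the verdict with no Amavis change at all; and note that the relaxed pattern only rescues descriptions containing the word "script", so a description like the PE32 sample above still maps to 'exe'.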
