Meaning of ".asc" in BANNED messages
@lbutlr
2016-03-08 15:58:31 UTC
No viruses were found.
Banned name: .asc,letter.212885777.js
Content type: Banned
The banned name always matches .asc,<something>.js (usually letter or invoice and a number).

What is “.asc”, since that is not a banned attachment?

$banned_filename_re = new_RE(

### BLOCKED ANYWHERE
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives

### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives

### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives

qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
qr'^\.ani$', # banned animated cursor file(1) type
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
);
--
'Dojo! What is Rule One?' Even the cowering challenger mumbled along to
the chorus: 'Do not act incautiously when confronting little bald
wrinkly smiling men!'
Tom Hendrikx
2016-03-08 17:31:23 UTC
Hi,

A PGP signature, this message has one.


Regards,
Tom
Post by @lbutlr
No viruses were found.
Banned name: .asc,letter.212885777.js
Content type: Banned
The banned name always matches .asc,<something>.js (usually letter or invoice and a number).
What is “.asc”, since that is not a banned attachment?
$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
[ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
qr'^\.ani$', # banned animated cursor file(1) type
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
);
@lbutlr
2016-03-08 18:15:28 UTC
Post by Tom Hendrikx
Post by @lbutlr
What is “.asc”, since that is not a banned attachment?
A pgp signature, this message has one
There is no way that every one of these javascript-containing messages has a pgp signature.
--
Get in there you big furry oaf! I don't care what you smell!
Tom Hendrikx
2016-03-08 18:21:55 UTC
Post by @lbutlr
Post by Tom Hendrikx
Post by @lbutlr
What is “.asc”, since that is not a banned attachment?
A pgp signature, this message has one
There is no way that every one of these javascript-containing
messages has a pgp signature.
It's probably an evil javascript simply trying to mask as a pgp sig.

Regards,
Tom
@lbutlr
2016-03-08 23:36:11 UTC
Post by Tom Hendrikx
Post by @lbutlr
Post by Tom Hendrikx
Post by @lbutlr
What is “.asc”, since that is not a banned attachment?
A pgp signature, this message has one
There is no way that every one of these javascript-containing
messages has a pgp signature.
It's probably an evil javascript simply trying to mask as a pgp sig.
No. *EVERY* message that hits BANNED has the same pattern,

.asc,<something>.js

100%. No exceptions.

Considering I can count on one hand with not all the fingers the number of spam messages I’ve ever seen with faked PGP sig, this is something else.
--
CURSIVE WRITING DOES NOT MEAN WHAT I THINK IT DOES Bart chalkboard Ep.
2F11
Thomas Jarosch
2016-03-10 14:29:43 UTC
Post by @lbutlr
Post by Tom Hendrikx
Post by @lbutlr
There is no way that every one of these javascript-containing
messages has a pgp signature.
It's probably an evil javascript simply trying to mask as a pgp sig.
No. *EVERY* message that hits BANNED has the same pattern,
.asc,<something>.js
100%. No exceptions.
Considering I can count on one hand with not all the fingers the number of
spam messages I’ve ever seen with faked PGP sig, this is something else.
We had the same problem: Some local users are allowed to send/receive
PGP encrypted emails. Therefore we had .asc whitelisted for them
which overrides our banned attachment rules (including .js).

The problem with that javascript-virus.js file is that the file(1) utility
detects it as ASCII text which amavisd-new internally translates to .asc.
(see $map_full_type_to_short_type_re in amavisd)

-> So while .js is blocked, the .asc part overrides it.

Increase the $log_level of amavisd-new and then you can see it in the
verbose log messages. I was surprised to find a .js file in my INBOX this
morning, too :)

HTH,
Thomas
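The mechanism Thomas describes, as an added example that is not part of this thread and not amavisd-new's own code: a small Python model of how a $banned_filename_re list is applied to one MIME part. The model assumes that amavisd derives several "names" for a part (the short type from file(1) output via $map_full_type_to_short_type_re, the declared file name, the MIME type), tries the rules in order against all of them, and lets the first match decide (0 allows, 1 blocks). The file(1)-to-short-type map, the sample parts and the two rule sets are constructed for the example. It shows why a loose allow rule for .asc also allows a .js attachment that file(1) calls "ASCII text", and how the ".\." idiom already used by the banned-extension rules keeps the allow rule from matching the bare short type.

```python
import re

# Constructed subset of a file(1)-output -> short-type map. The entry that
# matters here is "ASCII text" -> ".asc", which is what turns a plain-text
# .js attachment into the ".asc" seen in the BANNED notice.
MAP_FULL_TYPE_TO_SHORT_TYPE = [
    (re.compile(r"^ASCII text", re.I), ".asc"),
    (re.compile(r"^(MS-DOS|PE32) executable", re.I), ".exe-ms"),
    (re.compile(r"^gzip compressed", re.I), ".gz"),
]


def short_type(file_output):
    """Translate file(1) output into a bare '.xxx' short-type name, or None."""
    for rx, short in MAP_FULL_TYPE_TO_SHORT_TYPE:
        if rx.search(file_output):
            return short
    return None


def part_names(file_output, filename, mime_type):
    """All names the model tests for one part. The first two, joined by a
    comma, are what the BANNED notice prints (".asc,letter.212885777.js")."""
    names = []
    st = short_type(file_output)
    if st:
        names.append(st)
    names.extend([filename, mime_type])
    return names


def rule(pattern, value=1):
    """One rule entry: a bare qr'' blocks (1), [ qr'' => 0 ] allows (0)."""
    return (re.compile(pattern, re.I), value)


def lookup(names, rules):
    """First rule matching any name wins (assumed ordering semantics).
    Returns (value, matched_name, pattern) or None when nothing matched."""
    for rx, value in rules:
        for name in names:
            if rx.search(name):
                return value, name, rx.pattern
    return None


def verdict(names, rules):
    """Reduce a lookup to 'allow' / 'block' / 'pass' plus what matched, the
    detail a higher $log_level would show."""
    hit = lookup(names, rules)
    if hit is None:
        return "pass", None, None
    value, name, pattern = hit
    return ("allow" if value == 0 else "block"), name, pattern


BANNED_EXT = r".\.(js|jse|vbs|vbe|wsf|wsh|exe|scr|pif|cmd|bat|com|cpl|dll|hta)$"

# Loose per-user whitelist: '\.asc$' matches the bare short type ".asc" as
# well as "something.asc", so file(1) saying "ASCII text" is enough to allow
# the part before the .js ban is ever consulted.
RULES_LOOSE = [
    rule(r"\.asc$", 0),
    rule(r"^\.(exe-ms|dll)$"),
    rule(BANNED_EXT),
]

# Tightened: '.\.asc$' needs a character before ".asc" (the same ".\." idiom
# the banned-extension rules use), so it matches a declared file name such as
# signature.asc but never the file(1)-derived ".asc". An explicit MIME-type
# allow covers detached signatures with an unusual file name.
RULES_TIGHT = [
    rule(r".\.asc$", 0),
    rule(r"^application/pgp-signature$", 0),
    rule(r"^\.(exe-ms|dll)$"),
    rule(BANNED_EXT),
]

# Constructed sample parts: the malicious script and a genuine signature.
JS_PART = part_names("ASCII text, with very long lines",
                     "letter.212885777.js", "application/octet-stream")
SIG_PART = part_names("PGP signature",
                      "signature.asc", "application/pgp-signature")

if __name__ == "__main__":
    for label, names in (("js", JS_PART), ("sig", SIG_PART)):
        for cfg, rules in (("loose", RULES_LOOSE), ("tight", RULES_TIGHT)):
            print(label, ",".join(names), cfg, verdict(names, rules))
```

With the loose rule set the .js part is allowed because the name that matched is ".asc", not the file name; with the tightened set the same part is blocked on "letter.212885777.js" while the real signature is still allowed. Because the model decides on the first match, rule order matters as much as the patterns themselves: keep any allow rule narrow enough that it can only match the attribute you actually mean (declared name or MIME type), and check the verbose log to see which name matched.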
