
Custom ACL False Positives

Discussion in 'Security' started by jayharland, Mar 21, 2017.

  1. jayharland

    jayharland Active Member

    Recently I've implemented a solution to prevent executables within archived files. This also is looking for executable attachments.

    It was not something I wrote personally, but was able to get working on my server.

    The issue I'm having now though is some users are reporting false positives when sending from Outlook. The message they are getting indicates it's with the first portion of the ACL looking for forbidden attachments:

    WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
    BINFORBIDDEN = Windows-executable attachments forbidden

    deny message = BINFORBIDDEN
         log_message = forbidden attachment: filename=$mime_filename, \
                       content-type=$mime_content_type, recipients=$recipients
         condition = ${if or{\

    I'm unable to find the cause of this, though I've found that removing the way Outlook has cached the email and re-entering it fixes the problem.

    For example, Outlook might have the email saved as "'Person Name' <>;" which would cause a fail, and yet emailing ";" would not.

    That being said, I'd like to know what is causing this. At first I suspected it had to do with characters in the email address, especially the presence of single quotes, but alas, the second user to report this issue doesn't have any quotation marks in the address.

    I could not reproduce these false positives unless I copied and pasted the address from their computer to my own (via remote session). If I tried to hand type the email address, matching each character, it would be delivered just fine.

    Crazy, right? Any idea why it's seeing some email addresses as harmful attachments?
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member


    You may want to manually remove specific extensions from the filter rule and keep reproducing the issue in order to narrow down which specific part of the custom rule is the culprit, or to determine which file extension Outlook is triggering.

    Thank you.
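
One way to do the narrowing-down suggested above without editing the rule repeatedly, as an added example that is not part of either post: read the `forbidden attachment:` entries the ACL already logs and tally which WINBIN extension each rejected filename ends in. The log lines are constructed samples, and the suffix regex is an assumption, because the rule's `condition` is cut off in the post.

```python
import re
from collections import Counter

# Extension list copied from the WINBIN macro in the post.
WINBIN = ("exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|"
          "lnk|msi|prf|sys|vb|vbe|vbs")

# Mirrors the log_message template from the ACL in the post.
LOG_RE = re.compile(
    r"forbidden attachment: filename=(?P<filename>.*?), "
    r"content-type=(?P<ctype>[^,]*), recipients=(?P<rcpts>.*)$")

# Assumption: the truncated condition tests the final ".ext" of
# $mime_filename case-insensitively against WINBIN.
EXT_RE = re.compile(r"\.(" + WINBIN + r")$", re.IGNORECASE)

def triggering_extension(filename):
    """Return the WINBIN extension a filename ends in, or None."""
    m = EXT_RE.search(filename.strip().strip('"'))
    return m.group(1).lower() if m else None

def summarize(log_lines):
    """Tally rejections per extension and keep per-message details."""
    hits, details = Counter(), []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not one of this ACL's log entries
        ext = triggering_extension(m["filename"])
        hits[ext or "(no listed extension)"] += 1
        details.append((m["filename"], m["ctype"], ext))
    return hits, details

# Constructed sample lines; the text before "forbidden attachment:" is a
# placeholder, not real Exim log output. winmail.dat is the name Outlook
# gives the TNEF attachment it adds to rich-text messages.
SAMPLE_LOG = [
    "2017-03-21 10:02:11 <placeholder> forbidden attachment: "
    "filename=invoice.exe, content-type=application/octet-stream, "
    "recipients=user@example.test",
    "2017-03-21 10:05:40 <placeholder> forbidden attachment: "
    "filename=winmail.dat, content-type=application/ms-tnef, "
    "recipients=user@example.test",
    "2017-03-21 10:06:02 <placeholder> unrelated log entry",
]

if __name__ == "__main__":
    counts, rows = summarize(SAMPLE_LOG)
    for name, ctype, ext in rows:
        print(f"{ext or '-':4} {ctype:28} {name}")
    print(dict(counts))
```

Feeding it the server's own log lines in place of `SAMPLE_LOG` shows the filename and content type behind each false positive, which is what identifies the extension to review.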