Topic: New Howto: Stop receiving "bad" attachments -Teste

[loveless]

I'm looking for a few testers.  You need to have procmail installed (is part of the user-panel).  If you've got SpamAssassin running, that's cool... but isn't necessary.

I've created a custom procmail template fragment that will scan each message.  If it finds an attachment of file type X, the message gets moved to an IMAP folder called "bad-attach".  The user then gets an e-mail telling them that a message was blocked and how to retrieve it.

I've been running on my account without any trouble.  I'll be activating it for my whole server tonight.

Let me know what you think.

http://www.tech-geeks.org/contrib/loveless/bad-attach/


I know there are a couple other options out there for removing attachments, but I think this seems to work best for me.

Thanks,
Abe

[loveless]

I just received a notice that when used on SME 6.0, you get caught in a message loop... that fills your inbox.  So, don't use on 6.0... yet.

For now, I've only tested on v5.6.

I'll try to have one ready for 6.0 next week.

[Anonymous]

Just a suggestion.
Could you make it possible to REJECT mails with selected attachment file types - ex. EXE, PIF, COM, VBS, BAT, CMD, DLL

These types of attachments is 99,9% of all virus mails.

And perhaps an option to reply to the sender that the mail was rejected, and has to be encoded to zip/rar format if the receiver should be able to receive the mail.

Best regards
Anders

[loveless]

Just a suggestion.
Could you make it possible to REJECT mails with selected attachment file types - ex. EXE, PIF, COM, VBS, BAT, CMD, DLL

These types of attachments is 99,9% of all virus mails.

And perhaps an option to reply to the sender that the mail was rejected, and has to be encoded to zip/rar format if the receiver should be able to receive the mail.

I'll see what I can do.  That shouldn't be too hard to add.  I'll post it back here in a couple of days.

Thanks for the feedback!

[loveless]

Ok, my bad-attach contrib has tested correctly on my SMEServer v6.0 test box.

http://www.tech-geeks.org/contrib/loveless/bad-attach/

Get the newer one.

I also give you a few more options than were previously available. Now you can:

1. Choose to forward a notice to admin (only message headers, now)
2. Choose to send a notice to recipient, or not
3. Edit the message that goes to the recipient
4. Choose to move bad message to "bad-attach" directory, or just drop it.
5. Choose SME Server v5.x or 6.x
6. Modify the file types to be blocked.

Let me know how you get along.


Note: I've been running a variation of this since late last week. I've been seeing a lot of messages that are getting blocked that maybe shouldn't For instance, it blocks a lot of mailings from Ebay because it detects a .com attachment... but I haven't been able to find the attachment. The messages do have a ton of html code in them, so who knows what they're actually doing. I'll keep looking for a way to de-sensitize it, though.

[tobyk]

Hi this looks great. I was wondering if this can be configured if you have no local users on the box as the procmail is a per user thing (if i understand correctly). I have setup a box with spamassassin/clamav that checks mail and forwards it to one of our exchange servers. Although 100s are blocked some viruses are still getting past and getting blocked by NAI Groupshield which i still have in place. These are evil attachments such as PIF etc which have no valid use and Groupshield drops. I would like to do this however without the large NAI license fees. Thanks in advance

Toby

[loveless]

Toby,

I'm afraid not.  You're right, it is based on the user.  But, I have since switched my server to Craig Foster's MessageWall contrib.

http://mirror.contribs.org/smeserver/contribs/cfoster/beta/messagewall/

He says not to use it, but it's been working great for me.  I scaled it back, so pretty much all it does (for me) is block bad attachments and check the DNSBL for known spammers.  I'm running it on SME v5.6.  MessageWall blocks at the SMTP level, so anything coming into the box will get scanned... which sounds like it might be just what you need.

Let me know if you run into config trouble, I did need to do some tweaks for my situation (many domains and many local networks).

[raem]

Dear Guest

> Could you make it possible to REJECT mails with
> selected attachment file types - ex. EXE, PIF,
> COM, VBS, BAT, CMD, DLL
> These types of attachments is 99,9% of all virus mails.
> And perhaps an option to reply to the sender that the mail was rejected

Without wanting to detract from the work Abe is doing, have you all looked at executable content blocking, as implemented by Gordon Rowell see

http://lists.contribs.org/mailman/public/devinfo/msg07431.html

and
http://lists.contribs.org/mailman/public/devinfo/msg07511.html

Make sure you read all the posts as they cover the initial development and newer releases.


It blocks mesaage attachments with (Windows) executable files which as "Guest" suggests cover 99% of viruses.
Even though the virus infected file purports to be a bat, pif or whatever, they are still executable and therefore the message gets blocked. And yes it does send a "Sorry we don't accept messages with executable content" message to the sender (who is often bogus anyway).

The method is called Pattern Matching, I have had it running on my server for a few weeks now and virus detection is virtually zero. I have had 1 virus detected in the last 3 weeks by Clamavis, whereas previously there would have been many hundreds detected.

The only price you pay is that you cannot send legitimate *.exe files or *.zip v1 format files (which is an old format), you have to zip them (in v2 zip format, modern format).

It works very well. I believe Gordon is working to add more functionality to include the ability to select any/all types of files to be blocked or allowed.

For now, the currently available contrib does a fantastic job at stopping virtually all viruses in email attachments.

I do have a draft howto prepared but not yet released, coming soon.

Regs
Ray

[loveless]

Hey Ray,

I saw a few of those posts and was wondering how that was coming along.

I'd sure be willing to try it, but now that my main server is running so well... I just hate to screw with it.  

It's good to hear some positive feedback on it.

Later,
Abe

[gsiegel]

It's good to hear some positive feedback on it.

My experience parallels Ray's. I've been using this since it first hit the mirrors. I went for 25-100 virus/worms per day to only getting one since I started using the patterns, and the pattern that allowed that one through has been corrected.

I had tried various custom procmail rules, checkhab, procmail sanitizer and anything else I could find, but all of these let viruses through and occasionally blocked attachments that I had to have. Gordon's contrib has worked flawlessly other than the one pattern that needed fixed.

[raem]

The Virus and file blockinmg HOWTO is now available see

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

Happy using
Regs
Ray

[albatroz]

I can´t find this URL, does anyone knows about any update?

http://www.tech-geeks.org/contrib/loveless/bad-attach/

BTW, I alreay have dungog procmail-based mail filtering contrib, so I was wondering if I could place a pattern matching rule inside it. What do you think?

[raem]

Search and you would have found !
http://mirror.contribs.org/smeserver/contribs/aloveless/contribs/bad-attach/

[raem]

albatroz
> I alreay have dungog procmail-based mail filtering > contrib, so I was wondering if I could place a
> pattern matching rule inside it.

The Patterm matching contrib blocks incoming mail so it never enters the server.
Procmail filters at the end of the chain when about to be delivered to the user account.
They are completely different.

[Jon_Reynolds]

Ray is correct. The Pattern matching is stopped at the smtp level so your server doesn't have to process the message, which saves cpu cycles, which is nice. I have been using this contrib since I found it. Russell Nelson is the guy that created it and you can find more information about it on the qmail.org site.

Ray, thank you for the time and effort you put forth for this project. Your efforts do not go unappreciated.

Thank you,

Jon