Koozali.org: home of the SME Server

Blocking exe/com/vbs/scr/... attachment on e-mail

Jáder (LinuxFacil)
Blocking exe/com/vbs/scr/... attachment on e-mail
« on: August 03, 2004, 03:06:07 AM »
I'm trying to find some way to block dangerous extensions as attachments in my e-mails.
I've tried to use:
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

but I'm getting these errors:
[root@panda block-ext]# rpm -Uvh *.rpm
error: failed dependencies:
        perl-perl-ldap >= 0.31-1 is needed by e-smith-email-4.15.0-07gr07
        perl-Net-Server >= 0.85-1 is needed by e-smith-email-4.15.0-07gr07
        sortspam >= 1.1.0-02 is needed by e-smith-email-4.15.0-07gr07
[root@panda block-ext]#

and I think there could be an easier way... just block them in procmail, maybe!

Does anyone have an idea?

Jáder

raem
Blocking exe/com/vbs/scr/... attachment on e-mail
« Reply #1 on: August 03, 2004, 02:56:03 PM »
Gordon Rowell recently updated the contrib and it requires some newer rpms (dependencies). I have not updated the HOWTO to reflect this just yet.

perl-perl-ldap
perl-Net-Server
sortspam

You can get even newer versions of the rpms from
ftp://ftp.ibiblio.org/pub/linux/distributions/e-smith/devel/RPMS/i386/

Install them with rpm -Uvh *.rpm

and then install the pattern matching contrib.

It does work very well, my clamavis has caught no viruses for many weeks now as they have all been rejected by the pattern matching contrib.

wellsi (http://www.wellsi.com)
Blocking exe/com/vbs/scr/... attachment on e-mail
« Reply #2 on: August 03, 2004, 07:12:55 PM »
Quote from RayMitchell:
> It does work very well, my clamavis has caught no viruses for many weeks now as they have all been rejected by the pattern matching contrib.

I have also seen this, and wonder if ClamAV is even needed anymore when using this. I occasionally check the headers to ensure that it is still active, as I no longer get any viruses being caught by ClamAV.

Another thought I had was whether the emails should be rejected (as at the moment) or quarantined in a similar way to the ClamAV contrib. Is there any benefit in actually rejecting them?

Jáder (LinuxFacil)
It's installed
« Reply #3 on: August 04, 2004, 01:55:28 AM »
Hi

Thanks for your help. I got mine working!
I have one doubt: what patterns are you using?

I'd like to block all DANGEROUS files (VBS, SCR, EXE, COM) + all "not working" types of files (MP3, MPG, AVI, PPS, PPT).

And one question: how do I control what happens to the e-mail... what is sent back to the user?

Thanks!

Jáder

raem
Re: It's installed
« Reply #4 on: August 04, 2004, 01:17:58 PM »
jader

> I have one doubt: what patterns are you using?

Why is that a doubt? The default ones work fine and cover most standard situations for stopping viruses, plus a couple of others I am testing.

> I'd like to block all DANGEROUS files (VBS, SCR, EXE, COM)

I think you have missed the point; you probably are already blocking all of those (except perhaps for VBS).
The default installation blocks executable content whatever the filename is. The contrib is not blocking filenames, it is blocking any identifiable (i.e. known) executable content, and that can be in files that happen to have any filename. By default all Windows-type executable files start with certain patterns, and it is those patterns which are being blocked, plus a few other common patterns known to be used by virus writers.

You can test files of a certain type to determine their "pattern" and then see if that pattern is one of those being blocked; that will tell you if VBS files are already being blocked or not.
The full details are in the HOWTO.

> + all "not working" type of files (MP3, MPG, AVI, PPS, PPT).

The HOWTO has quite specific information on how to go about creating your own "patterns" based on common non executable file types. Some examples are given, but these may not necessarily cover all possible occurrences of files for mpg or avi etc. More testing is needed for the extra example patterns given in the HOWTO. You need to create and test to see if they do what you want.
Please let me know if you come up with some more/better standard patterns for non executable file types, I will add them to the HOWTO.


> And one question: how do I control what happens to the e-mail... what is sent back to the user?

That's easy, just send yourself an email with an attached exe file, you will receive the bounce message.

raem
Blocking exe/com/vbs/scr/... attachment on e-mail
« Reply #5 on: August 04, 2004, 02:28:47 PM »
Hi Ian
Good work you are doing with the Documentation side of contribs.org.

> I ........ wonder if ClamAV is even needed anymore when using this.

Yes, some type of AV scanner is still needed, although as a second line of defence. Any new viruses will be added to the definitions list by the Clam team, and clamavis will detect these when they are not detected by the pattern matching contrib (as those patterns are not yet in the pattern matching database).

If a new common pattern is determined then that should ultimately be added to the pattern matching database. So far this has not been necessary, but it probably will be needed over time.


> .......should the emails be rejected or quarantined..........Is there any benefit in actually rejecting them?

That's the whole idea of pattern matching rejection at the smtp level. The message is not processed by the system, reducing processor overhead and memory demands. They are rejected outright, so there is nothing to quarantine and nothing to process.
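The two points raem makes above, in Reply #4 (the contrib matches executable content, not filenames) and here in Reply #5 (the match leads to an outright SMTP-level rejection rather than a quarantine), can be illustrated with a small model of that check. The following is an added example written for this thread; it is not code from the pattern matching contrib, smtpfront-qmail or the HOWTO. The signature table, the sample message and the 550 reply text are all constructed assumptions for the demonstration; the contrib's actual pattern database is described only in the HOWTO.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed signature table for this example. The contrib discussed on the
# page matches byte patterns in the SMTP data stream, not filenames; these are
# the well-known leading bytes of executable containers (the "MZ" DOS/PE
# header, ELF, and ZIP, which can carry executables).
MAGIC_PATTERNS = {
    b"MZ": "DOS/Windows executable (MZ header)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive (may wrap an executable)",
}


def base64_prefix(magic: bytes) -> str:
    """Base64 text that a line-based SMTP filter would see for these leading bytes.

    Only the output characters fully determined by `magic` are returned
    (6 bits per character), so the prefix is valid whatever bytes follow.
    """
    encoded = base64.b64encode(magic).decode("ascii")
    return encoded[: (len(magic) * 8) // 6]


def classify_attachments(raw_message: bytes) -> list[dict]:
    """Decode every attachment and inspect its real leading bytes, ignoring the name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict = None
        for magic, description in MAGIC_PATTERNS.items():
            if data.startswith(magic):
                verdict = description
                break
        results.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "verdict": verdict,
        })
    return results


def smtp_decision(raw_message: bytes) -> tuple[int, str]:
    """Model SMTP-time rejection: a 5xx reply means the sending side produces
    the bounce, and nothing is queued or quarantined on the receiving server."""
    hits = [r for r in classify_attachments(raw_message) if r["verdict"]]
    if hits:
        names = ", ".join(str(r["filename"]) for r in hits)
        return 550, f"5.7.1 Message rejected: executable content in {names}"
    return 250, "2.0.0 Queued"


def build_sample_message() -> bytes:
    """Constructed test message: a harmless text attachment plus a Windows
    executable header hidden behind a .pdf filename and a PDF content type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment("meeting notes", filename="notes.txt")
    # Standard DOS stub header bytes followed by zero padding (constructed).
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 52
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for r in classify_attachments(SAMPLE_MESSAGE):
        print(r)
    print(smtp_decision(SAMPLE_MESSAGE))
    # What a line-based filter sees at the start of a base64-encoded MZ header
    print("base64 prefix of MZ header:", base64_prefix(b"MZ\x90\x00"))
```

The renamed attachment is flagged because its decoded bytes begin with "MZ", while the name and Content-Type say PDF; `base64_prefix` shows why a filter that never decodes anything can still match: an MZ header always encodes to text starting with "TVqQ", which is the kind of fixed pattern a stream-level check can look for.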

Jáder (LinuxFacil)
patterns
« Reply #6 on: August 04, 2004, 05:39:39 PM »
Ray

>> I have one doubt: what patterns are you using?
>Why is that a doubt ? The default ones work fine and cover most standard situations for stopping viruses, plus a couple of others I am testing.

OK! But I'd like to block other extensions than those associated with viruses.


>> I'd like to block all DANGEROUS files (VBS, SCR, EXE, COM)
>I think you have missed the point, you probably are already blocking all of those (except perhaps for VBS).

OK! Great news! I'll try to use your howto to work out a way to block VBS files ASAP!

>> + all "not working" type of files (MP3, MPG, AVI, PPS, PPT).

> Please let me know if you come up with some more/better standard patterns for non executable file types, I will add them to the HOWTO.

I'll post results in a week... after some tests! :)

>> And one question: how do I control what happens to the e-mail... what is sent back to the user?
>That's easy, just send yourself an email with an attached exe file, you will receive the bounce message.

I'm testing this on a client using fetchmail to get his email (multidrop) and I never got back any message! Maybe I have done something wrong... because I can see the messages in the log file!

raem
Re: patterns
« Reply #7 on: August 04, 2004, 05:46:40 PM »
jader

> I'm testing this on a client using fetchmail

Pattern matching relies on smtpfront-qmail to collect mail. I don't think it works if you use fetchmail.

You can set up a free domain from dyndns (& others) and use smtp (standard) to collect mail and then avail yourself of the pattern matching and RBL list blocking features.

Jáder (LinuxFacil)
blocking even with fetchmail
« Reply #8 on: August 04, 2004, 07:47:30 PM »
> Pattern matching relies on smtpfront-qmail to collect mail.
> I don't think it works if you use fetchmail.

I still cannot guarantee it... but I think it will block... silently... without notice.

I'll change this client to SMTP (:25) ASAP.

Thanks!

Jáder

raem
Blocking exe/com/vbs/scr/... attachment on e-mail
« Reply #9 on: August 05, 2004, 02:26:49 PM »
Ian

> ....and wonder if ClamAV is even needed anymore when using this.

Having a scanner on your system like Clamavis, especially if it is set to scan outgoing messages, will also prevent virus spread from "internal" LAN infections.
Although pattern matching also scans outgoing messages as well, a scanner that is updated automatically like Clamavis will still catch new viruses that are not identified by pattern matching, if they should occur.

I personally think it's a good idea to keep Clamavis or similar functioning on your server. It's a second defensive system if viruses get through the first line of defence.

wellsi (http://www.wellsi.com)
Blocking exe/com/vbs/scr/... attachment on e-mail
« Reply #10 on: August 14, 2004, 04:20:53 PM »
Well, for the first time in many, many months a virus made it through to ClamAV.

Detected: Virus found: Trojan.JS.RunMe

So it reinforces the message that a virus scanner is required as a 2nd line of defence.

It might be worth noting that for this virus ClamAV beat the bigger names to protecting against it.

Regarding fetchmail, it can be used to inject the email into the smtpfront queue and therefore can work.

I currently use multipop as I am on a dynamic IP, so I have to use fetchmail AFAIK.