Koozali.org: home of the SME Server

Executable attachments patterns used by the email file attachments blocker

Offline brianr

Can someone point me to something I can read that will tell me how the patterns in the Email Settings/Email Filters Server Manager page work and can be produced?

We recently had a "zip" file come through that turned out to be a scr file masquerading as a pdf file.  It left us with a small visitor on the PC!

Cheers  Brian
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........


Offline janet

« Reply #3 on: February 03, 2015, 09:38:41 PM »
brianr

Some new zip signatures were added to the underlying code recently, perhaps you need to enable those in server manager Email panel.
If you find new signatures, please raise a bug report so they can be added to the mail patterns database.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Stefano

« Reply #4 on: February 03, 2015, 10:07:49 PM »
an idea could be to share (we should study a way) signatures.. like AV ones

Offline janet

« Reply #5 on: February 03, 2015, 10:18:31 PM »
Stefano

Quote
an idea could be to share (we should study a way) signatures.. like AV ones

Well lodging a new feature request in bugzilla & submitting a new signature would get those signatures into the mail patterns database.
File types do not change often, so it is not a situation like AV where daily signature updates are needed.
Those recent zip file signatures were the first ones I was aware of in many years.

Offline Stefano

« Reply #6 on: February 03, 2015, 10:22:55 PM »
I had a cryptolocker email last week.. attach was a .cab file

Offline janet

« Reply #7 on: February 03, 2015, 10:47:43 PM »
Stefano

I am not sure of the point you are making.
If you do not want to receive .cab files, then block them by creating a mail pattern & add it to your server's database.

Quote
I had a cryptolocker email last week.. attach was a .cab file

Offline brianr

« Reply #8 on: February 03, 2015, 11:09:37 PM »
Quote
brianr

Some new zip signatures were added to the underlying code recently, perhaps you need to enable those in server manager Email panel.
If you find new signatures, please raise a bug report so they can be added to the mail patterns database.

I do have all the patterns enabled already on this system. I'll certainly do as you say if something useful emerges.

Offline brianr

« Reply #9 on: February 05, 2015, 01:15:38 PM »
Added bug as follows with new mail pattern.

http://bugs.contribs.org/show_bug.cgi?id=8833


Offline raem

« Reply #10 on: February 06, 2015, 02:02:26 AM »
brianr

Quote
Added bug as follows with new mail pattern.
http://bugs.contribs.org/show_bug.cgi?id=8833

Well I just checked bug 8717 & bug 8718 and that signature (or a shorter version of it)
UEsDBBQDA
was already added to the mailpatterns database

Bug 8718 was verified & fixed in
e-smith-email-5_4_0-9_el6_sme sme9

It looks like that rpm is still sitting in smeupdates-testing repo
http://distro.ibiblio.org/smeserver/releases/9/smeupdates-testing/i386/RPMS/


Bug 8717 was verified & fixed in
e-smith-email-5_2_0-26_el5_sme sme8

It looks like that rpm is still sitting in smetest repo
http://distro.ibiblio.org/smeserver/releases/8/smetest/i386/RPMS/

Looks like the next step(s) to move these to the smeupdates repo never happened.

You could install the e-smith-email rpm from the repo mentioned above & see how you go, you will get an extra signature as well
UEsDBBQAC

For sme9 do
yum update e-smith-email --enablerepo=smeupdates-testing
signal-event email-update
...
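
How the two signatures quoted above relate to file bytes, as an added example that is not part of the original thread or of the SME Server code: both decode to the start of a ZIP local file header (PK 03 04). The sketch assumes a pattern is compared as text against the start of an attachment's base64 body; the function names and the sample message are constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage

# The two signatures quoted in this thread.
THREAD_SIGNATURES = ("UEsDBBQDA", "UEsDBBQAC")

def signature_bytes(sig):
    """Decode a base64 signature: (fully determined leading bytes, spare bits)."""
    raw = base64.b64decode(sig + "A" * (-len(sig) % 4))
    nbits = len(sig) * 6
    return raw[: nbits // 8], nbits % 8

def stable_prefix(magic):
    """Base64 characters that are fixed whenever a file starts with `magic`."""
    return base64.b64encode(magic)[: len(magic) * 8 // 6].decode()

def blocked_attachments(raw_message, signatures=THREAD_SIGNATURES):
    """Filenames of base64 parts whose encoded body starts with a signature."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        if part.is_multipart() or cte != "base64":
            continue
        # Assumption: the pattern is anchored at the first encoded characters.
        if part.get_payload().lstrip().startswith(tuple(signatures)):
            hits.append(part.get_filename())
    return hits

def sample_message():
    """Constructed message: one ZIP-like attachment, one PDF-like attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    # Constructed bytes: start of a ZIP local file header, not a real archive.
    zip_like = b"PK\x03\x04\x14\x00\x08\x00" + b"\x00" * 22
    msg.add_attachment(zip_like, maintype="application", subtype="zip",
                       filename="scan.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for sig in THREAD_SIGNATURES:
        print(sig, signature_bytes(sig))
    print(blocked_attachments(sample_message()))
```

Nine base64 characters carry 54 bits, so each signature pins six whole bytes plus the top six bits of the seventh; a ZIP whose header differs in those bytes produces different leading characters and needs its own pattern.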

Offline brianr

« Reply #11 on: February 06, 2015, 10:45:36 AM »
Quote
For sme9 do
yum update e-smith-email --enablerepo=smeupdates-testing
signal-event email-update

and for SME8:

yum update --enablerepo=smetest e-smith-email