Koozali.org: home of the SME Server

block iso email attachment

SchulzStefan
block iso email attachment
« on: May 20, 2019, 04:28:36 PM »
We see a lot of email attachments like *.img and *.iso from untrusted sources.

Is there an easy way to block those emails?

Thanks for any reply,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

SchulzStefan
Re: block iso email attachment
« Reply #1 on: May 20, 2019, 08:03:11 PM »
Googling around leads to this approach:

In /etc/mail/spamassassin/local.cf adding the lines:

mimeheader MIME_FAIL   Content-Type =~ /\.(iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   5

Would this do the trick?

janet
Re: block iso email attachment
« Reply #2 on: May 20, 2019, 08:11:13 PM »
SchulzStefan

The server manager Email panel for Executable content blocking may help you.
If those formats are not blocked using any of the standard available file types (that are in the selection list), then you can create your own file "magic" for img & iso using the steps outlined in the latter section of this Howto:
https://wiki.contribs.org/Virus:Email_Attachment_Blocking
Let us know your results.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

SchulzStefan
Re: block iso email attachment
« Reply #3 on: May 20, 2019, 08:18:29 PM »
Janet,

I read the wiki about creating own magics. I'm looking for a fast and easy way. Seems much more easy to me to template the local.cf if this approach works. Therefore my question, will this work? Of course, I'll try it for my own. I implemented this already and restarted qmail and spamd. I'll report.

regards,
stefan

SchulzStefan
Re: block iso email attachment
« Reply #4 on: May 20, 2019, 10:12:52 PM »
Quote
Googling around leads to this approach:

In /etc/mail/spamassassin/local.cf adding the lines:

mimeheader MIME_FAIL   Content-Type =~ /\.(iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   5

Would this do the trick?

Negative.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: block iso email attachment
« Reply #5 on: May 21, 2019, 12:05:17 AM »
Try a 95 score.

This needs to have spamassassin enabled, and sorting to the spam folder enabled if the reject score is not reached.
Also, 5 might be reduced under 4 with other positive filters and might show the mail.

The mime type filter might be more effective to block.

janet
Re: block iso email attachment
« Reply #6 on: May 21, 2019, 08:21:36 AM »
SchulzStefan

"I read the wiki about creating own magics. I'm looking for a fast and easy way."

It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.

You have probably spent more time than that on other non successful methods.

Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.

mmccarn
Re: block iso email attachment
« Reply #7 on: May 21, 2019, 02:18:51 PM »
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.

I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?

This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
Code:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # -ctime -1: changed within the last day. grep -E: (iso|img) is an
  # alternation; inside a [bracket] expression those letters would only
  # match one character each.
  find "$maildir" -type f -name "*.$(config show ServerName)*" -ctime -1 \
    -exec grep -lE "Content-Disposition: attachment; filename=.*\.(iso|img)" "{}" \;
done

SchulzStefan
Re: block iso email attachment
« Reply #8 on: May 23, 2019, 09:28:02 PM »
Quote
It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.

I don't understand - *every* attachment is different.

Quote
Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.

That's correct.

SchulzStefan
Re: block iso email attachment
« Reply #9 on: May 23, 2019, 09:30:26 PM »
Quote
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.

I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?

This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
Code:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # -ctime -1: changed within the last day. grep -E: (iso|img) is an
  # alternation; inside a [bracket] expression those letters would only
  # match one character each.
  find "$maildir" -type f -name "*.$(config show ServerName)*" -ctime -1 \
    -exec grep -lE "Content-Disposition: attachment; filename=.*\.(iso|img)" "{}" \;
done

Aha. Seems I'm not the only one thinking about an easy way to block any attachment you want.

I'll give the script a try.

janet
Re: block iso email attachment
« Reply #10 on: May 24, 2019, 12:19:08 AM »
SchulzStefan

Blocking by filename type (suffix) is flawed, as files can be an exe or zip or whatever else type content but be named *.txt, thus avoiding detection.

Quote
I don't understand - *every* attachment is different.

Well so you claim.
In plain English: in most cases, files of a certain format, say zipv1, have a common set of characters at the very beginning of the file "code"; this is known as the "magic", "signature" or "pattern", and is usually 9 characters or more that are identical in "every" zipv1 file.
The same concept applies to zipv2 & exe & other file formats, they all have a unique & identical set of characters at the beginning of the file, which is identical for each specific file format type.

The neat aspect of file pattern matching is that the file can have a false name, say filename.txt, but if it is actually a zipv1 or exe format file, then the pattern matching will detect & reject it. A false name cannot trick or fool the pattern matching filter, as it examines the file content rather than the file name.

So as no specific pattern is listed in the SME server database for iso & img files, you will need to determine what the pattern or magic is, add it to the mailpatterns database & select that option in server manager.

The full instructions are in the Howto & while appearing to be complex, it is fairly straightforward if you follow the step by step instructions (ie the section about determining the magic & creating a database entry).

I do not personally know for sure if there are common patterns for all variants of iso & img files, that is why you would need to run the commands described in the Howto against a few different iso & img files.
« Last Edit: May 25, 2019, 01:33:57 AM by janet »

janet
Re: block iso email attachment
« Reply #11 on: May 24, 2019, 12:29:30 AM »
SchulzStefan

From the Howto article are these extra patterns you can add. They may catch some of your unwanted img files as they detect content rather than filename.

Extra patterns
Extra patterns not included in the default database that may be enabled if required for blocking of multimedia files etc (long & short versions listed)

Note:
These have not been thoroughly tested and may need further refinement to ensure they accurately represent the signature pattern for all occurrences of the particular file type

SCR screen saver files - MS-DOS executable (EXE)
Example: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Pattern: TVqQAAMAAA

PIF1 - data
Example: AHhUYXggMTk5OCAgICAgICAgICAgICAgICAgICAgICCAAgAAWTpcSFNPRlRcSFQ5OFxIVDk4LkVY
Pattern: AHhUYXgg

PIF2 - data
Example: AMlIbDk5LmV4ZSAgICAgICAgICAgICAgICAgICAgICCAAIAAVDpccHJpdmF0ZVxIc29mdFxITFxI
Pattern: AMlIbDk5Lm

PIF3 - data
Example: AHhIYW5kaVJlZ2lzdGVyIDIwMDAgICAgICAgICAgICCAAgAAWTpcSHNvZnRcSFJcSFIwMC5FWEUA
Pattern: AHhIYW5k

WAV sound file - data
Example: UklGRiRwLgBXQVZFZm10IBAAAAABAAIAgLsAAADuAgAEABAAZGF0YQBwLgAAAAAAAAAAAAAAAAAA
Pattern: Uk1GRiRwL

JPEG image data, JFIF standard 0.00, aspect ratio, 0 x 0
Example: /9j/4AAQSkZJRgABAgEBLAEsAAD/7RLSUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABABLAAAAAEA
Pattern: /9j/4AAQSkZJRg

TIF - TIFF image data, little-endian
Example: SUkqAAgAAAAQAP4ABAABAAAAAAAAAAABAwABAAAAJgMAAAEBAwABAAAAQAUAAAIBAwADAAAAzgAA
Pattern: SUkqAAgAAAA

PPT powerpoint presentation - Microsoft Office Document
Example: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAADEAwAAIRgBAAAAAAAA
Pattern: 0M8R4KGxGuEA

WMV Windows Media Player video file - Microsoft ASF
Example: MCaydY5mzxGm2QCqAGLObH8PAAAAAAAACwAAAAECodyrjEepzxGO5ADADCBTZWgAAAAAAAAAeeIB
Pattern: MCaydY5mzxGm

MPG mpeg1 video file - MPEG system stream data
Example: AAABuiEAAQAHgCgdAAABuwAMgCgdBeH/4OAuwMAgAAAB4AfcYC4xAAGMUREAAXAxAAABsxYBIIME
Pattern: AAABuiEAAQAHg

M2P mpeg2 video file - MPEG system stream data
Example: AAABukQABAAGBQFG//gAAAG7AAyAo38F4X/g4OfAwCAAAAHgB9qAwQ0xAAG2QxEAAZojHmDnAAAB
Pattern: AAABukQABAAGB

AVI video file - RIFF (little-endian) data
Example: UklGRpC0qQBBVkkgTElTVDYBAABoZHJsYXZpaDgAAABAnAAA5MJnAAAAAAAQAAEAWggAAAAAAAAC
Pattern: UklGRpC0qQBB

janet
Re: block iso email attachment
« Reply #12 on: May 24, 2019, 12:35:27 AM »
SchulzStefan

From the Howto.

Determining file pattern, signature or magic
To find out what the pattern or signature or magic for a file is, it needs to be run through a base64 encoding routine and the appropriate strings determined from the first line of the output. That is, for "sane" files which have "magic" numbers at the start. The file can also be decoded to find out what type of it is. Published file specifications (where available) could also be referred to.

Copy a file to a folder on SME Server, say filename.zip

At the command prompt do

perl -MMIME::Base64 -0777 -ne 'print encode_base64($_)' <filename.zip | head -1
This gives an output of

UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV
A suitable substring needs to be picked to use as the pattern for this file type, for example:

UEsDBAoAA
The pattern string needs to be long enough to avoid "false positives" and short enough to catch all of that file type. Running the above command across a few files of a particular type will usually clearly show the appropriate substring.

To find out the file type details

echo 'UEsDBAoAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result

file /tmp/17.exe
the output is

/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file

An alternative way of identifying the file pattern or signature for users of Clamavis-ng is to view the quarantined messages in /var/spool/amavis-ng/quarantine

Here is an extract from a quarantined infected message that mimics a zip file

----------mtohkeqkmfnipbfntepj
Content-Type: application/octet-stream; name="AttachedFile.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AttachedFile.zip"
UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV1OwspplLsSWrbYvwOvHVHYOYDOiVliyLlDWU2LYVELdEiwxkwOPVsk3+m/Ddl9U56v6+tbrdXPEBTv+yEH56h/R+Bbk54hUOLieVPW61QOD7YVXZilxgCAZ+SppPxWuKv2iCBuw5qQ5N/r7CISrWWEPaAzGYwUmuERoNMEo4TFm6yV2BqBhv+Y1e/SLz30EV6anGmvwvKiWaLfcjo8sfF3UDQ203TAV33kypvZDqAsF/g3O1rvbEf+K/pZpWjOy1A5S3OWF7IKsbNxQdwqWPvuO6XS6QHwLQAF+6q4LKdUFM89j+lnKR3bXaGU3v18YN862XIeJtEqW3Ulbj8MA33IBDoTQzpYQwGQm+?????????..
So to create a new pattern for this message use

UEsDBAoAA
which is the pattern corresponding to ZIPV1 file type

UEsDBAoAA: Zip archive data, at least v1.0 to extract

warren
Re: block iso email attachment
« Reply #13 on: May 24, 2019, 11:53:43 AM »
Just some observations on some file types I tested.
Some files show a pattern in the magic number, others not  :?

Code:
File name                            magic found
boot.img                             6zyQU1lTTElOVVgAAgEBAAIQAEAL8AkAEgACAAAAAAAAAAAAAAApducAQCAgICAgICAgICAgRkFU
FreePBX-32bit-10.13.66_usb.img       61iQU1lTTElOVVgAAgAAAAAAAAAAAAAAIABAAAAAAAAAgD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DGN2000_V1.1.8.0.img                 EAACeQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
proxmox-ve_4.0-a7dc5694-9.iso        RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
proxmox-ve_4.4.iso                   RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
ubuntu-18.04.1-desktop-amd64.iso     RVIIAAAAkJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
smeserver-9.2-x86_64.iso             M+36jtW8AHz7/GYx22YxyWZTZlEGV47djsVSvgB8vwAGuQAB86XqKwYAAFK0QbuqVTHJMPb5zRNy
smeserver-10.0.alpha3-x86_64.iso     M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
super_grub2_disk_hybrid_2.00s2.iso   62OQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
kali-linux-1.0.6-amd64.iso           M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O



janet
Re: block iso email attachment
« Reply #14 on: May 25, 2019, 01:44:48 AM »
warren

Good work
There was/is no guarantee that there is a common file magic.

"Just some observations on some file types i tested
Some files show a pattern in the magic number, others not  :?"


In that situation multiple patterns would have to be used eg isov1, isov2, isov3 etc
These 2 are possibilities:
M+2QkJCQk
RVIIAOsC/
or
RVIIA

Unfortunately I have not been able to test any iso's recently as I have been rather busy this week.


The original reporter SchulzStefan could always monitor the iso's etc that he receives & create patterns from those.
While they may not work appropriately for everyone as common patterns, they would work on his own SME server system quite well, as he wants to block all iso's, so he could just keep adding patterns for every iso file he receives.
« Last Edit: May 25, 2019, 02:07:05 AM by janet »
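Added worked example, not code from the Howto or from SME Server: it reproduces the Howto's "first base64 line" step from Reply #12, then derives candidate prefix patterns from the lines warren posted in Reply #13 (first 20 characters of each), which is why janet's "multiple patterns" conclusion in Reply #14 follows. The grouping heuristic, the 9-character minimum and the 12-character cap are assumptions.

```python
import base64

# Added example; not code from the Howto or from SME Server. WARREN_LINES holds
# the first 20 characters of each base64 line warren posted above (the output
# of the Howto's `perl -MMIME::Base64 ... | head -1`), keyed by file name.
WARREN_LINES = {
    "boot.img": "6zyQU1lTTElOVVgAAgEB",
    "FreePBX-32bit-10.13.66_usb.img": "61iQU1lTTElOVVgAAgAA",
    "DGN2000_V1.1.8.0.img": "EAACeQAAAAAAAAAAAAAA",
    "proxmox-ve_4.0-a7dc5694-9.iso": "RVIIAOsC//+QkJCQkJCQ",
    "proxmox-ve_4.4.iso": "RVIIAOsC//+QkJCQkJCQ",
    "ubuntu-18.04.1-desktop-amd64.iso": "RVIIAAAAkJAAAAAAAAAA",
    "smeserver-9.2-x86_64.iso": "M+36jtW8AHz7/GYx22Yx",
    "smeserver-10.0.alpha3-x86_64.iso": "M+2QkJCQkJCQkJCQkJCQ",
    "super_grub2_disk_hybrid_2.00s2.iso": "62OQAAAAAAAAAAAAAAAA",
    "kali-linux-1.0.6-amd64.iso": "M+2QkJCQkJCQkJCQkJCQ",
}


def first_b64_line(data: bytes) -> str:
    """The Howto's `encode_base64 | head -1`: one 76-character base64 line
    covers exactly the first 57 raw bytes of the file."""
    return base64.b64encode(data[:57]).decode("ascii")


def common_prefix(a: str, b: str) -> str:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def derive_patterns(lines, min_len=9, max_len=12):
    """Group first lines into a small set of prefix patterns.

    A line joins the first pattern with which it shares at least min_len
    leading characters (the pattern shrinks to that shared prefix); otherwise
    it seeds a new pattern of max_len characters. min_len=9 follows janet's
    "usually 9 characters or more"; the 12-character cap is an assumption.
    """
    patterns = []
    for line in sorted(set(lines)):
        for i, pat in enumerate(patterns):
            shared = common_prefix(pat, line)
            if len(shared) >= min_len:
                patterns[i] = shared
                break
        else:
            patterns.append(line[:max_len])
    return patterns


def matches(first_line: str, patterns) -> bool:
    """The mailpatterns-style test: does any pattern start the first line?"""
    return any(first_line.startswith(p) for p in patterns)


def decode_prefix(pattern: str) -> bytes:
    """Decode the complete base64 quads of a pattern to see which raw 'magic'
    bytes it pins down (the Howto's decode_base64 + file(1) step)."""
    usable = len(pattern) - len(pattern) % 4
    return base64.b64decode(pattern[:usable])


if __name__ == "__main__":
    for min_len in (9, 5):
        pats = derive_patterns(WARREN_LINES.values(), min_len=min_len)
        print(f"min_len={min_len}: {len(pats)} patterns -> {pats}")
    # boot.img and the FreePBX image both carry "SYSLINUX" at byte offset 3
    # but differ in bytes 1-2, so their base64 prefixes diverge at the second
    # character and a prefix pattern cannot merge them.
    for p in ("6zyQU1lTTElOVVgA", "61iQU1lTTElOVVgA", "M+2QkJCQk", "RVIIAOsC/"):
        print(p, "->", decode_prefix(p))
```

With the 9-character minimum the ten files need eight patterns; dropping to 5 characters merges the proxmox and ubuntu lines into janet's "RVIIA", at the cost of a looser match.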

SchulzStefan
Re: block iso email attachment
« Reply #15 on: May 25, 2019, 09:30:45 AM »
Quote
The original reporter SchulzStefan could always monitor the iso's etc that he receives & create patterns from those.
While they may not work appropriately for everyone as common patterns, they would work on his own SME server system quite well, as he wants to block all iso's, so he could just keep adding patterns for every iso file he receives.

That's exactly the point: I don't want to monitor emails with iso-attachments. I'd like to block any email - without any investigation - with an iso-attachment. Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense. Therefore spending time for an investigation in this case is not helpful.

regards,
stefan

SchulzStefan
Re: block iso email attachment
« Reply #16 on: May 25, 2019, 10:02:05 AM »
Has anyone tested/integrated this in the smeserver?

http://qmail-scanner.sourceforge.net/

https://www.tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x179.html

If I understand correctly, this should do it?

ReetP
Re: block iso email attachment
« Reply #17 on: May 25, 2019, 04:04:07 PM »
Your problem still remains unless you block every single attachment

cp some.iso some.jpg

Mail the jpg.....

I don't believe there is a 'one size fits all' simple solution.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

SchulzStefan
Re: block iso email attachment
« Reply #18 on: May 26, 2019, 11:19:34 PM »
Quote
Your problem still remains unless you block every single attachment

cp some.iso some.jpg

Mail the jpg.....

I don't believe there is a 'one size fits all' simple solution.

I don't get it.

Are you saying there's a solution for blocking every jpg-attachment?

Where is the problem, if I want to reject every email with an attachment which is an iso? I don't want to investigate the attachment (or the content of the email), I just want to reject the email in case there's an iso-attachment. I don't want to know anything about the email nor the attachment. If the ending of the attachment is dot iso, I want this email to be rejected or quarantined. If the iso has been copied to a jpeg (or anything else) this would be another problem to me.

Question to the specialists: there's really no solution/addon for qmail  (like black- or whitelist in the server-panel) to block/reject an email with an unwanted file-suffix? It's just stupid blocking, no investigation. Email with an unwanted attachment comes in, reject. End. Nothing else.

regards,
stefan

ReetP
Re: block iso email attachment
« Reply #19 on: May 26, 2019, 11:59:42 PM »
Please don't get so hot under the collar just because no one has provided you with the 'simple' solution you want (because there isn't really a 'good' simple one).

You miss my point and did not really read what I wrote.

For sure block *.iso or *.whatever

BUT. Anyone who wants to bypass it can easily change the extension.

So you block .iso

I copy somefile.iso to somefile.jpg and mail it to my friend and tell him to save it as somefile.iso

Your super blocking code is instantly rendered completely useless because it blocks .iso but allows .jpg (or whatever... don't read this literally)

So simply blocking by extension is not a foolproof solution. That's why antivirus doesn't rely on it.

Hence people are trying to see if there is another method.

But it seems there is no foolproof one currently - it is a really tricky area.

If you have a way to do it then let us know.

ReetP
Re: block iso email attachment
« Reply #20 on: May 27, 2019, 12:27:14 AM »
Quote
Question to the specialists:

If you write stuff like that you may find you don't get much help.

I help fix stuff here for fun. Not abuse. I'm not trying to make fun of you. Just looking at facts.

If you want it fixed then you can:

1. Get build access and do it yourself so everyone benefits

2. Hope people like me write a patch for you. If it is actually possible.

Please, save the sarcasm, and don't bite the hand that feeds you.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: block iso email attachment
« Reply #21 on: May 27, 2019, 04:22:03 AM »
Quote
there's really no solution/addon for qmail (like black- or whitelist in the server-panel) to block/reject an email with an unwanted file-suffix? It's just stupid blocking, no investigation. Email with an unwanted attachment comes in, reject. End. Nothing else.

regards,
stefan

This is not qmail work; this is qpsmtpd that receives emails from outside.

ReetP did answer you why simply checking for the file extension is not the solution.

Nowadays most attacks will be using pdf, docx, odt and other files; you cannot simply block the extension or you will just make your users move to another service to get the file they want.

janet
Re: block iso email attachment
« Reply #22 on: May 27, 2019, 11:24:58 AM »
SchulzStefan

It would be helpful to know what your real motivation is.
"Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense."

Is it that you just think sending iso's is nonsense, or perhaps do you object to large attachments slowing down the mailserver.

Instead of blocking file suffix types, a workaround is that you could limit the size of emails, & anything that has a big iso or img attachment will be blocked (as well as all other attachments that are bigger than the set limit).
See the FAQ for size setting commands.
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Set_max_email_size

eg
config setprop qpsmtpd MaxScannerSize 10000000
signal-event email-update

would probably stop most iso's & img's but still allow large other types of attachments (depending on your personal interpretation of large), & depending on the setting of your other size limits.

Here is another possibility, I have not looked at it so cannot comment on effectiveness or usefulness.
https://wiki.contribs.org/Qpsmtpd:exe_filter
« Last Edit: May 27, 2019, 11:39:57 AM by janet »

SchulzStefan
Re: block iso email attachment
« Reply #23 on: May 27, 2019, 10:10:38 PM »
Quote
Please don't get so hot under the collar just because no one has provided you with the 'simple' solution you want (because there isn't really a 'good' simple one).

You miss my point and did not really read what I wrote.

For sure block *.iso or *.whatever

BUT. Anyone who wants to bypass it can easily change the extension.

So you block .iso

I copy somefile.iso to somefile.jpg and mail it to my friend and tell him to save it as somefile.iso

Your super blocking code is instantly rendered completely useless because it blocks .iso but allows .jpg (or whatever... don't read this literally)

So simply blocking by extension is not a foolproof solution. That's why antivirus doesn't rely on it.

Hence people are trying to see if there is another method.

But it seems there is no foolproof one currently - it is a really tricky area.

If you have a way to do it then let us know.

ReetP

I didn't want to offend you or anybody else here in this forum. Sorry, if you got me wrong. I do know about the difficulties you wrote about.

regards,
stefan

SchulzStefan
Re: block iso email attachment
« Reply #24 on: May 27, 2019, 10:20:25 PM »
Quote
SchulzStefan

It would be helpful to know what your real motivation is.
"Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense."

Is it that you just think sending iso's is nonsense, or perhaps do you object to large attachments slowing down the mailserver.

Instead of blocking file suffix types, a workaround is that you could limit the size of emails, & anything that has a big iso or img attachment will be blocked (as well as all other attachments that are bigger than the set limit).
See the FAQ for size setting commands.
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Set_max_email_size

eg
config setprop qpsmtpd MaxScannerSize 10000000
signal-event email-update

would probably stop most iso's & img's but still allow large other types of attachments (depending on your personal interpretation of large), & depending on the setting of your other size limits.

Here is another possibility, I have not looked at it so cannot comment on effectiveness or usefulness.
https://wiki.contribs.org/Qpsmtpd:exe_filter

Janet

what do you mean with real motivation? I want to block any email with an iso file attached. No investigation, if the file suffix is dot iso, rejection. I simply don't want my users receiving emails with iso files attached.

I already limited the size of emails.

https://wiki.contribs.org/Qpsmtpd:exe_filter - I'll have a look into this. Until today I didn't know of the existence of this... Thank you for the hint.

regards,
stefan

janet
Re: block iso email attachment
« Reply #25 on: May 28, 2019, 12:07:52 AM »
SchulzStefan

Quote
stefan wrote:
what do you mean with real motivation?
 I simply don't want my users receiving emails with iso files attached.

Why ?
What is your reason, is it a technical  reason, & if so, what ?


Quote
I already limited the size of emails.

To what size & which setting or settings ?
Has that helped stop iso & img attachments ?
« Last Edit: May 28, 2019, 12:23:35 AM by janet »

janet
Re: block iso email attachment
« Reply #26 on: May 28, 2019, 12:32:33 AM »
Hi michael mccarn

It seems you may have added this:
https://wiki.contribs.org/Qpsmtpd:exe_filter

Do you have any more details about usage & implementation ?
It seems similar to executable content blocking, but part of the text refers to blocking all attachments of a certain type eg zip (implies by name).

I understand this is "dumb" blocking, but it could still be useful as part of a layered protection approach.

Quote
I, too, have long wished for an easier way to block emails by attachment type on SME servers

mmccarn
Re: block iso email attachment
« Reply #27 on: May 28, 2019, 05:45:39 AM »
Quote
Do you have any more details about usage & implementation ?

Sadly, no.  (I created the various qpsmtpd pages using 'perldoc' so I could find things in them using google)

exe_filter looked to me like another flavor of the virus filter -- it seemed to be using pattern matching rather than simple name matching.

mmccarn
Re: block iso email attachment
« Reply #28 on: May 29, 2019, 04:05:26 PM »
Here are some details on how to block by filetype using spamassassin.

1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel is a positive non-zero number that is smaller than the custom score we will assign later.
Code:
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=12.00
    DNSAvailable=yes
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=50
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=disabled
    TagLevel=5
    UseBayes=1
    status=enabled

To set the values shown above:
Code:
config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled

2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img".
Code:
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL   Content-Type =~ /\.(rtf|iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95' > 80custom_rules

3. Activate
Code:
signal-event email-update

4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):
Code:
# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable

If something is misconfigured, all email will be blocked.

To revert these changes:

1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email
Code:
'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.
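Added example, not code from the thread or from SME Server, contrasting the two checks discussed in this thread: the mimeheader rule above, which only ever sees the attachment's name, and a base64-prefix pattern check in the style of the mailpatterns database, which sees content. It builds a constructed message with the same bytes attached once as disk.iso and once renamed to holiday.jpg (ReetP's cp example). The payloads, addresses and the pattern list (janet's two ISO candidates) are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The thread's SpamAssassin mimeheader rule as a Python regex. SpamAssassin
# applies it (case-insensitively) to the raw Content-Type header; here it is
# run over Content-Type and Content-Disposition, since the file name usually
# travels in the latter.
MIME_FAIL = re.compile(r"\.(rtf|iso|img)\b", re.IGNORECASE)

# Base64-prefix patterns in the style of the SME mailpatterns database:
# the two ISO candidates janet listed above.
ISO_PATTERNS = ("M+2QkJCQk", "RVIIAOsC/")

# Constructed payloads (not real files). The first base64-encodes to
# "M+2QkJCQk...", i.e. it carries the first ISO pattern; the second carries
# the JFIF header, whose pattern janet listed as "/9j/4AAQSkZJRg".
ISO_LIKE = b"\x33\xed" + b"\x90" * 30 + b"\x00" * 25
JPEG_LIKE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 47


def build_message(filename: str, payload: bytes) -> bytes:
    """Build a constructed test mail carrying one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def extension_hit(part) -> bool:
    """What the mimeheader rule sees: the attachment's name, nothing else."""
    headers = " ".join(str(part.get(h, ""))
                       for h in ("Content-Type", "Content-Disposition"))
    return MIME_FAIL.search(headers) is not None


def pattern_hit(part, patterns=ISO_PATTERNS) -> bool:
    """What the mailpatterns approach sees: the first base64 line of the body."""
    if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
        return False
    first_line = part.get_payload(decode=False).strip().splitlines()[0]
    return any(first_line.startswith(p) for p in patterns)


def scan(raw: bytes) -> dict:
    """Report which of the two checks fires on any attachment in the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"extension": False, "pattern": False}
    for part in msg.iter_attachments():
        result["extension"] |= extension_hit(part)
        result["pattern"] |= pattern_hit(part)
    return result


if __name__ == "__main__":
    cases = (("disk.iso", ISO_LIKE),      # caught by both checks
             ("holiday.jpg", ISO_LIKE),   # renamed: only the pattern check fires
             ("holiday.jpg", JPEG_LIKE))  # genuine picture: neither fires
    for name, data in cases:
        print(name, scan(build_message(name, data)))
```

Note that `\b` after the extension also matches a dot, so the rule fires on a name such as backup.iso.txt as well; whether that is wanted is a policy choice.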

ReetP
Re: block iso email attachment
« Reply #29 on: May 29, 2019, 05:38:00 PM »
Quote
Here are some details on how to block by filetype using spamassassin.

Note to the OP - as per previous comments, again this will ONLY block attachments NAMED with an extension eg rtf|iso|img

Anyone mildly enterprising can just rename the file and it will pass regardless.

Unless a file can be pattern matched I don't think there is a "fast and easy" nor foolproof way of doing this (I don't disagree that it would be nice to be able to do it)

From earlier posts:

Quote
Sending iso's as an email-attachment is IMVHO just nonsense

It may well be. It doesn't make blocking them any easier....

Quote
Therefore spending time for an investigation in this case is not helpful

https://wiki.contribs.org/Qpsmtpd:exe_filter

Unfortunately this method appears to use the same method as the virus filter - it looks for a MIME signature as illustrated above. It still requires patterns. It may also seriously stress your server with a very large file.

"exe_filter slurps the entire email into memory and uses Email::MIME to do the mime parsing, so it's reasonably memory hungry"

So the point that janet made is you might have to roll up your sleeves and get your hands dirty and do some investigating and monitoring to start with and see if you can see any common file patterns, which is probably the most effective way of blocking attachments.

Some basic file patterns were suggested. You might need to test for more.

Whether or not there are some patterns that cover all eventualities, I don't know, but testing is the only way to find out and that would probably be your best route. From what I can see testing on a few ISOs (confirming what Warren said above) there doesn't seem to be much in common so I don't think this is going to work. YMMV.

The simplest thing is, as suggested, just block attachments over a certain size (and again, use something like DL for anything larger). It is what we do here where we have a lot of large artwork files coming and going.

https://wiki.contribs.org/DownloadTicketService

The only issue is the Thunderbird plugin doesn't yet work with the latest Thunderbird 0.60.x, but hopefully will before long.

Personally I wish we could block all attachments, but hey ho. Such is life.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #30 on: May 29, 2019, 11:12:11 PM »
Quote
SchulzStefan

Why ?
What is your reason, is it a technical  reason, & if so, what ?


To what size & which setting or settings ?
Has that helped stop iso & img attachments ?

Janet,

the reason are the users. They click on every attachment. Download is starting, click again, there you go, it's a dot.exe, inside virus, malware, whatever. The attachment of the email is a file ending as an iso. It's of course *not* an iso, it's whatever. I don't want to know... I just want to block those emails.

No, emails are flowing in in different sizes, small, few hundred kB... Unfortunately no help.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #31 on: May 29, 2019, 11:19:40 PM »
Quote
Here are some details on how to block by filetype using spamassassin.

1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel is a positive non-zero number that is smaller than the custom score we will assign later.
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=12.00
    DNSAvailable=yes
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=50
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=disabled
    TagLevel=5
    UseBayes=1
    status=enabled


To set the values shown above:
Code:
config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled

2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img". 
Code:
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL   Content-Type =~ /\.(rtf|iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95' > 80custom_rules

3. Activate
Code:
signal-event email-update

4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):
Code:
# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable


If something is misconfigured, all email will be blocked


To revert these changes:

1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email
Code:
'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.

mmccarn,

here's what I did:

1.)
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=6.00
    DNSAvailable=yes
    MaxMessageSize=2000000
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=9
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=enabled
    TagLevel=4
    UseBayes=1
    status=enabled

2.)
less /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores

3.)
mimeheader MIME_FAIL   Content-Type =~ /\.(iso|img|ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95

I renamed a pdf to an iso file and sent this to my server. The email was rejected. Seems to work. Emails with other attachments are coming in, I got no complaints so far.

I'll report if I stumble over issues not seen so far.

Thanks to everybody sharing this thread.

regards,
stefan

Offline ReetP

  • *
  • 3,892
  • +6/-0
Re: block iso email attachment
« Reply #32 on: May 30, 2019, 03:02:23 AM »
Don't forget the huge gaping flaw in your plan Stan.

Quote
I renamed a pdf to an iso file and sent this to my server. The email was rejected.

Convert to:

Quote
I renamed an ISO to a PDF file and sent this to my server, and it went through quite happily and my server and I never noticed a thing..... until I was relaxing having a nice beer one day knowing how safe I was when some bad person sent a sneaky EXE that some user got tricked into saving and opening and it's wiped out all the desktops.....

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

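As an added example (not code from the thread, SpamAssassin or SME Server), the following Python stands in for SpamAssassin's MIMEHeader plugin to show what the rule from the replies above actually tests: Stefan's renamed-PDF check, the renamed-ISO case ReetP describes, and a double-extension name the rule's \b also catches. The addresses, filenames, sample bytes and the ISO 9660 magic check are assumptions constructed for the demo.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The thread's rule as SpamAssassin's MIMEHeader plugin applies it: a regex
# over the Content-Type header text of every MIME part, nothing else.
EXT_RULE = re.compile(r"\.(rtf|iso|img)\b", re.IGNORECASE)

# ISO 9660 images carry the volume descriptor id "CD001" at byte 0x8001.
# Raw .img or UDF images have no such fixed signature, so a content check
# is not a complete answer either; it is shown here for ISO 9660 only.
ISO9660_OFFSET, ISO9660_MAGIC = 0x8001, b"CD001"

def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed test message with one attachment; the name goes into
    both Content-Type (name=) and Content-Disposition (filename=)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "test attachment"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename, params={"name": filename})
    return msg.as_bytes()

def extension_rule_hits(raw: bytes) -> bool:
    """What the thread's rule tests: header text only, never the bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    return any(EXT_RULE.search(part.get("Content-Type", ""))
               for part in msg.walk())

def iso9660_hits(raw: bytes) -> bool:
    """A content check the rule does not do: look for the ISO 9660 magic."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data[ISO9660_OFFSET:ISO9660_OFFSET + 5] == ISO9660_MAGIC:
            return True
    return False

# Constructed samples: Stefan's test (a PDF renamed .iso), ReetP's inverse
# (a real ISO 9660 image renamed .pdf) and a double extension the \b in the
# rule also catches although the file is a JPEG.
RENAMED_PDF = build_message("invoice.iso", b"%PDF-1.4 not a disc image")
RENAMED_ISO = build_message("holiday.pdf", b"\0" * ISO9660_OFFSET + b"CD001\x01")
DOUBLE_EXT = build_message("photo.img.jpg", b"\xff\xd8\xff\xe0 jpeg bytes")

if __name__ == "__main__":
    for name, raw in [("invoice.iso", RENAMED_PDF), ("holiday.pdf", RENAMED_ISO), ("photo.img.jpg", DOUBLE_EXT)]:
        print(name, "ext rule:", extension_rule_hits(raw), "iso9660 magic:", iso9660_hits(raw))
```

The renamed PDF is rejected by the extension rule, as Stefan observed, while the real image named .pdf passes it and is only caught by looking at the bytes; the .img.jpg case shows the rule also rejects harmless files whose name merely contains the extension.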

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #33 on: May 30, 2019, 12:30:27 PM »
Quote
Don't forget the huge gaping flaw in your plan Stan.

Convert to:

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

ReetP

Of course you're right. All viruses in attachments (or even stupid links in emails clicked by users) not known to clamav or to any virus-scanner working on the workstations, will cause damage.

And yes - I'm paranoid with my data.

regards,
stefan

Offline janet

  • *****
  • 4,812
  • +0/-0
Re: block iso email attachment
« Reply #34 on: May 30, 2019, 01:32:59 PM »
SchulzStefan

Quote
And yes - I'm paranoid with my data.

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed attachment content types selected including zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline ReetP

  • *
  • 3,892
  • +6/-0
Re: block iso email attachment
« Reply #35 on: May 30, 2019, 03:51:38 PM »
Quote
And yes - I'm paranoid with my data.

In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #36 on: May 30, 2019, 10:43:30 PM »
Quote
SchulzStefan

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed attachment content types selected including zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.

Janet,

executable content is already enabled. We do use dropboxes for big data.

regards,
stefan

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #37 on: May 30, 2019, 11:03:15 PM »
Quote
In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)

ReetP,

thank you for your hints and thoughts. I'm certainly not the only one thinking about a safer IT.

Therefore I use a hardware-firewall (opnsense) in front of the (server-only) smeserver. Don't get me wrong - I don't want to start a discussion about internal or external firewalls. The firewall is modded with all security addons (internal and external net) which are available as addons. Till today (doing IT since 1981) I never have been hacked (or should I better say, didn't realise that I'm already hacked?). I try to take very careful care of logs, internal and external traffic, sources, domains, IPs, etc.

I'm doing twice a day backups - one USB and one AFFA-server is running all time with the smeserver. I know what it means to a company, if your IT does not work.

Nevertheless I don't want to spend time for the above mentioned attachments. If anyone sends an email with an attachment defined to block, it's one email less to care about. Because it's blocked.

I do know about viruses in PDF, ZIP, RAR, EXE, DOCX, and so on. There's still enough to take care about. And IMVHO (sorry for my paranoia), I think all this is getting worse in future. I know blocking attachments cannot be the all-incl-insurance. This was never my intention.

regards,
stefan

Offline ReetP

  • *
  • 3,892
  • +6/-0
Re: block iso email attachment
« Reply #38 on: October 04, 2024, 12:49:59 AM »
Quote
Here are some details on how to block by filetype using spamassassin.

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.

Mike, I am trying to clear up some issues for v11.

Any more experiences on this either on v10 or a v11?

https://bugs.koozali.org/show_bug.cgi?id=10779

Thanks.

