Koozali.org: home of the SME Server

block iso email attachment

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #30 on: May 29, 2019, 11:12:11 PM »
SchulzStefan

Why ?
What is your reason, is it a technical  reason, & if so, what ?


To what size & which setting or settings ?
Has that helped stop iso & img attachments ?

Janet,

the reason are the users. They click on every attachment. Download is starting, click again, there you go, it's an dot.exe, inside virus, malware, whatever. The attachment of the email is a file ending as an iso. It's of course *not* an iso, it's whatever. I don't want to know... I just want to block those emails.

No, emails are flowing in in different sizes, small, few hundred kB... Unfortunately no help.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #31 on: May 29, 2019, 11:19:40 PM »
Here are some details on how to block by filetype using spamassassin.

1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel" is a positive non-zero number that is smaller than the custom score we will assign later.
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=12.00
    DNSAvailable=yes
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=50
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=disabled
    TagLevel=5
    UseBayes=1
    status=enabled


To set the values shown above:
Code: [Select]
config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled

2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img". 
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL   Content-Type =~ /\.(rtf|iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95' > 80custom_rules

3. Activate
Code: [Select]
signal-event email-update

4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):
Code: [Select]
# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable


If something is misconfigured, all email will be blocked


To revert these changes:

1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email
Code: [Select]
'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.

mmcarn,

here's what I did:

1.)
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=6.00
    DNSAvailable=yes
    MaxMessageSize=2000000
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=9
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=enabled
    TagLevel=4
    UseBayes=1
    status=enabled

2.)
less /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores

3.)
mimeheader MIME_FAIL   Content-Type =~ \.(iso|img|ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95

I renamed a pdf to an iso file and sent this to my server. The email was rejected. Seems to work. Emails with other attachments are coming in, I got no complaints so far.

I'll report if I stumble over not seen issues so far.

Thanks to everybody sharing this thread.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline ReetP

  • *
  • 3,854
  • +5/-0
Re: block iso email attachment
« Reply #32 on: May 30, 2019, 03:02:23 AM »
Don't forget the huge gaping flaw in your plan Stan.

Quote
I renamed a pdf to an iso file and sent this to my server. The email was rejected.

Convert to:

Quote
I renamed a ISO to a PDF file and sent this to my server, and it went through quite happily and my server and I never noticed a thing..... until I was relaxing having a nice beer one day knowing how safe I was when some bad person sent a sneaky EXE that some user got tricked into saving and opening and it's wiped out all the desktops.....

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #33 on: May 30, 2019, 12:30:27 PM »
Don't forget the huge gaping flaw in your plan Stan.

Convert to:

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

ReetP

Of course you're right. All viruses in attachments (or even stupid links in emails clicked by users) not known to clamav or to any virus-scanner working on the workstations, will cause damage.

And yes - I'm paranoid with my data.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: block iso email attachment
« Reply #34 on: May 30, 2019, 01:32:59 PM »
SchulzStefan

Quote
And yes - I'm paranoid with my data.

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed atrachment content types selected inckuding zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline ReetP

  • *
  • 3,854
  • +5/-0
Re: block iso email attachment
« Reply #35 on: May 30, 2019, 03:51:38 PM »
And yes - I'm paranoid with my data.

In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #36 on: May 30, 2019, 10:43:30 PM »
SchulzStefan

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed atrachment content types selected inckuding zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.

Janet,

executable content is already enabled. We do use dropboxes for big data.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: block iso email attachment
« Reply #37 on: May 30, 2019, 11:03:15 PM »
In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)

ReetP,

thank you for your hints and thoughts. I'm certainly not the only one thinking about a safer IT.

Therefore I use a hardware-firewall (opnsense) in front of the (server-only) smeserver. Don't get me wrong - I don't want to start a discussion about internal or external firewalls. The firewall is modded with all security addons (internal and external net) which are available as addons. Til today (doing IT since 1981) I never have been hacked (or should I better say, didn't realise, that I'm already hacked?). I try to take very carefully care of logs, internal and external traffic, sources, domains, IP's, etc.

I'm doing twice a day backups - one USB and one AFFA-server is running all time with the smeserver. I know what it means to a company, if your IT does not work.

Nevertheless I don't want to spend time for the above mentioned attachments. If any sender of an email with an attachment defined to block, it's one email less to care about. Because it's blocked.

I do know about viruses in PDF, ZIP, RAR, EXE, DOCX, and so on. There's still enough to take care about. And IMVHO (sorry for my paranoia), I think all this is getting worser in future. I know blocking attachments cannot be the all-incl-insurance. This was never my intention.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline ReetP

  • *
  • 3,854
  • +5/-0
Re: block iso email attachment
« Reply #38 on: October 04, 2024, 12:49:59 AM »
Here are some details on how to block by filetype using spamassassin.

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.

Mike, I am trying to clear up some issues for v11.

Any more experiences on this either on v10 or a v11?

https://bugs.koozali.org/show_bug.cgi?id=10779

Thanks.


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation