Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: willdoicu on August 19, 2016, 09:01:47 AM
-
Hello,
In the last few days I have had some problems with a pattern which looks like this:
UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC
It's a .docm attachment, and it does contain a malicious macro. The problem is the "+" character in the middle of the pattern. If I try to block the whole pattern, the server (SME 9.1) won't. As a result only the characters before the "+" will work, and .xlsx files would be blocked too.
Any idea?
-
Check this thread: https://forums.contribs.org/index.php/topic,52217.msg268321.html#msg268321
You can then block files that contain macros (*.docm).
I've found that if you have a block for ZIPV1 enabled, then you end up blocking (*.docx & *.xlsx) files, as they are basically zip files.
So remove the block for ZIPV1.
So in server-manager remove: E-mail => E-mail settings => Change e-mail filtering settings => Content to block => Zip archive data, at least v1.0 to extract
Then:
Enable the checking / blocking of OLE2BlockMacros via the link above:
mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf/
cd /etc/e-smith/templates-custom/etc/clamd.conf/
nano 25OLE2BlockMacros
OLE2BlockMacros yes
Save the file and exit.
signal-event post-upgrade
signal-event reboot
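Why the prefix before the "+" also catches .xlsx: the quoted base64 decodes to the first ZIP local file header of any OOXML document, whose first entry is always [Content_Types].xml, and the "+" falls on that entry's CRC-32, so only the characters after it are specific to the one .docm. The Python below is an added example, not code from the thread or from SME Server; it decodes the quoted pattern, parses that header, and shows that separating a .docm from a .docx/.xlsx needs the zip listing (a vbaProject.bin entry), which is the kind of content check a macro-blocking scanner performs rather than a byte-prefix match. The sample documents are constructed in memory.

```python
import base64
import io
import zipfile
from typing import Optional

# Base64 pattern quoted in the original post: the first bytes of the .docm attachment.
PATTERN = "UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC"

def decode_pattern(pattern: str) -> bytes:
    """Base64-decode a pattern fragment, padding it so a truncated line still decodes."""
    return base64.b64decode(pattern + "=" * (-len(pattern) % 4))

def zip_first_entry_name(data: bytes) -> Optional[str]:
    """Return the entry name from the first ZIP local file header (PK\\x03\\x04).

    The fixed header is 30 bytes; the name length sits at offset 26 and the name at
    offset 30. Bytes 14-17 hold that entry's CRC-32, which is where the '+' in the
    pattern falls: the characters before it encode only the signature, version, flag,
    method and timestamp fields, and the characters after it are specific to one file.
    """
    if data[:4] != b"PK\x03\x04" or len(data) < 30:
        return None
    name_len = int.from_bytes(data[26:28], "little")
    return data[30:30 + name_len].decode("ascii", "replace")

def is_macro_enabled_ooxml(data: bytes) -> bool:
    """True when the zip's entries include a VBA project (vbaProject.bin), i.e. .docm/.xlsm."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:  # truncated or not a complete archive
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)

def build_sample(kind: str) -> bytes:
    """Constructed minimal OOXML-style zips: 'docx', 'xlsx', or macro-enabled 'docm'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # first entry of every OOXML file
        zf.writestr("xl/workbook.xml" if kind == "xlsx" else "word/document.xml", "<x/>")
        if kind == "docm":
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    print("pattern decodes to entry:", zip_first_entry_name(decode_pattern(PATTERN)))
    for kind in ("docx", "xlsx", "docm"):
        sample = build_sample(kind)
        print(kind, zip_first_entry_name(sample), is_macro_enabled_ooxml(sample))
```

All three constructed files share the [Content_Types].xml header the pattern encodes, and only the .docm is reported as macro-enabled.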
-
ZIPV1 is blocked on my server, but .docx and .xlsx can still be sent and received.
I'll try to block macros; anyway, some of them are detected by clamav with the latest definition update.
Thanks!