Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: SchulzStefan on May 20, 2019, 04:28:36 PM
-
We see a lot of email attachments like *.img and *.iso from untrusted sources.
Is there an easy way to block those emails?
Thanks for any reply,
stefan
-
Googling around leads to this approach:
In /etc/mail/spamassassin/local.cf adding the lines:
mimeheader MIME_FAIL Content-Type =~ /\.(iso|img)\b/i
describe MIME_FAIL Blacklisted file extension detected
score MIME_FAIL 5
Would this do the trick?
-
SchulzStefan
The server manager Email panel for Executable content blocking may help you.
If those formats are not blocked using any of the standard available file types (that are in the selection list), then you can create your own file "magic" for img & iso using the steps outlined in the latter section of this Howto:
https://wiki.contribs.org/Virus:Email_Attachment_Blocking
Let us know your results.
-
Janet,
I read the wiki about creating own magics. I'm looking for a fast and easy way. Seems much more easy to me to template the local.cf if this approach works. Therefore my question, will this work? Of course, I'll try it for my own. I implemented this already and restarted qmail and spamd. I'll report.
regards,
stefan
-
Googling around leads to this approach:
In /etc/mail/spamassassin/local.cf adding the lines:
mimeheader MIME_FAIL Content-Type =~ /\.(iso|img)\b/i
describe MIME_FAIL Blacklisted file extension detected
score MIME_FAIL 5
Would this do the trick?
Negative.
-
Try a 95 score
This needs to have spamassassin enabled
and sorting to spam folder Enabled if reject score not reached.
Also 5 might be reduced under 4 with other positive filter and might show the mail.
The mime type filter might be more effective to block
-
SchulzStefan
"I read the wiki about creating own magics. I'm looking for a fast and easy way."
It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.
You have probably spent more time than that on other non successful methods.
Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.
-
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.
I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?
This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # grep -E: "(iso|img)" is an alternation; a bracket expression "[iso|img]" would only match one character.
  # "config get" prints just the value ("config show" prints key=value, which would never match a file name).
  find "$maildir" -type f -name "*.$(config get ServerName)*" -ctime -1 -exec grep -Eil 'Content-Disposition: attachment; filename=.*\.(iso|img)\b' {} \;
done
-
It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.
I don't understand - *every* attachment is different.
Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.
That's correct.
-
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.
I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?
This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # grep -E: "(iso|img)" is an alternation; a bracket expression "[iso|img]" would only match one character.
  # "config get" prints just the value ("config show" prints key=value, which would never match a file name).
  find "$maildir" -type f -name "*.$(config get ServerName)*" -ctime -1 -exec grep -Eil 'Content-Disposition: attachment; filename=.*\.(iso|img)\b' {} \;
done
Aha. Seems I'm not the only one thinking about an easy way to block any attachment you want.
I'll give the script a try.
-
SchulzStefan
Blocking by filename type (suffix) is flawed, as files can be an exe or zip or whatever else type content but be named *.txt, thus avoiding detection.
I don't understand - *every* attachment is different.
Well so you claim.
In plain English, in most cases though, files of a certain format, say zipv1, have a common set of characters at the very beginning of the file "code", this is known as the "magic" or "signature" or "pattern", & is usually 9 characters or more that are identical in "every" zipv1 file.
The same concept applies to zipv2 & exe & other file formats, they all have a unique & identical set of characters at the beginning of the file, which is identical for each specific file format type.
The neat aspect of file pattern matching is that the file can have a false name, say filename.txt, but if it is actually a zipv1 or exe format file, then the pattern matching will detect & reject it. A false name cannot trick or fool the pattern matching filter, as it examines the file content rather than the file name.
So as no specific pattern is listed in the SME server database for iso & img files, you will need to determine what the pattern or magic is, add it to the mailpatterns database & select that option in server manager.
The full instructions are in the Howto & while appearing to be complex, it is fairly straightforward if you follow the step by step instructions (ie the section about determining the magic & creating a database entry).
I do not personally know for sure if there are common patterns for all variants of iso & img files, that is why you would need to run the commands described in the Howto against a few different iso & img files.
-
SchulzStefan
From the Howto article are these extra patterns you can add. They may catch some of your unwanted img files as they detect content rather than filename.
Extra patterns
Extra patterns not included in the default database that may be enabled if required for blocking of multimedia files etc (long & short versions listed)
Note:
These have not been thoroughly tested and may need further refinement to ensure they accurately represent the signature pattern for all occurrences of the particular file type
SCR screen saver files - MS-DOS executable (EXE)
Example: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Pattern: TVqQAAMAAA
PIF1 - data
Example: AHhUYXggMTk5OCAgICAgICAgICAgICAgICAgICAgICCAAgAAWTpcSFNPRlRcSFQ5OFxIVDk4LkVY
Pattern: AHhUYXgg
PIF2 - data
Example: AMlIbDk5LmV4ZSAgICAgICAgICAgICAgICAgICAgICCAAIAAVDpccHJpdmF0ZVxIc29mdFxITFxI
Pattern: AMlIbDk5Lm
PIF3 - data
Example: AHhIYW5kaVJlZ2lzdGVyIDIwMDAgICAgICAgICAgICCAAgAAWTpcSHNvZnRcSFJcSFIwMC5FWEUA
Pattern: AHhIYW5k
WAV sound file - data
Example: UklGRiRwLgBXQVZFZm10IBAAAAABAAIAgLsAAADuAgAEABAAZGF0YQBwLgAAAAAAAAAAAAAAAAAA
Pattern: Uk1GRiRwL
JPEG image data, JFIF standard 0.00, aspect ratio, 0 x 0
Example: /9j/4AAQSkZJRgABAgEBLAEsAAD/7RLSUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABABLAAAAAEA
Pattern: /9j/4AAQSkZJRg
TIF - TIFF image data, little-endian
Example: SUkqAAgAAAAQAP4ABAABAAAAAAAAAAABAwABAAAAJgMAAAEBAwABAAAAQAUAAAIBAwADAAAAzgAA
Pattern: SUkqAAgAAAA
PPT powerpoint presentation -Microsoft Office Document
Example: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAADEAwAAIRgBAAAAAAAA
Pattern: 0M8R4KGxGuEA
WMV Windows Media Player video file - Microsoft ASF
Example: MCaydY5mzxGm2QCqAGLObH8PAAAAAAAACwAAAAECodyrjEepzxGO5ADADCBTZWgAAAAAAAAAeeIB
Pattern: MCaydY5mzxGm
MPG mpeg1 video file - MPEG system stream data
Example: AAABuiEAAQAHgCgdAAABuwAMgCgdBeH/4OAuwMAgAAAB4AfcYC4xAAGMUREAAXAxAAABsxYBIIME
Pattern: AAABuiEAAQAHg
M2P mpeg2 video file - MPEG system stream data
Example: AAABukQABAAGBQFG//gAAAG7AAyAo38F4X/g4OfAwCAAAAHgB9qAwQ0xAAG2QxEAAZojHmDnAAAB
Pattern: AAABukQABAAGB
AVI video file - RIFF (little-endian) data
Example: UklGRpC0qQBBVkkgTElTVDYBAABoZHJsYXZpaDgAAABAnAAA5MJnAAAAAAAQAAEAWggAAAAAAAAC
Pattern: UklGRpC0qQBB
-
SchulzStefan
From the Howto.
Determining file pattern, signature or magic
To find out what the pattern or signature or magic for a file is, it needs to be run through a base64 encoding routine and the appropriate strings determined from the first line of the output. That is, for "sane" files which have "magic" numbers at the start. The file can also be decoded to find out what type of it is. Published file specifications (where available) could also be referred to.
Copy a file to a folder on SME Server, say filename.zip
At the command prompt do
perl -MMIME::Base64 -0777 -ne 'print encode_base64($_)' <filename.zip | head -1
This gives an output of
UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV
A suitable substring needs to be picked to use as the pattern for this file type, for example:
UEsDBAoAA
The pattern string needs to be long enough to avoid "false positives" and short enough to catch all of that file type. Running the above command across a few files of a particular type will usually clearly show the appropriate substring.
To find out the file type details
echo 'UEsDBAoAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result
file /tmp/17.exe
the output is
/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file
An alternative way of identifying the file pattern or signature for users of Clamavis-ng is to view the quarantined messages in /var/spool/amavis-ng/quarantine
Here is an extract from a quarantined infected message that mimics a zip file
File: 406a8bee~aad.msg Col 0 30787 bytes
----------mtohkeqkmfnipbfntepj
Content-Type: application/octet-stream; name="AttachedFile.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AttachedFile.zip"
UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV1OwspplLsSWrbYvwOvHVHYOYDOiVliyLlDWU2LYVELdEiwxkwOPVsk3+m/Ddl9U56v6+tbrdXPEBTv+yEH56h/R+Bbk54hUOLieVPW61QOD7YVXZilxgCAZ+SppPxWuKv2iCBuw5qQ5N/r7CISrWWEPaAzGYwUmuERoNMEo4TFm6yV2BqBhv+Y1e/SLz30EV6anGmvwvKiWaLfcjo8sfF3UDQ203TAV33kypvZDqAsF/g3O1rvbEf+K/pZpWjOy1A5S3OWF7IKsbNxQdwqWPvuO6XS6QHwLQAF+6q4LKdUFM89j+lnKR3bXaGU3v18YN862XIeJtEqW3Ulbj8MA33IBDoTQzpYQwGQm+?????????..
So to create a new pattern for this message use
UEsDBAoAA
which is the pattern corresponding to ZIPV1 file type
UEsDBAoAA: Zip archive data, at least v1.0 to extract
-
Just some observations on some file types i tested
Some files show a pattern in the magic number, others not :?
File name magic found
boot.img 6zyQU1lTTElOVVgAAgEBAAIQAEAL8AkAEgACAAAAAAAAAAAAAAApducAQCAgICAgICAgICAgRkFU
FreePBX-32bit-10.13.66_usb.img 61iQU1lTTElOVVgAAgAAAAAAAAAAAAAAIABAAAAAAAAAgD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DGN2000_V1.1.8.0.img EAACeQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
proxmox-ve_4.0-a7dc5694-9.iso RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
proxmox-ve_4.4.iso RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
ubuntu-18.04.1-desktop-amd64.iso RVIIAAAAkJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
smeserver-9.2-x86_64.iso M+36jtW8AHz7/GYx22YxyWZTZlEGV47djsVSvgB8vwAGuQAB86XqKwYAAFK0QbuqVTHJMPb5zRNy
smeserver-10.0.alpha3-x86_64.iso M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
super_grub2_disk_hybrid_2.00s2.iso 62OQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
kali-linux-1.0.6-amd64.iso M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
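The Howto extract above and this survey of first lines together explain the result: the base64 pattern trick only works when a format's magic sits at offset 0. The following Python is added here as an example (it is not code from the Howto or from SME Server): it derives patterns the way the Howto does, and builds a skeletal ISO 9660 image to show why ISO images have no stable first line (their "CD001" identifier sits 32 KiB in, behind whatever the image builder put in the system area). All sample bytes are constructed.

```python
import base64
import os

# Constructed samples: the documented leading bytes of a ZIP local file header
# and of a DOS/PE "MZ" executable, followed by arbitrary filler.
ZIP_A = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + bytes(range(1, 60))
ZIP_B = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + bytes(range(100, 159))
EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(60)


def base64_first_line(data: bytes, line_len: int = 76) -> str:
    """Same as `perl -MMIME::Base64 ... | head -1`: MIME base64 wraps at 76
    characters, so the first line covers only the first 57 bytes of the file."""
    return base64.b64encode(data).decode("ascii")[:line_len]


def magic_to_pattern(magic: bytes) -> str:
    """Base64 prefix fully determined by `magic` sitting at file offset 0.
    Base64 maps 3 bytes to 4 characters; a trailing partial group would mix in
    bits of the next (unknown) byte, so only whole 3-byte groups are kept."""
    usable = len(magic) - len(magic) % 3
    return base64.b64encode(magic[:usable]).decode("ascii")


def pattern_to_magic(pattern: str) -> bytes:
    """Reverse step from the Howto (`echo PATTERN | perl ... decode_base64`),
    trimmed to whole 4-character groups so the bytes can be handed to `file`."""
    usable = len(pattern) - len(pattern) % 4
    return base64.b64decode(pattern[:usable])


def common_pattern(files) -> str:
    """Longest prefix shared by the first base64 line of several files: the
    'run the command across a few files of that type' step done in code."""
    return os.path.commonprefix([base64_first_line(f) for f in files])


# --- Why ISO images show no common first-line pattern -----------------------
SECTOR = 2048
SYSTEM_AREA = 16 * SECTOR  # first 32 KiB of an ISO 9660 image, free for boot code


def fake_iso(boot_code: bytes) -> bytes:
    """Constructed ISO 9660 skeleton: the system area (boot loader, hybrid MBR
    or plain padding, chosen by the image builder) comes first; the Primary
    Volume Descriptor with the "CD001" identifier only starts at offset 0x8000."""
    pvd = b"\x01CD001\x01\x00"
    return boot_code.ljust(SYSTEM_AREA, b"\x00") + pvd.ljust(SECTOR, b"\x00")


def is_iso9660(data: bytes) -> bool:
    """Content check that depends neither on the file name nor on the first line."""
    return len(data) > SYSTEM_AREA + 6 and data[SYSTEM_AREA + 1:SYSTEM_AREA + 6] == b"CD001"


if __name__ == "__main__":
    print(magic_to_pattern(b"PK\x03\x04\x0a\x00"))  # UEsDBAoA, start of the Howto's UEsDBAoAA
    print(common_pattern([ZIP_A, ZIP_B]))
    print(pattern_to_magic("UEsDBAoAA"))
    iso_a = fake_iso(b"BOOTCODE-A" + bytes(range(40)))
    iso_b = fake_iso(b"BOOTCODE-B" + bytes(range(40, 80)))
    # Same format, different first lines, yet both carry the identifier at 0x8001.
    print(base64_first_line(iso_a) == base64_first_line(iso_b), is_iso9660(iso_a))
```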
-
warren
Good work
There was/is no guarantee that there is a common file magic.
"Just some observations on some file types i tested
Some files show a pattern in the magic number, others not :?"
In that situation multiple patterns would have to be used eg isov1, isov2, isov3 etc
These 2 are possibilities:
M+2QkJCQk
RVIIAOsC/
or
RVIIA
Unfortunately I have not been able to test any iso's recently as been rather busy this week.
The original reporter SchulzStefan, could always monitor the iso's etc that he receives & creates patterns from those.
While they may not work appropriately for everyone as common patterns, they would work on his own SME server system quite well, as he wants to block all iso's, so he could just keep adding patterns for every iso file he receives.
-
The original reporter SchulzStefan, could always monitor the iso's etc that he receives & creates patterns from those.
While they may not work appropriately for everyone as common patterns, they would work on his own SME server system quite well, as he wants to block all iso's, so he could just keep adding patterns for every iso file he receives.
That's exactly the point: I don't want to monitor emails with iso-attachments. I'd like to block any email - without any investigation - with an iso-attachment. Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense. Therefore spending time for an investigation in this case is not helpful.
regards,
stefan
-
Has anyone tested/integrated this in the smeserver?
http://qmail-scanner.sourceforge.net/
https://www.tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x179.html
If I understand correct, this should do it?
-
Your problem still remains unless you block every single attachment
cp some.iso some.jpg
Mail the jpg.....
I don't believe there is a 'one size fits all' simple solution.
-
Your problem still remains unless you block every single attachment
cp some.iso some.jpg
Mail the jpg.....
I don't believe there is a 'one size fits all' simple solution.
I don't get it.
Are you saying there's a solution for blocking every jpg-attachment?
Where is the problem, if I want to reject every email with an attachment which is an iso? I don't want to investigate the attachment (or the content of the email), I just want to reject the email in case, that there's an iso-attachment. I don't want to know anything about the email nor the attachment. If the ending of the attachment is dot iso, I want this email to be rejected or quarantined. If the iso has been copied to a jpeg (or anything else) this would be another problem to me.
Question to the specialists: there's really no solution/addon for qmail (like black- or whitelist in the server-panel) to block/reject an email with an unwanted file-suffix? It's just stupid blocking, no investigation. Email with an unwanted attachment comes in, reject. End. Nothing else.
regards,
stefan
-
Please don't get so hot under the collar just because no one has provided you with a 'simple' solution you want (because there isn't really a 'good' simple one)
You miss my point and did not really read what I wrote.
For sure block *.iso or *.whatever
BUT. Anyone who wants to bypass it can easily change the extension.
So you block .iso
I copy somefile.iso to somefile.jpg and mail it to my friend and tell him to save it as somefile.iso
Your super blocking code is instantly rendered completely useless because it blocks .iso but allows .jpg (or whatever... don't read this literally)
So simply blocking by extension is not a foolproof solution. That's why antivirus doesn't rely on it.
Hence people are trying to see if there is another method.
But it seems there is no fool proof one currently - it is a really tricky area.
If you have a way to do it then let us know.
-
Question to the specialists:
If you write stuff like that you may find you don't get much help.
I help fix stuff here for fun. Not abuse. I'm not trying to make fun of you. Just looking at facts.
If you want it fixed then you can:
1. Get build access and do it yourself so everyone benefits
2. Hope people like me write a patch for you. If it is actually possible.
Please, save the sarcasm, and don't bite the hand that feeds you.
-
there's really no solution/addon for qmail (like black- or whitelist in the server-panel) to block/reject an email with an unwanted file-suffix? It's just stupid blocking, no investigation. Email with an unwanted attachment comes in, reject. End. Nothing else.
regards,
stefan
this is not qmail work, this is qpsmtpd that receive emails from outside.
Reetp did answer you why this is not the solution to simply check for file extension.
nowadays most attacks will be using pdf, docx, odt and other files; you cannot simply block the extension or you will just make your users move to another service to get the files they want.
-
SchulzStefan
It would be helpful to know what your real motivation is.
"Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense."
Is it that you just think sending iso's is nonsense, or perhaps do you object to large attachments slowing down the mailserver.
Instead of blocking file suffix types, a workaround is that you could limit the size of emails, & anything that has a big iso or img attachment will be blocked (as well as all other attachments that are bigger than the set limit).
See the FAQ for size setting commands.
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Set_max_email_size
eg
config setprop qpsmtpd MaxScannerSize 10000000
signal-event email-update
would probably stop most iso's & img's but still allow large other types of attachments (depending on your personal interpretation of large), & depending on the setting of your other size limits.
Here is another possibility, I have not looked at it so cannot comment on effectiveness or usefulness.
https://wiki.contribs.org/Qpsmtpd:exe_filter
-
Please don't get so hot under the collar just because no one has provided you with a 'simple' solution you want (because there isn't really a 'good' simple one)
You miss my point and did not really read what I wrote.
For sure block *.iso or *.whatever
BUT. Anyone who wants to bypass it can easily change the extension.
So you block .iso
I copy somefile.iso to somefile.jpg and mail it to my friend and tell him to save it as somefile.iso
Your super blocking code is instantly rendered completely useless because it blocks .iso but allows .jpg (or whatever... don't read this literally)
So simply blocking by extension is not a foolproof solution. That's why antivirus doesn't rely on it.
Hence people are trying to see if there is another method.
But it seems there is no fool proof one currently - it is a really tricky area.
If you have a way to do it then let us know.
ReetP
I didn't want to offend you or anybody else here in this forum. Sorry, if you got me wrong. I do know about the difficulties you wrote about.
regards,
stefan
-
SchulzStefan
It would be helpful to know what your real motivation is.
"Saying it's a company rule. Sending iso's as an email-attachment is IMVHO just nonsense."
Is it that you just think sending iso's is nonsense, or perhaps do you object to large attachments slowing down the mailserver.
Instead of blocking file suffix types, a workaround is that you could limit the size of emails, & anything that has a big iso or img attachment will be blocked (as well as all other attachments that are bigger than the set limit).
See the FAQ for size setting commands.
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Set_max_email_size
eg
config setprop qpsmtpd MaxScannerSize 10000000
signal-event email-update
would probably stop most iso's & img's but still allow large other types of attachments (depending on your personal interpretation of large), & depending on the setting of your other size limits.
Here is another possibility, I have not looked at it so cannot comment on effectiveness or usefulness.
https://wiki.contribs.org/Qpsmtpd:exe_filter
Janet
what do you mean with real motivation? I want to block any email with an iso file attached. No investigation, if the file suffix is dot iso, rejection. I simply don't want my users receiving emails with iso files attached.
I already limited the size of emails.
https://wiki.contribs.org/Qpsmtpd:exe_filter - I'll have a look into this. Until today I didn't know of the existence of this... Thank you for the hint.
regards,
stefan
-
SchulzStefan
stefan wrote:
what do you mean with real motivation?
I simply don't want my users receiving emails with iso files attached.
Why ?
What is your reason, is it a technical reason, & if so, what ?
I already limited the size of emails.
To what size & which setting or settings ?
Has that helped stop iso & img attachments ?
-
Hi michael mccarn
It seems you may have added this:
https://wiki.contribs.org/Qpsmtpd:exe_filter
Do you have any more details about usage & implementation ?
It seems similar to executable content blocking, but part of the text refers to blocking all attachments of a certain type eg zip (implies by name).
I understand this is "dumb" blocking, but it could still be useful as part of a layered protection approach.
I, too, have long wished for an easier way to block emails by attachment type on SME servers
-
Do you have any more details about usage & implementation ?
Sadly, no. (I created the various qpsmtpd pages using 'perldoc' so I could find things in them using google)
exe_filter looked to me like another flavor of the virus filter -- it seemed to be using pattern matching rather than simple name matching.
-
Here are some details on how to block by filetype using spamassassin.
1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel is a positive non-zero number that is smaller than the custom score we will assign later.
# config show spamassassin
spamassassin=service
BayesAutoLearnThresholdNonspam=0.10
BayesAutoLearnThresholdSpam=12.00
DNSAvailable=yes
MessageRetentionTime=90
OkLanguages=all
OkLocales=all
RejectLevel=50
ReportSafe=0
Sensitivity=custom
SkipRBLChecks=0
SortSpam=enabled
Subject=[SPAM]
SubjectTag=disabled
TagLevel=5
UseBayes=1
status=enabled
To set the values shown above:
config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled
2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img".
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL Content-Type =~ /\.(rtf|iso|img)\b/i
describe MIME_FAIL Blacklisted file extension detected
score MIME_FAIL 95' > 80custom_rules
3. Activate
signal-event email-update
4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):
# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable
If something is misconfigured, all email will be blocked
To revert these changes:
1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email
'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update
Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses". I disabled clamd using config setprop clamd status disabled. I don't know if this is related to these notes, or to another issue with my server.
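To see what the two mechanisms discussed in this thread actually look at, here is a small Python model, added as an example and not part of the post above or of SME Server: the `mimeheader` rule is matched against each MIME part's Content-Type header (which carries the `name=` parameter), as SpamAssassin does, and a mailpatterns-style check compares the first base64 body line against the content signatures quoted from the Howto earlier in the thread. The message builder and addresses are constructed; a renamed attachment slips past the first check but not the second, which is the point made several times above.

```python
import base64
import email
import re

# The SpamAssassin rule from the post: applied to every MIME part's Content-Type.
EXT_RULE = re.compile(r"\.(rtf|iso|img)\b", re.IGNORECASE)
EXT_SCORE = 95       # score MIME_FAIL 95
REJECT_LEVEL = 50    # config setprop spamassassin RejectLevel 50

# Content patterns in the style of the SME mailpatterns database; the base64
# prefixes are the ones quoted from the Howto earlier in this thread.
PATTERNS = {"zipv1": "UEsDBAoAA", "exe": "TVqQAAMAAA"}

# Constructed attachment bytes: a ZIP local file header followed by filler.
ZIP_LIKE = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + bytes(60)


def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed two-part message with one base64 attachment, the same shape
    as the quarantine extract quoted earlier (hypothetical addresses)."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
        f'--b1\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{body}\r\n--b1--\r\n"
    ).encode("ascii")


def scan(raw: bytes) -> dict:
    """Run both checks over every leaf part and report what each one saw."""
    result = {"ext_rule": False, "pattern": None}
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # mimeheader check: the regex runs over the raw header value, name= included
        if EXT_RULE.search(part.get("Content-Type", "")):
            result["ext_rule"] = True
        # pattern check: compare the first encoded body line with known prefixes
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            lines = part.get_payload().strip().splitlines()
            first_line = lines[0].strip() if lines else ""
            for name, prefix in PATTERNS.items():
                if first_line.startswith(prefix):
                    result["pattern"] = name
    return result


def verdict(raw: bytes) -> str:
    """Outcome: pattern matching rejects at SMTP time; otherwise the
    SpamAssassin score is compared against RejectLevel."""
    r = scan(raw)
    if r["pattern"]:
        return f"reject (content pattern {r['pattern']})"
    score = EXT_SCORE if r["ext_rule"] else 0
    if score >= REJECT_LEVEL:
        return f"reject (score {score} >= RejectLevel)"
    return "accept"


if __name__ == "__main__":
    print(verdict(build_message("update.iso", ZIP_LIKE)))   # both checks fire
    print(verdict(build_message("update.jpg", ZIP_LIKE)))   # only the content pattern fires
    print(verdict(build_message("notes.txt", b"plain text")))  # accept
```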
-
Here are some details on how to block by filetype using spamassassin.
Note to the OP - as per previous comments again this this will ONLY block attachments NAMED with an extension eg rtf|iso|img
Anyone mildly enterprising can just rename the file and it will pass regardless.
Unless a file can be pattern matched I don't think there is a "fast and easy" nor foolproof way of doing this (I don't disagree that it would be nice to be able to do it)
From earlier posts:
Sending iso's as an email-attachment is IMVHO just nonsense
It may well be. It doesn't making blocking them any easier....
Therefore spending time for an investigation in this case is not helpful
https://wiki.contribs.org/Qpsmtpd:exe_filter
Unfortunately this method appears to use the same method as the virus filter - it looks for a MIME signature as illustrated above. It still requires patterns. It may also seriously stress your server with a very large file.
"exe_filter slurps the entire email into memory and uses Email::MIME to do the mime parsing, so it's reasonably memory hungry"
So the point that janet made is you might have to roll up your sleeves and get your hands dirty and do some investigating and monitoring to start with and see if you can see any common file patterns, which is probably the most effective way of blocking attachments.
Some basic file patterns were suggested. You might need to test for more.
Whether or not there are some patterns that cover all eventualities, I don't know, but testing is the only way to find out and that would probably be your best route. From what I can see testing on a few ISOs (confirming what Warren said above) there doesn’t seem to be much in common so I don't think this is going to work. YMMV.
The simplest thing is, as suggested, just block attachments over a certain size (and again, use something like DL for anything larger). It is what we do here where we have a lot of large artwork files coming and going.
https://wiki.contribs.org/DownloadTicketService
The only issue is the Thunderbird plugin doesn't yet work with the latest Thunderbird 0.60.x, but hopefully will before long.
Personally I wish we could block all attachments, but hey ho. Such is life.
-
SchulzStefan
Why ?
What is your reason, is it a technical reason, & if so, what ?
To what size & which setting or settings ?
Has that helped stop iso & img attachments ?
Janet,
the reason are the users. They click on every attachment. Download is starting, click again, there you go, it's a dot.exe, inside virus, malware, whatever. The attachment of the email is a file ending as an iso. It's of course *not* an iso, it's whatever. I don't want to know... I just want to block those emails.
No, emails are flowing in in different sizes, small, few hundred kB... Unfortunately no help.
regards,
stefan
-
Here are some details on how to block by filetype using spamassassin.
1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel is a positive non-zero number that is smaller than the custom score we will assign later.
# config show spamassassin
spamassassin=service
BayesAutoLearnThresholdNonspam=0.10
BayesAutoLearnThresholdSpam=12.00
DNSAvailable=yes
MessageRetentionTime=90
OkLanguages=all
OkLocales=all
RejectLevel=50
ReportSafe=0
Sensitivity=custom
SkipRBLChecks=0
SortSpam=enabled
Subject=[SPAM]
SubjectTag=disabled
TagLevel=5
UseBayes=1
status=enabled
To set the values shown above:
config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled
2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img".
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL Content-Type =~ /\.(rtf|iso|img)\b/i
describe MIME_FAIL Blacklisted file extension detected
score MIME_FAIL 95' > 80custom_rules
3. Activate
signal-event email-update
4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):
# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable
If something is misconfigured, all email will be blocked
To revert these changes:
1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email
'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update
Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses". I disabled clamd using config setprop clamd status disabled. I don't know if this is related to these notes, or to another issue with my server.
mmcarn,
here's what I did:
1.)
# config show spamassassin
spamassassin=service
BayesAutoLearnThresholdNonspam=0.10
BayesAutoLearnThresholdSpam=6.00
DNSAvailable=yes
MaxMessageSize=2000000
MessageRetentionTime=90
OkLanguages=all
OkLocales=all
RejectLevel=9
ReportSafe=0
Sensitivity=custom
SkipRBLChecks=0
SortSpam=enabled
Subject=[SPAM]
SubjectTag=enabled
TagLevel=4
UseBayes=1
status=enabled
2.)
less /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
3.)
mimeheader MIME_FAIL Content-Type =~ /\.(iso|img|ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
describe MIME_FAIL Blacklisted file extension detected
score MIME_FAIL 95
I renamed a pdf to an iso file and sent this to my server. The email was rejected. Seems to work. Emails with other attachments are coming in, I got no complaints so far.
I'll report if I stumble over not seen issues so far.
Thanks to everybody sharing this thread.
regards,
stefan
-
Don't forget the huge gaping flaw in your plan Stan.
I renamed a pdf to an iso file and sent this to my server. The email was rejected.
Convert to:
I renamed an ISO to a PDF file and sent this to my server, and it went through quite happily and my server and I never noticed a thing..... until I was relaxing having a nice beer one day knowing how safe I was when some bad person sent a sneaky EXE that some user got tricked into saving and opening and it's wiped out all the desktops.....
If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.
Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.
(Just trying to save you from yourself here)
-
Don't forget the huge gaping flaw in your plan Stan.
Convert to:
If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.
Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.
(Just trying to save you from yourself here)
ReetP
Of course you're right. All viruses in attachments (or even stupid links in emails clicked by users) not known to clamav or to any virus-scanner working on the workstations, will cause damage.
And yes - I'm paranoid with my data.
regards,
stefan
-
SchulzStefan
And yes - I'm paranoid with my data.
So from your earlier responses your real target is viruses & executable content in email message attachments.
Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed attachment content types selected including zip1 & zip2.
That blocks the majority of viruses sent by email in my experience.
Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.
-
And yes - I'm paranoid with my data.
In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.
(And I am really trying to help you here - I don't want to see you get hacked!)
-
SchulzStefan
So from your earlier responses your real target is viruses & executable content in email message attachments.
Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed attachment content types selected including zip1 & zip2.
That blocks the majority of viruses sent by email in my experience.
Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.
Janet,
executable content is already enabled. We do use dropboxes for big data.
regards,
stefan
-
In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.
(And I am really trying to help you here - I don't want to see you get hacked!)
ReetP,
thank you for your hints and thoughts. I'm certainly not the only one thinking about a safer IT.
Therefore I use a hardware-firewall (opnsense) in front of the (server-only) smeserver. Don't get me wrong - I don't want to start a discussion about internal or external firewalls. The firewall is modded with all security addons (internal and external net) which are available as addons. Til today (doing IT since 1981) I never have been hacked (or should I better say, didn't realise, that I'm already hacked?). I try to take very carefully care of logs, internal and external traffic, sources, domains, IP's, etc.
I'm doing twice a day backups - one USB and one AFFA-server is running all time with the smeserver. I know what it means to a company, if your IT does not work.
Nevertheless I don't want to spend time for the above mentioned attachments. If any sender of an email with an attachment defined to block, it's one email less to care about. Because it's blocked.
I do know about viruses in PDF, ZIP, RAR, EXE, DOCX, and so on. There's still enough to take care about. And IMVHO (sorry for my paranoia), I think all this is getting worse in future. I know blocking attachments cannot be the all-incl-insurance. This was never my intention.
regards,
stefan
-
Here are some details on how to block by filetype using spamassassin.
Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses". I disabled clamd using config setprop clamd status disabled. I don't know if this is related to these notes, or to another issue with my server.
Mike, I am trying to clear up some issues for v11.
Any more experiences on this either on v10 or a v11?
https://bugs.koozali.org/show_bug.cgi?id=10779
Thanks.