Koozali.org: home of the SME Server

Block selected file types in compressed attachments possible?

Michail Pappas
« on: August 29, 2012, 08:42:46 AM »
I know that it is possible to configure SME to block certain file types, in email messages. For example, .exe files. Is it possible to block the same attachments, even if the user-disallowed file types are contained in compressed files? AFAIK, although .exe is blocked, exe files contained in zip attachments are not.

Any info/ideas on this?

Stefano
« Reply #1 on: August 29, 2012, 10:45:56 AM »
no, AFAIK.. and this is not a SME limitation

Michail Pappas
« Reply #2 on: August 29, 2012, 01:07:29 PM »
Yep, understood that this is no bug, just hoped that a db configuration might be possible to change behaviour to the desired one.

janet
« Reply #3 on: August 31, 2012, 10:40:25 AM »
Michail Pappas

If you refer to this
http://wiki.contribs.org/Virus:Email_Attachment_Blocking
and have a good careful read of it, you may be able to analyse a suitable signature for various file types within a zip file.
If possible or practical, then I would guess the signature would need to be quite long, much longer than the standard 9 or so characters, in order to cover a specific file type eg exe that is within a zip file.
Then add those signatures to the database, following the instructions in the wiki article.

Good luck and let us know if you are successful.

PS It's not hard to analyse the signatures, just follow the instructions. You just have to be careful to find a signature that is valid across all scenarios eg all exe files inside zip files and so on.

I should add, that the issue you describe is a good reason to block all zip file types in attachments, so that exe files are not accepted by the email system.

If you need to receive zip files of say large data files, use a separate method to allow users to upload exe or zip files to your server, eg webshare and there are now other options available as contribs, or even an external POP mailbox that you ensure is virus scanned.


Michail Pappas
« Reply #4 on: August 31, 2012, 01:21:38 PM »
Quote
If you refer to this
http://wiki.contribs.org/Virus:Email_Attachment_Blocking
and have a good careful read of it, you may be able to analyse a suitable signature for various file types within a zip file.
If possible or practical, then I would guess the signature would need to be quite long, much longer than the standard 9 or so characters, in order to cover a specific file type eg exe that is within a zip file.
Then add those signatures to the database, following the instructions in the wiki article.

Good luck and let us know if you are successful.

PS It's not hard to analyse the signatures, just follow the instructions. You just have to be careful to find a signature that is valid across all scenarios eg all exe files inside zip files and so on.
First, thank you for a very interesting article, I was pretty curious about these strange "abbreviations" (e.g. TvAAA). Unfortunately I have not been able to isolate patterns common to the exe files. In fact, even exe files matching the same pattern had different starting sequences when their zipped versions got encoded... In part, I think this is expected behaviour: one can use the header of an encoded file to differentiate it as a file type, however when zipped an exe file is not that different from a word, since the zip standard encodes internally filenames and content.

TBH, I do believe that this might be done, yet again one has to delve into the zip encoding...

The wiki article mentioned amavisd, which, AFAIK, is no longer used since it got replaced by spamd.

Quote
I should add, that the issue you describe is a good reason to block all zip file types in attachments, so that exe files are not accepted by the email system.
Indeed, for the last 6-7 years that I had my custom freebsd/postfix/amavisd combination, I did not have a single virus pass through email (at least AFAIK). In the 2 months of my SME mail server operation, a couple of viruses in zip files passed through. It was not a ClamAV deficiency per se, the 2nd one was a 0-day virus (took about 24 hours to be detected by major engines).

Quote
If you need to receive zip files of say large data files, use a separate method to allow users to upload exe or zip files to your server, eg webshare and there are now other options available as contribs, or even an external POP mailbox that you ensure is virus scanned.
The former is what I used in my previous setup.
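
The point made in Reply #4, as an added example that is not part of the original posts and is not SME Server code: the base64 text of a zip attachment starts the same way whatever it contains, so a leading signature cannot separate a zipped exe from a zipped document, while reading the archive's member names can. The function names, the `BLOCKED_EXTS` policy and the sample archives are assumptions constructed for this illustration.

```python
import base64, io, zipfile
from email import message_from_bytes
from email.message import EmailMessage

BLOCKED_EXTS = (".exe", ".scr", ".pif")  # assumed policy, not from the thread

def make_zip(member_name, payload):
    """Build a constructed one-member zip archive in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

def make_mail(zip_bytes, filename="files.zip"):
    """Wrap the archive in a constructed MIME message, base64-encoded."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()

def b64_prefix(data, n=5):
    """First n base64 characters, i.e. what a leading signature would match."""
    return base64.b64encode(data)[:n].decode()

def blocked_members(raw_mail):
    """Return names of zip members whose extension is on the block list."""
    hits = []
    for part in message_from_bytes(raw_mail).walk():
        body = part.get_payload(decode=True)      # None for multipart containers
        if not body or not body.startswith(b"PK\x03\x04"):
            continue                              # not a zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                hits += [n for n in zf.namelist()
                         if n.lower().endswith(BLOCKED_EXTS)]
        except zipfile.BadZipFile:
            hits.append("<unreadable zip>")       # fail closed on a broken archive
    return hits

if __name__ == "__main__":
    exe_zip = make_zip("setup.exe", b"MZ\x90\x00" + b"\x00" * 60)
    doc_zip = make_zip("report.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    print(b64_prefix(b"MZ\x90\x00", 4))           # a bare exe has its own prefix
    print(b64_prefix(exe_zip), b64_prefix(doc_zip))
    print(blocked_members(make_mail(exe_zip)), blocked_members(make_mail(doc_zip)))
```

Archives nested inside other archives are not opened by this sketch, which is one reason the thread's fallback of refusing zip attachments outright remains the simpler control.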