Koozali.org: home of the SME Server

How to block ZIP file attachment

Gaetan
How to block ZIP file attachment
« on: November 28, 2014, 03:10:22 PM »
I am getting tired of receiving zip file attachments with viruses.
Is there a way to block those incoming emails?
In E-Mail / Change e-mail filtering settings / ... "Content to block" => everything is selected
"Virus scanning" = 1
"Spam filtering" = Enabled


And I am still able to receive ZIP attachments.

What's wrong, please?

Thanks

warren
Re: How to block ZIP file attachment
« Reply #1 on: November 29, 2014, 09:54:39 AM »
> "Virus scanning" = 1

Is this really what you see for the field "Virus scanning"?

The values are either: Enabled / Disabled

Gaetan
Re: How to block ZIP file attachment
« Reply #2 on: November 29, 2014, 04:30:33 PM »
Correct.

janet
Re: How to block ZIP file attachment
« Reply #3 on: November 29, 2014, 09:43:57 PM »
Gaetan

Please show the output of
db mailpatterns show
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Gaetan
Re: How to block ZIP file attachment
« Reply #4 on: November 29, 2014, 11:52:21 PM »
AHhIYW5k=pattern
    Body=AHhIYW5k
    Description=PIF file (AHhIYW5k)
    Glob=yes
    LineStart=yes
    Status=enabled
AHhUYXgg=pattern
    Body=AHhUYXgg
    Description=PIF file (AHhUYXgg)
    Glob=yes
    LineStart=yes
    Status=enabled
AMkgICAg=pattern
    Body=AMkgICAg
    Description=PIF file (AMkgICAg)
    Glob=yes
    LineStart=yes
    Status=enabled
AMlIbDk5Lm=pattern
    Body=AMlIbDk5Lm
    Description=PIF file (AMlIbDk5Lm)
    Glob=yes
    LineStart=yes
    Status=enabled
GIF01=pattern
    Body=R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
    Description=GIF file from old virus
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAAAA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoAAAAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAEAAA=pattern
    Body=TVoAAAEAAA
    Description=PC executables (TVoAAAEAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAQAA=pattern
    Body=TVoAAAQAA
    Description=PC executables (TVoAAAQAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAACoAG=pattern
    Body=TVoAACoAG
    Description=PC executables (TVoAACoAG)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAD8AA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoAAD8AA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoFAQUAA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoFAQUAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoIARMAA=pattern
    Body=TVoIARMAA
    Description=PC executables (TVoIARMAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVouARsAA=pattern
    Body=TVouARsAA
    Description=PC executables (TVouARsAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVp1AQEAAAAE=pattern
    Body=TVp1AQEAAAAE
    Description=PC executables (TVp1AQEAAAAE)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpAALQAc=pattern
    Body=TVpAALQAc
    Description=PC executables (TVpAALQAc)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpLRVJOR=pattern
    Body=TVpLRVJOR
    Description=PC executables (TVpLRVJOR)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpQAAIAA=pattern
    Body=TVpQAAIAA
    Description=PC executables (TVpQAAIAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpyAXkAX=pattern
    Body=TVpyAXkAX
    Description=PC executables (TVpyAXkAX)
    Glob=yes
    LineStart=yes
    Status=enabled
TVqQAAMAA=pattern
    Body=TVqQAAMAA
    Description=PC executables (TVqQAAMAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVqgAAEAAAAFAAAA=pattern
    Body=TVqgAAEAAAAFAAAA
    Description=PC executables (TVqgAAEAAAAFAAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrQAT8AA=pattern
    Body=TVrQAT8AA
    Description=PC executables (TVrQAT8AA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrhARwAk=pattern
    Body=TVrhARwAk
    Description=PC executables (TVrhARwAk)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrmAU4AA=pattern
    Body=TVrmAU4AA
    Description=PC executables (TVrmAU4AA)
    Glob=yes
    LineStart=yes
    Status=enabled
ZIPV1=pattern
    Body=UEsDBAoAA
    Description=Zip archive data, at least v1.0 to extract
    Glob=yes
    LineStart=yes
    Status=enabled
ZIPV2=pattern
    Body=UEsDBBQAA
    Description=Zip archive data, at least v2.0 to extract
    Glob=yes
    LineStart=yes
    Status=enabled

janet
Re: How to block ZIP file attachment
« Reply #5 on: November 30, 2014, 01:52:34 AM »
Gaetan

Those db settings look OK.

What happens if you send a message with a zip file attachment to yourself, where you are a user on the SME server & are using the SME mail server to send & receive?

On the sending client you should get an error message something like:

Subject 'msg with zip file attachment',
Account: 'yourusername',
Server: 'www.xxxxxxx.xxxx',
Protocol: SMTP,
Server Response: '552 We don't accept email with executable content [UEsDBBQAA].',
Port: 465,
Secure(SSL): Yes,
Server Error: 552,
Error Number: 0x800CCC6D

If the email message with the zip file attachment is still delivered, then you could try the master reset commands to make sure all db settings are activated:

signal-event post-upgrade
signal-event reboot

If it is still not working correctly, please describe your SME server setup & how it connects to the Internet,
i.e. server-only mode or server & gateway mode, is there a bridged modem in front, or is the SME in server-only mode using some other gateway, etc.

Gaetan
Re: How to block ZIP file attachment
« Reply #6 on: December 01, 2014, 04:53:19 PM »
Hi

> signal-event post-upgrade
> signal-event reboot

I did this a few days ago after the last SME update ... and the problem has been there for months - probably since day one, I guess.
My SME server is set as a Gateway - eth0 on my LAN - eth1 on a leased-line modem with a public IP address.
The SME Server is also used as an internet gateway.

I don't know if this could be related - but we use a third party antivirus / spam filter (scanmailX).

https://scanmailx.com/index.php?option=com_content&view=article&id=60&Itemid=45&lang=en

Our incoming messages are actually going through scanmailX before reaching our SME server... But I don't think scanMailx is the issue.

Is there a way to check somewhere in the logs what's going on with the attachments?

Thanks

Stefano
Re: How to block ZIP file attachment
« Reply #7 on: December 01, 2014, 05:04:02 PM »
If you use scanmailx to scan INCOMING messages BEFORE they reach your SME, you should work on scanmailx..
Accepting an undesired email, sending it to SME and analysing it again is just a waste of time/space/bandwidth/cpu/ram.

Gaetan
Re: How to block ZIP file attachment
« Reply #8 on: December 01, 2014, 05:11:36 PM »
Yes, this is correct.
I have contacted ScanMailX to get the filtering resolved at the scanMailX level - but this does not explain why the SME doesn't do it.
Rgds

Stefano
Re: How to block ZIP file attachment
« Reply #9 on: December 01, 2014, 05:16:24 PM »
read carefully this page:

http://wiki.contribs.org/Virus:Email_Attachment_Blocking

You should open infected zip files with an editor and see if the pattern exists already.. if not.. you have to create a new entry..
Read that page..

janet
Re: How to block ZIP file attachment
« Reply #10 on: December 02, 2014, 07:50:41 PM »
Gaetan

> ....but this does not explain why the SME doesn't do it.

Referring to
https://www.scanmailx.com/index.php?option=com_content&view=article&id=11&Itemid=16&lang=en#Q1
ScanMailX requires your MX records to be changed to point at their servers.

Many spam, virus & filtering techniques that SME server uses, require that SME server be the recipient mail server & talks directly to the originating (sending) mail server. As ScanMailX sits between the sending mail servers & your receiving mail server, then behaviour changes which affects the ability of SME server to perform as well as possible (in this regard).

The best virus & spam filtering etc occurs with SME server when set in Server & Gateway mode & SME server is directly connected to the Internet via a bridged modem or similar, with no external services interspersed.
Here is one brief reference to that issue
http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Server_Only

If you want to test whether your SME will perform better with regard to virus & spam & exe filtering, then disable the use of ScanMailX services (ie reset MX records to point directly at your SME server) & observe for a while.
« Last Edit: December 02, 2014, 07:56:58 PM by janet »

Knuddi (http://www.scanmailx.com)
Re: How to block ZIP file attachment
« Reply #11 on: December 03, 2014, 04:42:32 PM »
The SME server in this situation should, if asked, filter the unwanted attachments. The SME server in question is running in gateway mode, which means all filtering functionality is active. The SME server cannot actually see that ScanMailX is not the originating mail server, except that the IP address is an intermediary.

Having said that, ScanMailX (which I represent) will consider adding file attachment filtering - it just hasn't been a real request in the past. This case would be no different if it had caught the malicious ZIP file through AV scanning. We have seen heavy activity in the Cryptowall (ransomware) arena (250,000+ active bots) over the last period of time and try to adjust filters to accommodate the rapidly changing distribution scheme.


Stefano
Re: How to block ZIP file attachment
« Reply #12 on: December 03, 2014, 05:55:05 PM »
thanks Knuddi for your clarification

Gaetan: could you post here some qpsmtpd logs (related to messages with unwanted attachments)? TIA

janet
Re: How to block ZIP file attachment
« Reply #13 on: December 05, 2014, 12:21:22 AM »
Gaetan

The wiki says exe blocking should still work in Gateway or Server only mode.

Quoting
"This method works for servers configured as either Server & Gateway or Server Only as long as the mail server components are enabled (qpsmtp & qmail) and the server has access to the Internet via another SME Server or firewall."

I asked you before to do the following, what is the result ?
What happens if you send a message with a zip file attachment to yourself, where you are a user on the sme server & are using the sme mail server to send & receive ?

As Stefano says, you need to examine log files at the time a message is sent/received.

janet
Re: How to block ZIP file attachment
« Reply #14 on: December 05, 2014, 03:14:13 AM »
Gaetan

Further to the earlier test I asked you to do, you should check if the file attachment that is getting delivered is really a zip file.
Look at the header information in the email message.

I received a message this morning that is claiming to be a zip file but has a slightly different signature or magic, see extract below.
The two zip signatures that SME will detect when selected are:
UEsDBAoAA
UEsDBBQAA

SME server will not reject the message if the attachment signature does not exactly match one of the mailpatterns database entries.
You could add the errant pattern to the mailpatterns database after careful consideration.


Here is some Header info:

--------------090009000806020706080100
Content-Type: application/zip; name="Internal_Only_pdf.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Internal_Only_pdf.zip"

UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAVAAAASW50ZXJuYWxfT25seV9wZGYuc2Ny7Fh7PFZn
HH/ccnndWk7MXZRS6YR0URzmkJCDUBGp8Dqp5LZulKTGk5KGEspqJbe1ViaVSAvtGLVp3VaSeMXU
ViuLnP0Ota1tn+3z2X/7fPZwnsvv/J7f5fv9Pc/7eV/3xelIBiEkCw/PI1SBhhuF/rltgUfVoFIV
nVJsNKqQcms0WiAOjzaMjFoTFhW8ynB58OrVa2IMl4UYRsWuNgxfbejo4W24as2KEHMVFSWT1zYY..........


PS. Here is the header info & signature from another email message with what purported to be a zip file, but had a different signature from those in the mailpatterns database (similar/same as the above message).

Maybe there is a new wave of zip type file attachments that are being sent around the world, trying to get past "real" zip file blocking systems.


--------------060205090302070607030709
Content-Type: application/zip; name="STD_261.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="STD_261.zip"

UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAPAAAAU1REXzI2MV9wZGYuc2Ny7Fh7PFZnHH/ccnnd
Wk7MXZRS6YR0URzmkJCDUBGp8Dqp5LZulKTGk5KGEspqJbe1ViaVSAvtGLVp3VaSeMXUViuLnP0O
ta1tn+3z2X/7fPZwnsvv/J7f5fv9Pc/7eV/3xelIBiEkCw/PI1SBhhuF/rltgUfVoFIVnVJsNKqQ
cms0WiAOjzaMjFoTFhW8ynB58OrVa2IMl4UYRsWuNgxfbejo4W24as2KEHMVFSWT1zYYGiE3KTlU
« Last Edit: December 05, 2014, 03:24:56 AM by janet »
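Worked example, added here and not part of the thread or of SME Server's own code. It takes the two first base64 lines janet posted in reply #14, decodes them the way the mailpatterns entries have to be compared, shows why neither `UEsDBAoAA` nor `UEsDBBQAA` matches them, and derives the new entry Stefano's advice in reply #9 calls for. Assumptions, not facts from the page: the prefix-match model in `line_start_match()` (a body line must begin with `Body` when `LineStart=yes` and `Glob=yes`), the key name `ZIPV2B`, all helper names, the benign in-memory ZIP built by `build_sample_zip()`, and the `db mailpatterns set` command form, which follows the generic `db <database> set <key> <type> <prop> <value> ...` syntax and should be checked against the wiki page linked in reply #9 before you run it.

```python
"""Decode and match base64 attachment signatures the way SME Server's
mailpatterns entries are compared, using the two lines janet posted.

Added example, not SME Server or qpsmtpd code. Assumed (not from the thread):
the prefix-match rule in line_start_match(), the key name ZIPV2B, and the
`db mailpatterns set` command form, which follows the generic
`db <db> set <key> <type> <prop> <value>...` syntax and should be checked
against the wiki page linked in reply #9 before use.
"""
import base64
import io
import struct
import zipfile

# Copied from the `db mailpatterns show` output earlier in the thread.
ZIP_PATTERNS = {"ZIPV1": "UEsDBAoAA", "ZIPV2": "UEsDBBQAA"}

# First base64 body line of each attachment janet posted (reply #14).
SAMPLE_LINES = [
    "UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAVAAAASW50ZXJuYWxfT25seV9wZGYuc2Ny7Fh7PFZn",
    "UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAPAAAAU1REXzI2MV9wZGYuc2Ny7Fh7PFZnHH/ccnnd",
]

# ZIP local file header (30 bytes): PK\x03\x04, version needed, flags, method,
# mod time, mod date, crc32, compressed size, uncompressed size, name len, extra len.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def decode_prefix(b64):
    """Bytes fully encoded by a base64 prefix; a trailing partial group is dropped.

    Nine characters, the length SME's patterns use, cover six whole bytes plus
    six bits: PK\\x03\\x04, the 2-byte 'version needed' field and the low flags byte.
    """
    return base64.b64decode(b64[: len(b64) // 4 * 4])


def parse_local_header(first_line):
    """Parse the local file header and file name from an attachment's first body line."""
    raw = base64.b64decode(first_line)
    sig, ver, flags, method, _t, _d, crc, csize, usize, nlen, _x = LOCAL_HEADER.unpack(raw[:30])
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    return {"version_needed": ver, "flags": flags, "method": method, "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize, "name": raw[30:30 + nlen]}


def line_start_match(body_lines, patterns):
    """Name of the first pattern some body line begins with, else None.

    Assumed model of LineStart=yes + Glob=yes: the pattern must be a prefix of a
    line, so a single differing byte inside the first 9 characters means no match.
    """
    for line in body_lines:
        for name, body in patterns.items():
            if line.startswith(body):
                return name
    return None


def body_lines(data, width=76):
    """Base64 body lines as a MIME encoder emits them (76 characters per line)."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def pattern_from_bytes(data, chars=9):
    """Derive a Body value as the wiki describes: base64 the file, keep its start."""
    return base64.b64encode(data).decode("ascii")[:chars]


def db_set_command(key, body, description):
    """The db command to add the pattern (generic esmith db syntax; verify on the wiki)."""
    return (f"db mailpatterns set {key} pattern Body {body} "
            f"Description '{description}' Glob yes LineStart yes Status enabled")


def build_sample_zip():
    """Constructed, benign ZIP built in memory; stands in for a captured attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Internal_Only_pdf.scr", b"placeholder, not the real payload " * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for key, body in ZIP_PATTERNS.items():
        print(f"{key} {body} -> {decode_prefix(body).hex(' ')}")
    for line in SAMPLE_LINES:
        h = parse_local_header(line)
        print(f"{h['name'].decode()}: version needed 0x{h['version_needed']:04x}, "
              f"method {h['method']}, {h['uncompressed_size']} bytes, "
              f"matched by: {line_start_match([line], ZIP_PATTERNS)}")
    new_body = pattern_from_bytes(base64.b64decode(SAMPLE_LINES[0]), chars=12)
    print(db_set_command("ZIPV2B", new_body, "Zip archive data, version needed 0x0314"))
    print("locally built zip is matched by:",
          line_start_match(body_lines(build_sample_zip()), ZIP_PATTERNS))
```

What the decode shows: the stock `UEsDBBQAA` pins bytes `50 4B 03 04 14 00`, while both posted samples start `50 4B 03 04 14 03`, so they differ at byte 5 (the high byte of the "version needed to extract" field is 0x03 instead of 0x00) and the prefix match fails, exactly as janet observed. Parsing on from there, both archives carry the same deflated payload (identical CRC and sizes, 23040 bytes uncompressed) under two names, `Internal_Only_pdf.scr` and `STD_261_pdf.scr`, i.e. a Windows executable dressed as a PDF. A 9-character pattern only pins the first 6 bytes plus 6 bits, so any change to the version or flags fields produces a new signature; treat these entries as a stopgap and expect to add more. After a `db mailpatterns set`, the change is not live until the qpsmtpd configuration is regenerated; the wiki page names the event to run (from memory it is `signal-event email-update`, but check the page).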