Koozali.org: home of the SME Server

How to block ZIP file attachment

Offline Gaetan

  • ***
  • 104
  • +0/-0
How to block ZIP file attachment
« on: November 28, 2014, 03:10:22 PM »
I am getting tired of receiving zip file attachments with viruses.
Is there a way to block those incoming emails?
In E-Mail / Change e-mail filtering settings / ... "Content to block" => everything is selected
"Virus scanning" = 1
"Spam filtering" = Enabled


And I am still able to receive ZIP attachments.

What's wrong, please?

Thanks

Offline warren

  • *
  • 291
  • +0/-0
Re: How to block ZIP file attachment
« Reply #1 on: November 29, 2014, 09:54:39 AM »
Quote
"Virus scanning" = 1

Is this really what you see for the field "Virus Scanning"?

The values are either: Enabled / Disabled

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #2 on: November 29, 2014, 04:30:33 PM »
Correct.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #3 on: November 29, 2014, 09:43:57 PM »
Gaetan

Please show the output of
db mailpatterns show
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #4 on: November 29, 2014, 11:52:21 PM »
AHhIYW5k=pattern
    Body=AHhIYW5k
    Description=PIF file (AHhIYW5k)
    Glob=yes
    LineStart=yes
    Status=enabled
AHhUYXgg=pattern
    Body=AHhUYXgg
    Description=PIF file (AHhUYXgg)
    Glob=yes
    LineStart=yes
    Status=enabled
AMkgICAg=pattern
    Body=AMkgICAg
    Description=PIF file (AMkgICAg)
    Glob=yes
    LineStart=yes
    Status=enabled
AMlIbDk5Lm=pattern
    Body=AMlIbDk5Lm
    Description=PIF file (AMlIbDk5Lm)
    Glob=yes
    LineStart=yes
    Status=enabled
GIF01=pattern
    Body=R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
    Description=GIF file from old virus
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAAAA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoAAAAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAEAAA=pattern
    Body=TVoAAAEAAA
    Description=PC executables (TVoAAAEAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAAQAA=pattern
    Body=TVoAAAQAA
    Description=PC executables (TVoAAAQAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAACoAG=pattern
    Body=TVoAACoAG
    Description=PC executables (TVoAACoAG)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoAAD8AA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoAAD8AA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoFAQUAA=pattern
    Body=TVoFAQUAA
    Description=PC executables (TVoFAQUAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVoIARMAA=pattern
    Body=TVoIARMAA
    Description=PC executables (TVoIARMAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVouARsAA=pattern
    Body=TVouARsAA
    Description=PC executables (TVouARsAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVp1AQEAAAAE=pattern
    Body=TVp1AQEAAAAE
    Description=PC executables (TVp1AQEAAAAE)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpAALQAc=pattern
    Body=TVpAALQAc
    Description=PC executables (TVpAALQAc)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpLRVJOR=pattern
    Body=TVpLRVJOR
    Description=PC executables (TVpLRVJOR)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpQAAIAA=pattern
    Body=TVpQAAIAA
    Description=PC executables (TVpQAAIAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVpyAXkAX=pattern
    Body=TVpyAXkAX
    Description=PC executables (TVpyAXkAX)
    Glob=yes
    LineStart=yes
    Status=enabled
TVqQAAMAA=pattern
    Body=TVqQAAMAA
    Description=PC executables (TVqQAAMAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVqgAAEAAAAFAAAA=pattern
    Body=TVqgAAEAAAAFAAAA
    Description=PC executables (TVqgAAEAAAAFAAAA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrQAT8AA=pattern
    Body=TVrQAT8AA
    Description=PC executables (TVrQAT8AA)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrhARwAk=pattern
    Body=TVrhARwAk
    Description=PC executables (TVrhARwAk)
    Glob=yes
    LineStart=yes
    Status=enabled
TVrmAU4AA=pattern
    Body=TVrmAU4AA
    Description=PC executables (TVrmAU4AA)
    Glob=yes
    LineStart=yes
    Status=enabled
ZIPV1=pattern
    Body=UEsDBAoAA
    Description=Zip archive data, at least v1.0 to extract
    Glob=yes
    LineStart=yes
    Status=enabled
ZIPV2=pattern
    Body=UEsDBBQAA
    Description=Zip archive data, at least v2.0 to extract
    Glob=yes
    LineStart=yes
    Status=enabled

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #5 on: November 30, 2014, 01:52:34 AM »
Gaetan

Those db settings look OK.

What happens if you send a message with a zip file attachment to yourself, where you are a user on the sme server & are using the sme mail server to send & receive ?

On the sending client you should get an error message something like:

Subject 'msg with zip file attachment',
Account: 'yourusername',
Server: 'www.xxxxxxx.xxxx',
Protocol: SMTP,
Server Response: '552 We don't accept email with executable content [UEsDBBQAA].',
Port: 465,
Secure(SSL): Yes,
Server Error: 552,
Error Number: 0x800CCC6D

If the email message with zip file attachment is still delivered, then you could try the master reset command to make sure all db settings are activated

signal-event post-upgrade
signal-event reboot

If still not working correctly, please describe your sme server setup, & how it connects to the Internet,
ie server only mode or server & gateway mode, is there a bridged modem in front, or is the SME in server only mode using some other gateway etc etc.

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #6 on: December 01, 2014, 04:53:19 PM »
Hi

> signal-event post-upgrade
> signal-event reboot

I did this a few days ago after the last SME update ... and the problem has been there for months - probably since day one I guess.
My SME server is set as a Gateway - eth0 on my lan - eth1 on a leased line modem with a public IP address.
The SME Server is also used as an internet gateway.

I don't know if this could be related - but we use a third party antivirus / spam filter (scanmailX).

https://scanmailx.com/index.php?option=com_content&view=article&id=60&Itemid=45&lang=en

Our incoming messages are actually going through scanmailX before reaching our SME server... But I don't think scanMailx is the issue.

Is there a way to check somewhere in the logs what's going on with the attachments ?

Thanks

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #7 on: December 01, 2014, 05:04:02 PM »
if you use scanmailx to scan INCOMING messages BEFORE they reach your SME you should work on scanmailx..
accepting an undesired email, sending it to SME and analyzing it again is just a waste of time/space/band/cpu/ram

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #8 on: December 01, 2014, 05:11:36 PM »
Yes, this is correct.
I have contacted ScanMailX to get the filtering resolved at scanMailX level - but this does not explain why the SME doesn't do it.
Rgds

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #9 on: December 01, 2014, 05:16:24 PM »
read carefully this page:

http://wiki.contribs.org/Virus:Email_Attachment_Blocking

you should open infected zip files with an editor and see if the pattern exists already.. if not.. you have to create a new entry..
read that page..

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #10 on: December 02, 2014, 07:50:41 PM »
Gaetan

Quote
....but this is not explain why the SME doesn't do it.

Referring to
https://www.scanmailx.com/index.php?option=com_content&view=article&id=11&Itemid=16&lang=en#Q1
ScanMailX requires your MX records to be changed to point at their servers.

Many spam, virus & filtering techniques that SME server uses, require that SME server be the recipient mail server & talks directly to the originating (sending) mail server. As ScanMailX sits between the sending mail servers & your receiving mail server, then behaviour changes which affects the ability of SME server to perform as well as possible (in this regard).

The best virus & spam filtering etc occurs with SME server when set in Server & Gateway mode & SME server is directly connected to the Internet via a bridged modem or similar, with no external services interspersed.
Here is one brief reference to that issue
http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Server_Only

If you want to test whether your SME will perform better with regard to virus & spam & exe filtering, then disable the use of ScanMailX services (ie reset MX records to point directly at your SME server) & observe for a while.
« Last Edit: December 02, 2014, 07:56:58 PM by janet »

Offline Knuddi

  • *
  • 540
  • +0/-0
    • http://www.scanmailx.com
Re: How to block ZIP file attachment
« Reply #11 on: December 03, 2014, 04:42:32 PM »
The SME server in this situation should, if asked, filter the non-wanted attachments. The SME server in question is running in gateway mode which means all filtering functionality is active. The SME server cannot actually see that ScanMailX is not the originating mail server except that the IP address is intermediary.

Having said that, ScanMailX (which I represent) will consider adding file attachment filtering - it just hasn't been a real request in the past. This case is no different if we had caught the malicious ZIP file through AV scanning. We have seen heavy activity in the Cryptowall (ransomware) arena (250.000+ active BOTs) the last period of time and try to adjust filters to accommodate the rapidly changing distribution scheme.


Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #12 on: December 03, 2014, 05:55:05 PM »
thanks Knuddi for your clarification

Gaetan: could you post here some qpsmtpd logs (related to messages with unwanted attachments)? TIA

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #13 on: December 05, 2014, 12:21:22 AM »
Gaetan

The wiki says exe blocking should still work in Gateway or Server only mode.

Quoting
"This method works for servers configured as either Server & Gateway or Server Only as long as the mail server components are enabled (qpsmtp & qmail) and the server has access to the Internet via another SME Server or firewall."

I asked you before to do the following, what is the result ?
What happens if you send a message with a zip file attachment to yourself, where you are a user on the sme server & are using the sme mail server to send & receive ?

As Stefano says, you need to examine log files at the time a message is sent/received.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #14 on: December 05, 2014, 03:14:13 AM »
Gaetan

Further to the earlier test I asked you to do, you should check if the file attachment that is getting delivered is really a zip file.
Look at the header information in the email message.

I received a message this morning that is claiming to be a zip file but has a slightly different signature or magic, see extract below.
The two zip signatures that SME will detect when selected are:
UEsDBAoAA
UEsDBBQAA

SME server will not reject the message if the attachment signature does not exactly match one of the mailpatterns database entries.
You could add the errant pattern to the mailpatterns database after careful consideration.


Here is some Header info:

--------------090009000806020706080100
Content-Type: application/zip; name="Internal_Only_pdf.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Internal_Only_pdf.zip"

UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAVAAAASW50ZXJuYWxfT25seV9wZGYuc2Ny7Fh7PFZn
HH/ccnndWk7MXZRS6YR0URzmkJCDUBGp8Dqp5LZulKTGk5KGEspqJbe1ViaVSAvtGLVp3VaSeMXU
ViuLnP0Ota1tn+3z2X/7fPZwnsvv/J7f5fv9Pc/7eV/3xelIBiEkCw/PI1SBhhuF/rltgUfVoFIV
nVJsNKqQcms0WiAOjzaMjFoTFhW8ynB58OrVa2IMl4UYRsWuNgxfbejo4W24as2KEHMVFSWT1zYY..........


PS. Here is the header info & signature from another email message with what purported to be a zip file, but had a different signature than those in the mailpatterns database (similar/same as above message).

Maybe there is a new wave of zip type file attachments that are being sent around the world, trying to get past "real" zip file blocking systems.


--------------060205090302070607030709
Content-Type: application/zip; name="STD_261.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="STD_261.zip"

UEsDBBQDAAAIABuxhEXbldBKnyYAAABaAAAPAAAAU1REXzI2MV9wZGYuc2Ny7Fh7PFZnHH/ccnnd
Wk7MXZRS6YR0URzmkJCDUBGp8Dqp5LZulKTGk5KGEspqJbe1ViaVSAvtGLVp3VaSeMXUViuLnP0O
ta1tn+3z2X/7fPZwnsvv/J7f5fv9Pc/7eV/3xelIBiEkCw/PI1SBhhuF/rltgUfVoFIVnVJsNKqQ
cms0WiAOjzaMjFoTFhW8ynB58OrVa2IMl4UYRsWuNgxfbejo4W24as2KEHMVFSWT1zYYGiE3KTlU
« Last Edit: December 05, 2014, 03:24:56 AM by janet »

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #15 on: December 05, 2014, 10:57:55 AM »
Hi,
Thanks for your help.
I have checked the qpsmtpd/current log file and did not find anything related to the scanning of the file attachment.

Via the following link, I have saved the test zip file that I am sending (basic test file zipped from OS X).

https://www.dropbox.com/s/el2vimiwwnc65wv/Test.txt.zip?dl=0


Regards
Gaëtan

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #16 on: December 05, 2014, 01:16:17 PM »
don't you really find anything like:

Code:
@4000000054819e3a20d2c36c 31236 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@4000000054819e3a21adcda4 31236 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1417780780:31236:0: OK

?

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #17 on: December 05, 2014, 01:59:06 PM »
Sorry, I actually do:

@400000005481aac700e30b0c 27327 Accepted connection 2/40 from 176.222.239.98 / mxdk02.scanmailx.com
@400000005481aac700e4b4d4 27327 Connection from mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac700fe9da4 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac7011f3d34 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac70191fc34 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac801d6b5f4 27327 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
@400000005481aac8023f91b4 27327 220 sme.domain.com ESMTP
@400000005481aac803b04854 27327 dispatching EHLO scanmailx.com
@400000005481aac803c3e3dc 27327 250-domain.com Hi mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac803c44584 27327 250-PIPELINING
@400000005481aac803c49f5c 27327 250-8BITMIME
@400000005481aac803c504ec 27327 250-SIZE 12000000
@400000005481aac803c55ec4 27327 250 STARTTLS
@400000005481aac8053486f4 27327 dispatching STARTTLS
@400000005481aac80535fa0c 27327 220 Go ahead with TLS
@400000005481aac80a87f9ec 27327 tls plugin (unrecognized_command): TLS setup returning
@400000005481aac80bf5552c 27327 dispatching EHLO scanmailx.com
@400000005481aac80bfd928c 27327 250-domain.com Hi mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac80bfdfc04 27327 250-PIPELINING
@400000005481aac80bfe55dc 27327 250-8BITMIME
@400000005481aac80bfeb784 27327 250-SIZE 12000000
@400000005481aac80bff115c 27327 250 AUTH PLAIN LOGIN
@400000005481aac80d7b39ac 27327 dispatching MAIL FROM: <xxxemail_address_fromxxx>
@400000005481aac80d7cdba4 27327 full from_parameter: FROM: <xxxemail_address_fromxxx>
@400000005481aac810aece2c 27327 getting mail from <xxxemail_address_fromxxx>
@400000005481aac810af7df4 27327 250 <xxxemail_address_fromxxx>, sender OK - how exciting to get mail from you!
@400000005481aac81309c974 27327 dispatching RCPT TO: <address_to@domain.com>
@400000005481aad01986996c 27327 check_goodrcptto plugin (rcpt): stripping '-' extensions
@400000005481aad019ee2154 27327 250 <address_to@domain.com>, recipient ok
@400000005481aad01b6275bc 27327 dispatching DATA
@400000005481aad01b66cb1c 27327 354 go ahead
@400000005481aad01ceb6f4c 27327 spooling message to disk
@400000005481aad0201802d4 27327 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000005481aad020e34dcc 27327 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1417784006:27327:0: OK
@400000005481aad020f1384c 27327 logging::logterse plugin (queue): ` 176.222.239.98   mxdk02.scanmailx.com   scanmailx.com   <xxxemail_address_fromxxx>   <address_to@domain.com>   queued      <5481AAB8.20603@gmail.com>   No, hits=0.6 required=5.
@400000005481aad02c1fe7f4 27327 250 Queued! 1417784006 qp 27391 <5481AAB8.20603@gmail.com>
@400000005481aad02d90dd14 27327 dispatching QUIT
@400000005481aad02d933a8c 27327 221 domain.com closing connection. Have a wonderful day.
@400000005481aad02d94a5d4 27327 click, disconnecting

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #18 on: December 05, 2014, 03:58:23 PM »
Gaetan

Here is the header info from a message with your test.txt.zip file attached that was sent from & to my account on a SME server, note that SME did not block the message.

------=_NextPart_000_0007_01D010F4.AB35F890
Content-Type: application/octet-stream;
   name="Test.txt.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="Test.txt.zip"

UEsDBBQACAAIAP1UhUUAAAAAAAAAAAAAAAAIABAAVGVzdC50eHRVWAwAd32BVG59gVT1ARQAe797
f0hqcQkXAFBLBwiBv2bKCgAAAAgAAABQSwECFQMUAAgACAD9VIVFgb9mygoAAAAIAAAACAAMAAAA
AAAAAABApIEAAAAAVGVzdC50eHRVWAgAd32BVG59gVRQSwUGAAAAAAEAAQBCAAAAUAAAAAAA

Note the pertinent part of the file signature or magic is
UEsDBBQAC

The two zip signatures that SME will detect when selected are:
UEsDBAoAA
UEsDBBQAA

The file signature from your zip test file does not match either of the signatures in the mailpatterns database, so that is why the message is not being rejected, even though it has a zip file attachment.

It seems to me that the signature needs to be added to the mailpatterns database eg as another type of zip OSX variant file

You can follow the instructions in the Howto to achieve this
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Enabling_or_disabling_patterns


Comparing it to those other zip files I received earlier today, they are different again,

Header info from recently received messages with zip attachments:

Content-Disposition: attachment; filename="Internal_Only_pdf.zip"
UEsDBBQDA

Content-Disposition: attachment; filename="STD_261.zip"
UEsDBBQDA


So perhaps that signature also needs to be added to the mailpatterns database as a zip variant 3 type

This will add these signatures to the mailpatterns database
Code:
/sbin/e-smith/db mailpatterns set ZIPVOSX pattern Body UEsDBBQAC Description "Zip archive data, created on OSX" Glob yes LineStart yes Status enabled
/sbin/e-smith/db mailpatterns set ZIPV3 pattern Body UEsDBBQDA Description "Zip archive data, variant 3" Glob yes LineStart yes Status enabled
signal-event email-update
« Last Edit: December 05, 2014, 04:15:09 PM by janet »
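
To make concrete why the zip signatures in this thread differ and how a mailpatterns entry gets applied, here is an added Python example; it is not SME Server's qpsmtpd plugin nor any code posted in the thread. It builds ZIP local file headers byte by byte and base64-encodes them, which shows which header fields produce UEsDBAoAA, UEsDBBQAA, UEsDBBQAC and UEsDBBQDA, and then runs the thread's patterns over a constructed MIME message that carries the Test.txt.zip base64 lines quoted above. The Glob/LineStart semantics (a shell-style glob anchored at the start of each base64 line) are an assumption about how the filter interprets those keys, not taken from SME's source.

```python
import base64
import email
import fnmatch
import io
import struct
import zipfile

# Entries copied from the mailpatterns output earlier in the thread (ZIPV1, ZIPV2,
# TVqQAAMAA) plus the two janet added (ZIPVOSX, ZIPV3). Body is a base64 prefix.
MAILPATTERNS = {
    "ZIPV1":     {"Body": "UEsDBAoAA", "Glob": "yes", "LineStart": "yes", "Status": "enabled"},
    "ZIPV2":     {"Body": "UEsDBBQAA", "Glob": "yes", "LineStart": "yes", "Status": "enabled"},
    "ZIPVOSX":   {"Body": "UEsDBBQAC", "Glob": "yes", "LineStart": "yes", "Status": "enabled"},
    "ZIPV3":     {"Body": "UEsDBBQDA", "Glob": "yes", "LineStart": "yes", "Status": "enabled"},
    "TVqQAAMAA": {"Body": "TVqQAAMAA", "Glob": "yes", "LineStart": "yes", "Status": "enabled"},
}

# Constructed test message: the attachment part reuses the Test.txt.zip base64
# lines janet posted; the surrounding headers and the text part are made up.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: test zip attach with test.txt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain

see attached
--constructed-boundary
Content-Type: application/octet-stream; name="Test.txt.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Test.txt.zip"

UEsDBBQACAAIAP1UhUUAAAAAAAAAAAAAAAAIABAAVGVzdC50eHRVWAwAd32BVG59gVT1ARQAe797
f0hqcQkXAFBLBwiBv2bKCgAAAAgAAABQSwECFQMUAAgACAD9VIVFgb9mygoAAAAIAAAACAAMAAAA
AAAAAABApIEAAAAAVGVzdC50eHRVWAgAd32BVG59gVRQSwUGAAAAAAEAAQBCAAAAUAAAAAAA
--constructed-boundary--
"""


def local_file_header(version_needed, flags, method):
    """Minimal 30-byte ZIP local file header: signature PK 03 04, version needed
    to extract, general-purpose flags, compression method, then zeroed fields.
    Only the first few bytes matter for the base64 prefix a line filter sees."""
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", version_needed, flags,
                       method, 0, 0, 0, 0, 0, 0, 0)


def b64_prefix(data, length=9):
    """The first `length` base64 characters, i.e. what a mailpatterns Body is."""
    return base64.b64encode(data).decode("ascii")[:length]


def python_zip_prefix():
    """Prefix of a deflated zip written by Python's zipfile: version 2.0, no flags."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Test.txt", "hello\n")
    return b64_prefix(buf.getvalue())


def match_patterns(line, patterns=MAILPATTERNS):
    """Names of enabled patterns that match one base64 line (assumed semantics:
    Glob=yes makes Body a shell-style glob, LineStart=yes anchors it at the
    start of the line, otherwise the Body may occur anywhere in the line)."""
    hits = []
    for name, p in patterns.items():
        if p["Status"] != "enabled":
            continue
        body, anchored = p["Body"], p["LineStart"] == "yes"
        if p["Glob"] == "yes":
            matched = fnmatch.fnmatchcase(line, body + "*" if anchored else "*" + body + "*")
        else:
            matched = line.startswith(body) if anchored else body in line
        if matched:
            hits.append(name)
    return hits


def scan_message(raw):
    """Run every line of every base64-encoded MIME part through the patterns.
    Returns {attachment filename: [names of matching patterns]}."""
    msg = email.message_from_string(raw)
    results = {}
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        hits = []
        for line in part.get_payload().splitlines():
            for name in match_patterns(line.strip()):
                if name not in hits:
                    hits.append(name)
        results[part.get_filename() or "(unnamed)"] = hits
    return results


if __name__ == "__main__":
    for label, hdr in [("v1.0 stored, no flags", local_file_header(10, 0, 0)),
                       ("v2.0 deflated, no flags", local_file_header(20, 0, 8)),
                       ("v2.0 deflated, data-descriptor flag", local_file_header(20, 0x0008, 8)),
                       ("v2.0 deflated, non-zero high version byte", local_file_header(0x0314, 0, 8))]:
        print(f"{label:45s} {b64_prefix(hdr)}  {match_patterns(b64_prefix(hdr, 16))}")
    print("python zipfile:", python_zip_prefix())
    print(scan_message(SAMPLE_MESSAGE))
```

Reading the headers off the four prefixes explains the whole thread: the 9th base64 character is the top six bits of the low flags byte, so a zip written with the data-descriptor flag set (bit 3, the OS X sample) encodes as UEsDBBQAC rather than UEsDBBQAA, and a non-zero high byte in the version field gives UEsDBBQD. Each Body therefore pins down one combination of version and flag bits, which is why a handful of entries is needed rather than one.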

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #19 on: December 05, 2014, 04:04:05 PM »
Very interesting indeed.
It looks to me like there could be a multitude of signatures for compressed zip files, and that what I expect from the SME mail attachment filtering is not really possible because many, many different signatures would have to be registered.

Maybe the SME server should simply filter by file extensions?


Rgds

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #20 on: December 05, 2014, 04:27:19 PM »
Gaetan

Please see my amended previous post with suitable commands to add these signatures to the mailpatterns database.

Quote
It looks like to me that there could be a multitude of signatures for compressed zip files

Yes indeed, but the trick is to select a common signature or a few signatures that will cover the majority of zip file signatures.
It has been many years since the mailpatterns database idea was created by Gordon Rowell, so new zip file signatures have been created in that time, either by design eg the OSX variant, or by hackers etc who are trying to circumvent exe attachment filtering.

Quote
.... and that what I expect from the SME mail attachment filtering is not really possible because many many different signatures would have to be registered

Nothing stays the same, so if a couple of new signatures needed to be added after 7 years, then that is not too bad, & pretty easy to accommodate, refer to the commands I gave, ie
Code:
/sbin/e-smith/db mailpatterns set ZIPVOSX pattern Body UEsDBBQAC Description "Zip archive data, created on OSX" Glob yes LineStart yes Status enabled
/sbin/e-smith/db mailpatterns set ZIPV3 pattern Body UEsDBBQDA Description "Zip archive data, variant 3" Glob yes LineStart yes Status enabled
signal-event email-update


Quote
Maybe the SME server should simply filter by file extensions?

That is not possible or practical. File names can easily be changed (spoofed) to circumvent name based filtering.
Mailpatterns is the correct way to do it & it has proved VERY effective over the years.

Please add the zip type(s) I advised & let us know your results.

These should really be added to the default mailpatterns database, ie as "newly discovered" zip signatures.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #21 on: December 05, 2014, 04:33:03 PM »
Gaetan

I added the signatures to the mailpatterns db & now when I send your zip file to myself I get this error,
which is good because it indicates the zip file OSX variant is being rejected, as expected.

Subject 'Fw: test zip attach with test.txt',
Account: 'yyyyy',
Server: 'www.xxxxx.xxx.xx',
Protocol: SMTP,
Server Response: '552 We don't accept email with executable content [UEsDBBQAC].',
Port: 465,
Secure(SSL): Yes,
Server Error: 552, Error Number: 0x800CCC6D

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #22 on: December 05, 2014, 05:05:33 PM »
Hi Janet,
Thank you very much for your help on this.
It does now indeed block the test zip file.

Very well done.
Thanks again.

Offline raem

  • *
  • 3,972
  • +4/-0
Re: How to block ZIP file attachment
« Reply #23 on: December 05, 2014, 05:10:42 PM »
janet & Gaetan

Quote
These should really be added to the default mailpatterns database, ie as "newly discovered" zip signatures.

I added a NFR bug report
http://bugs.contribs.org/show_bug.cgi?id=8717

Probably should duplicate for SME 9 also.
Added http://bugs.contribs.org/show_bug.cgi?id=8718
« Last Edit: December 05, 2014, 05:16:51 PM by raem »
...

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: How to block ZIP file attachment
« Reply #24 on: December 05, 2014, 06:50:05 PM »
modifications pushed to cvs & built, please can you verify it ?
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline raem

  • *
  • 3,972
  • +4/-0
Re: How to block ZIP file attachment
« Reply #25 on: December 05, 2014, 09:29:00 PM »
stephdl
Quote
modifications pushed to cvs & built, please can you verify it ?

Tested & Verified both bugs

If users cannot wait for updated pkgs to move to updates repo, do
yum update --enablerepo=smetest e-smith-email
db mailpatterns setprop ZIPV3 Status enabled
db mailpatterns setprop ZIPVOSX Status enabled
signal-event email-update

Thanks Steph for the fast work, it should have a significant impact on the virus laden zip files being sent via email

Offline stephdl

  • *
  • 1,519
  • +0/-0
    • Linux et Geekeries
Re: How to block ZIP file attachment
« Reply #26 on: December 05, 2014, 10:19:45 PM »
I have just pushed the work done here, development is a two-way road....I'm quite sure that a lot of people here are skilled enough to play with bugs.

We have had some resignations and a death this year...you are welcome to dance on bugs with us.

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #27 on: December 09, 2014, 12:21:10 PM »
Hi,
I have another question regarding attachment filtering.
Our SME server keeps rejecting some MS Excel files - with the xlsx format.
Here is the error message:
"We don't accept email with executable content [UEsDBAoAA]"

Why is that?

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #28 on: December 09, 2014, 12:22:23 PM »
because xlsx and docx documents are zip files

google will tell you more

Offline Gaetan

  • ***
  • 104
  • +0/-0
Re: How to block ZIP file attachment
« Reply #29 on: December 09, 2014, 12:34:21 PM »
Ok, I see. Thanks

Offline PeteAUK

  • *
  • 23
  • +0/-0
Re: How to block ZIP file attachment
« Reply #30 on: December 09, 2014, 12:45:44 PM »
Quote
because xlsx and docx documents are zip files

google will tell you more

Coincidentally I'm just looking into the same bits on my SME Server (v8).  What's the best way to configure setting up blocking ZIPs but allowing the M$ formats?

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #31 on: December 09, 2014, 03:48:41 PM »
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.
use pdf

if you need to work with doc/xls and you really want to block zip, you need to use a different kind of file sharing

Offline PeteAUK

  • *
  • 23
  • +0/-0
Re: How to block ZIP file attachment
« Reply #32 on: December 09, 2014, 05:28:38 PM »
Quote
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.
use pdf

if you need to work with doc/xls and you really want to block zip, you need to use a different kind of file sharing

Thanks for the reply.

Guessing you're not talking from a business perspective when you say don't send doc/xls files - the chance of getting people to purely work with pdf is a bit like trying to find the holy grail ;)

Offline brianr

  • *
  • 988
  • +2/-0
Re: How to block ZIP file attachment
« Reply #33 on: December 09, 2014, 05:35:35 PM »
Quote
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.

In my experience doc and xls files can be sent and received, it's just the xlsx and docx versions that can't.

There's been a rash of zipped up attachments (as fake invoices or faxes?), leading to exploits in the last year, and the mailpatterns have saved my bacon on a number of occasions as far as I can tell.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #34 on: December 09, 2014, 05:37:43 PM »
au contraire..

start blocking everything but pdf and give users rules and tools.. that's the way..

email was not intended as a file sharing tool.. and everything that goes out from my lan toward an external recipient should not be editable and/or a virus container.. a pdf is enough, digitally signed would be better.

Offline PeteAUK

  • *
  • 23
  • +0/-0
Re: How to block ZIP file attachment
« Reply #35 on: December 09, 2014, 05:49:30 PM »
Quote
au contraire..

start blocking everything but pdf and give users rules and tools.. that's the way..

email was not intended as a file sharing tool.. and everything that goes out from my lan toward an external recipient should not be editable and/or a virus container.. a pdf is enough, digitally signed would be better.

Completely agree on one perspective, everything going out could comply with a very draconian ruleset - you might even be lucky and your director/CEO/MD will agree with it.  However you have no control over what people (more specifically customers) send your way and ultimately it's customers that pay your wages and they're the ones who don't understand that an XLSX file could be a virus.

E-mail might not have been intended for file sharing, but that's what it's become and is regularly used for - how many people e-mail a file that's on a network share to a colleague?  There are lots of examples of where technology is used for purposes other than what it was originally conceived for (Facebook, social media or platform for sharing cat pictures)...

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: How to block ZIP file attachment
« Reply #36 on: December 09, 2014, 06:03:12 PM »
Quote
Completely agree on one perspective, everything going out could comply with a very draconian ruleset - you might even be lucky and your director/CEO/MD will agree with it.  However you have no control over what people (more specifically customers) send your way and ultimately it's customers that pays your wages and they're the ones who don't understand that an XLSX file could be a virus.

last week a customer of mine called me "Hi, we can't receive emails from XYZ.."
a fast check.. the sender was sending email with 50 mb of attachment..
my answer: "your server will NEVER receive such a mail and the sender has been informed, this is not a problem on our side".. that's all

users (of any kind) must be educated.. otherwise, you should think about being paid on an "accident" basis.. and if the issue is not a technical one (hw failure and so on) but a human one (virus, deleted files etc), your hourly rate should be doubled.. in this way, in my personal experience, you have ALL under your control.

people keep thinking about IT as a no one/ no rule land.. and that's not true

guest22

Re: How to block ZIP file attachment
« Reply #37 on: December 09, 2014, 06:15:36 PM »
This might be worth looking at http://wiki.contribs.org/DownloadTicketService

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: How to block ZIP file attachment
« Reply #38 on: December 09, 2014, 11:43:34 PM »
Gaetan

Quote
"We don't accept email with executable content [UEsDBAoAA]"

Well that is a ZIPv1.0 format, & if you allow that you will receive lots & lots of virus infected messages, which are sent as ZIPv1.0 format.
Virus infected messages/attachments are so prevalent in ZIPv1.0 format.

My suggestion would be to use RAR format to compress files, ie WinRAR, as there appears to be a lot less nasty messages/attachments in RAR format.
If your users compress a ZIP file into a RAR format, then the ZIPv1.0 (or whatever) will still be detected by SME server, so you need to start with a non ZIP format source.

Alternatives are to put files on a web site for sharing, & just email the link, or create an external free email account/address, & get external senders to send email to that address when attachments are involved eg files in formats that SME will block. This email address should not be publicly advertised or you will just get lots of spam etc coming to it. You could also create a webshare or similar upload/download site for sharing these types of files, particularly good for really large files eg in the 50Mb to 200Mb range where some users have data files of that size.

Really security comes first, you cannot risk allowing your server & network to get infected, as the downtime cost is too great to tolerate for most businesses (both unproductive staff time costs as well as tech support costs), but you need to cater for ease of use by customers who will send large attachments & attachments in formats that SME server will block, alternatives for this already suggested. I have this issue in my business & a combination of the workarounds mentioned seems effective enough.

Unfortunately Stefano's attitude of "just don't do it" is not so practical. Businesses need to make it as easy as possible for clients to liaise with us, but my suggestions have been practical for most clients, & they catch on quickly when told what to do.
« Last Edit: December 09, 2014, 11:53:38 PM by janet »

Offline Knuddi

    • http://www.scanmailx.com
Re: How to block ZIP file attachment
« Reply #39 on: February 10, 2015, 07:49:22 PM »
Having had a closer look at this for ScanMailX, I think that SME signatures are not necessarily the way to go. Signatures are deterministic for some extensions, but for zip, for example, the signature matches other extensions as well and will cause false positives.

I have made a module that looks at two additional items in the MIME header: the Content-Type and the associated name. Surely a smart person can attach a ZIP file with the extension ZAP instead of ZIP, but the normal user will not rename it and hence will potentially be affected by bad software. The Content-Type for "real" ZIP attachments will be either "application/zip" or "application/x-zip-compressed". This will now also be matched.
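Added example, not code from the thread or from ScanMailX: a Python sketch of the MIME-header check the post above describes, using the two Content-Type values it names together with the attachment filename, and additionally looking at the first bytes of the decoded payload so that an archive renamed to a different extension is still noticed. The message it parses is constructed inline; the addresses, filenames and payload bytes are made up, and the attachment bodies are header-shaped bytes rather than real archives.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Content-Type values the post names for "real" zip attachments
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}
# Signature of a zip local file header, i.e. the first four bytes of almost every zip archive
ZIP_MAGIC = b"PK\x03\x04"


def zip_indicators(raw_message: bytes) -> List[Dict[str, object]]:
    """Return one record per attachment that looks like a zip archive, with the
    reasons it was flagged: declared Content-Type, a .zip filename, or the zip
    signature at the start of the decoded payload (this last check is what
    catches an archive that was renamed to, say, .zap)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        content_type = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if content_type in ZIP_CONTENT_TYPES:
            reasons.append("content-type")
        if filename.lower().endswith(".zip"):
            reasons.append("filename")
        if payload.startswith(ZIP_MAGIC):
            reasons.append("magic")
        if reasons:
            flagged.append({"content_type": content_type, "filename": filename, "reasons": reasons})
    return flagged


def build_sample_message() -> bytes:
    """Constructed test message (addresses, names and payloads are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample with four attachments"
    msg.set_content("See attached.")
    # Header-shaped bytes: signature, version-needed 2.0, then zero padding; not a real archive
    fake_zip_start = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24
    # 1: declared zip, .zip name, zip magic -> all three indicators
    msg.add_attachment(fake_zip_start, maintype="application", subtype="zip", filename="report.zip")
    # 2: generic Content-Type, but .zip name and zip magic
    msg.add_attachment(fake_zip_start, maintype="application", subtype="octet-stream",
                       filename="IMG_02_2015_3301796.JPEG.zip")
    # 3: renamed to .zap with a generic Content-Type: only the magic gives it away
    msg.add_attachment(fake_zip_start, maintype="application", subtype="octet-stream", filename="archive.zap")
    # 4: a PDF, not flagged by any of the three checks
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in zip_indicators(build_sample_message()):
        print(hit)
```

The three indicators are deliberately reported separately rather than collapsed into one verdict, so a policy can treat "declared zip with a .zip name" differently from "generic type, no zip extension, but zip bytes inside", which is the renamed case the post mentions.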





Offline devtay

Re: How to block ZIP file attachment
« Reply #40 on: February 19, 2015, 09:26:50 PM »
In looking through this thread and the Wiki http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Enabling_or_disabling_patterns, I was wondering what the best practice is for picking the magic. Is it more trial and error, or do you just compare with what you have stored in the database and then go a character or two longer?
You can't stop what's coming. It ain't all waiting on you.

Offline janet

Re: How to block ZIP file attachment
« Reply #41 on: February 20, 2015, 07:58:45 AM »
devtay

It is outlined in the section before that.
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Determining_file_pattern.2C_signature_or_magic

Just adding a couple of more characters is somewhat random.

You are really looking for the minimum length of pattern that will consistently match against similar or same file types.

Offline devtay

Re: How to block ZIP file attachment
« Reply #42 on: February 26, 2015, 06:43:47 PM »
Three more emails today with different magic made it through my content filter. Possibly a new variant. I'm posting to see if anyone else had this today too.

Filenames followed by magic
IMG_02_2015_3301796.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

IMG_02_2015_3537629.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

IMG_02_2015_8824553.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

I don't see a match in my db.

[root@xxxxx Zip File]# db mailpatterns show | grep Body
    Body=AHhIYW5k
    Body=AHhUYXgg
    Body=AMkgICAg
    Body=AMlIbDk5Lm
    Body=R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
    Body=TVoFAQUAA
    Body=TVoAAAEAAA
    Body=TVoAAAQAA
    Body=TVoAACoAG
    Body=TVoFAQUAA
    Body=TVoFAQUAA
    Body=TVoIARMAA
    Body=TVouARsAA
    Body=TVp1AQEAAAAE
    Body=TVpAALQAc
    Body=TVpLRVJOR
    Body=TVpQAAIAA
    Body=TVpyAXkAX
    Body=TVqQAAMAA
    Body=TVqgAAEAAAAFAAAA
    Body=TVrQAT8AA
    Body=TVrhARwAk
    Body=TVrmAU4AA
    Body=UEsDBAoAA
    Body=UEsDBBQAA
    Body=UEsDBBQDA
    Body=UEsDBBQAC
[root@xxxxx Zip File]#

I know this zip file is a virus because the desktop antivirus caught it when the email got downloaded. Here's my notification:

2/26/2015 8:29:05 AM - Module POP3 filter - Threat Alert triggered on computer xxxxxxx:  from: 320642@msg.vodafone.com to: <xxx@xx.com> with subject vodafone MMS [DIGIT[7]} dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

I have only gotten three so it could be a fluke or a new one.



Offline janet

Re: How to block ZIP file attachment
« Reply #43 on: February 27, 2015, 03:18:20 AM »
devtay

Quote
UEsDBBUAA
2/26/2015 8:29:05 AM - Module POP3 filter - Threat Alert triggered on computer xxxxxxx:  from: 320642@msg.vodafone.com to: <xxx@xx.com> with subject vodafone MMS [DIGIT[7]} dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

Well add it to your system, observe for a few days, & then request it be added to the mailpatterns by posting a NFR at bugzilla
Thanks

/sbin/e-smith/db mailpatterns set DATA pattern Body UEsDBBUAA Description "Other data" Glob yes LineStart yes Status enabled
signal-event email-update
« Last Edit: February 27, 2015, 10:56:03 AM by janet »

Offline janet

Re: How to block ZIP file attachment
« Reply #44 on: February 27, 2015, 03:40:42 AM »
devtay

Can you also follow the instructions here
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Determining_file_pattern.2C_signature_or_magic
which refers to using the file command to determine what file type it is.

As you have three examples of actual files to use, run file against each of those.

ie this part:
To find out the file type details
echo 'UEsDBBUAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result
file /tmp/17.exe
the output is
/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file

Let us know.
Thanks

Offline janet

Re: How to block ZIP file attachment
« Reply #45 on: February 27, 2015, 03:55:46 AM »
devtay

Here is what I get:

echo 'UEsDBBUAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/23.exe
file /tmp/23.exe
/tmp/23.exe: data

echo 'UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/24.exe
file /tmp/24.exe
/tmp/24.exe: data

Offline janet

Re: How to block ZIP file attachment
« Reply #46 on: February 27, 2015, 10:54:48 AM »
devtay

Quote
IMG_02_2015_3301796.JPEG.zip
IMG_02_2015_3537629.JPEG.zip
IMG_02_2015_8824553.JPEG.zip
I know this zip file is a virus because the desktop antivirus caught it when the email got downloaded. Here's my notification:
dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

Based on my tests it is not a zip file. It might be named zip but it is a data file, with a Trojan embedded in it, & it is purporting to be a jpeg compressed as a zip file.

So if you create a mailpattern for that signature, then you need to be careful you are not blocking other data files that you do want to pass through your mail system.
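Added example, not part of the thread and not SME Server code: the decoding step janet describes with perl and `file`, done in Python so that the zip local-file-header fields behind the quoted base64 prefixes can be read directly instead of relying on what `file` prints for a truncated sample. Base64 carries 3 bytes per 4 characters, so a 9-character prefix such as `UEsDBBUAA` pins down 6 whole bytes (the `PK\x03\x04` signature and the two-byte "version needed to extract" field, which is the only thing that differs between `UEsDBAoAA`, `UEsDBBQAA` and `UEsDBBUAA`) plus the top 6 bits of the seventh. The 76-character line devtay posted decodes to a complete 30-byte header followed by 27 of the 28 bytes of the entry name. Field offsets and the meaning of compression method 9 (Deflate64) follow the published zip format specification; the only inputs are the prefixes and the line quoted in the thread, and the `file` results in janet's post are not reproduced here.

```python
import base64
import struct
from typing import Any, Dict

LOCAL_HEADER_SIGNATURE = b"PK\x03\x04"  # zip local file header, what base64 "UEsDBA.." encodes
LOCAL_HEADER_LEN = 30                   # fixed part; the entry name follows at offset 30

# Prefixes and the long line as quoted in the thread
THREAD_PREFIXES = ["UEsDBAoAA", "UEsDBBQAA", "UEsDBBUAA"]
THREAD_LINE = "UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4"


def decode_b64_prefix(prefix: str) -> bytes:
    """Decode an unpadded base64 prefix. Four characters give three bytes; a
    lone trailing character covers only 6 bits of the next byte and is dropped,
    two or three trailing characters are padded out to one or two bytes."""
    rem = len(prefix) % 4
    if rem == 1:
        prefix = prefix[:-1]
    elif rem:
        prefix += "=" * (4 - rem)
    return base64.b64decode(prefix)


def parse_zip_local_header(data: bytes) -> Dict[str, Any]:
    """Read as many local-file-header fields as the available bytes cover.
    Offsets: 0 signature, 4 version needed, 6 flags, 8 method, 10 time,
    12 date, 14 crc32, 18 compressed size, 22 uncompressed size,
    26 name length, 28 extra length, 30 name."""
    info: Dict[str, Any] = {
        "is_zip_local_header": data[:4] == LOCAL_HEADER_SIGNATURE,
        "bytes_available": len(data),
    }
    if len(data) >= 6:
        ver = struct.unpack_from("<H", data, 4)[0]
        info["version_needed"] = "%d.%d" % (ver // 10, ver % 10)  # 10 -> 1.0, 20 -> 2.0, 21 -> 2.1
    if len(data) >= 10:
        info["flags"], info["method"] = struct.unpack_from("<HH", data, 6)
    if len(data) >= 14:
        _time, date = struct.unpack_from("<HH", data, 10)
        info["mod_date"] = "%04d-%02d-%02d" % (1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F)
    if len(data) >= LOCAL_HEADER_LEN:
        crc, csize, usize, name_len, extra_len = struct.unpack_from("<IIIHH", data, 14)
        info.update(crc32=crc, compressed_size=csize, uncompressed_size=usize,
                    name_len=name_len, extra_len=extra_len)
        name_bytes = data[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]
        info["name"] = name_bytes.decode("ascii", "replace")
        info["name_complete"] = len(name_bytes) == name_len
    return info


def describe(b64_prefix: str) -> Dict[str, Any]:
    """Decode a base64 pattern and report the header fields it actually fixes."""
    return parse_zip_local_header(decode_b64_prefix(b64_prefix))


if __name__ == "__main__":
    for sample in THREAD_PREFIXES + [THREAD_LINE]:
        print(sample[:20], describe(sample))
```

Running `describe` over a candidate before adding it to `mailpatterns` shows exactly what the pattern commits to: the three short prefixes fix nothing beyond signature and version, so each matches every archive that declares that version, which is the false-positive question raised earlier in the thread; the long line, by contrast, fixes a specific compression method, timestamp, CRC, sizes and most of a filename, and would match only that one attachment.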

Offline willdoicu

Re: How to block ZIP file attachment
« Reply #47 on: July 07, 2016, 07:42:55 AM »
Hello,
Last days I have some problem with a pattern which looks like this
UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC

It's a .docm attachment, and it does contain a malicious macro. The problem is the "+" in the middle of the pattern. If I try to block the whole pattern, the server (SME 9.1) won't. As a result only the characters before the "+" will work, and .xlsx files would be blocked too.
Any idea?
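Added example, not from the post above and not SME Server code: what the quoted pattern encodes, and how its `+` behaves under the two matching semantics a pattern might be fed into. Decoded, the line is the zip local-file header of `[Content_Types].xml`, the part that begins every Office Open XML package (.docx, .xlsx and .docm alike), so no prefix of this line can separate a macro-enabled document from a spreadsheet; the macro lives in a later `vbaProject.bin` entry that a first-line signature never sees, which is why the truncated pattern catches .xlsx files too. `+` and `/` belong to the base64 alphabet and are also regular-expression metacharacters: under shell-glob rules (Python's `fnmatch` stands in for them here) they are ordinary characters, whereas a pattern dropped unescaped into a regular expression turns `B+` into "one or more B" and stops matching the very line it was copied from. Which of the two SME 9.1 applies internally is not settled by the post; the code only shows the two behaviours, the escaping that makes the regex form safe, and how few header bytes the pattern cut off at `+` actually fixes.

```python
import base64
import fnmatch
import re
import struct
from typing import Tuple

# Base64 line quoted in the post above: the first line of the .docm attachment body
POSTED_LINE = "UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC"


def entry_name(line: str) -> str:
    """Name of the first zip entry in a base64 line: the local file header keeps
    the name length at offset 26 and the name itself from offset 30."""
    data = base64.b64decode(line)  # 76 characters decode to 57 bytes, no padding needed
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[30:30 + name_len].decode("ascii", "replace")


def bytes_constrained(prefix_chars: int) -> Tuple[int, int]:
    """Whole bytes and leftover bits that a base64 prefix pins down (6 bits per character)."""
    bits = prefix_chars * 6
    return bits // 8, bits % 8


def before_plus(pattern: str) -> str:
    """The part of the pattern that survives if matching stops at the first '+'."""
    return pattern.split("+", 1)[0]


def glob_match(pattern: str, line: str) -> bool:
    """Shell-glob semantics: '+' and '/' are literal, so the full pattern works."""
    return fnmatch.fnmatchcase(line, pattern + "*")


def regex_match(pattern: str, line: str, escape: bool) -> bool:
    """Regex semantics. Unescaped, the '+' quantifies the preceding character and
    the literal '+' in the line is never matched; re.escape restores the literal."""
    body = re.escape(pattern) if escape else pattern
    return re.match("^" + body, line) is not None


if __name__ == "__main__":
    print("first entry:", entry_name(POSTED_LINE))
    head = before_plus(POSTED_LINE)
    print("pattern before '+':", head, "covers", bytes_constrained(len(head)))
    print("glob, full pattern:      ", glob_match(POSTED_LINE, POSTED_LINE))
    print("regex, unescaped:        ", regex_match(POSTED_LINE, POSTED_LINE, escape=False))
    print("regex, escaped:          ", regex_match(POSTED_LINE, POSTED_LINE, escape=True))
    print("regex, cut at '+':       ", regex_match(head, POSTED_LINE, escape=False))
```

The 19 characters before the `+` cover 14 bytes and 2 bits: signature, version, flags, method, timestamp and the first two bits of the CRC. Nothing in that range says what kind of Office document the package is, so whatever fixes the `+` handling, a first-line pattern remains a poor tool for macro documents; inspecting the archive for a `vbaProject.bin` part, or relying on the virus scanner, addresses the actual difference between a .docm and a .xlsx.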