Koozali.org: home of the SME Server

How to block ZIP file attachment

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #15 on: December 05, 2014, 10:57:55 AM »
Hi,
Thanks for your help.
I have checked the qpsmtpd/current log file and did not find anything related to the scanning of the file attachment.

Via the following link, I have saved the test zip file that I am sending (basic test file zipped from OS X).

https://www.dropbox.com/s/el2vimiwwnc65wv/Test.txt.zip?dl=0


Regards
Gaëtan

Offline Stefano

Re: How to block ZIP file attachment
« Reply #16 on: December 05, 2014, 01:16:17 PM »
Do you really not find anything like:

@4000000054819e3a20d2c36c 31236 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@4000000054819e3a21adcda4 31236 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1417780780:31236:0: OK

?

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #17 on: December 05, 2014, 01:59:06 PM »
Sorry, I actually do:

@400000005481aac700e30b0c 27327 Accepted connection 2/40 from 176.222.239.98 / mxdk02.scanmailx.com
@400000005481aac700e4b4d4 27327 Connection from mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac700fe9da4 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac7011f3d34 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac70191fc34 27327 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
@400000005481aac801d6b5f4 27327 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
@400000005481aac8023f91b4 27327 220 sme.domain.com ESMTP
@400000005481aac803b04854 27327 dispatching EHLO scanmailx.com
@400000005481aac803c3e3dc 27327 250-domain.com Hi mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac803c44584 27327 250-PIPELINING
@400000005481aac803c49f5c 27327 250-8BITMIME
@400000005481aac803c504ec 27327 250-SIZE 12000000
@400000005481aac803c55ec4 27327 250 STARTTLS
@400000005481aac8053486f4 27327 dispatching STARTTLS
@400000005481aac80535fa0c 27327 220 Go ahead with TLS
@400000005481aac80a87f9ec 27327 tls plugin (unrecognized_command): TLS setup returning
@400000005481aac80bf5552c 27327 dispatching EHLO scanmailx.com
@400000005481aac80bfd928c 27327 250-domain.com Hi mxdk02.scanmailx.com [176.222.239.98]
@400000005481aac80bfdfc04 27327 250-PIPELINING
@400000005481aac80bfe55dc 27327 250-8BITMIME
@400000005481aac80bfeb784 27327 250-SIZE 12000000
@400000005481aac80bff115c 27327 250 AUTH PLAIN LOGIN
@400000005481aac80d7b39ac 27327 dispatching MAIL FROM: <xxxemail_address_fromxxx>
@400000005481aac80d7cdba4 27327 full from_parameter: FROM: <xxxemail_address_fromxxx>
@400000005481aac810aece2c 27327 getting mail from <xxxemail_address_fromxxx>
@400000005481aac810af7df4 27327 250 <xxxemail_address_fromxxx>, sender OK - how exciting to get mail from you!
@400000005481aac81309c974 27327 dispatching RCPT TO: <address_to@domain.com>
@400000005481aad01986996c 27327 check_goodrcptto plugin (rcpt): stripping '-' extensions
@400000005481aad019ee2154 27327 250 <address_to@domain.com>, recipient ok
@400000005481aad01b6275bc 27327 dispatching DATA
@400000005481aad01b66cb1c 27327 354 go ahead
@400000005481aad01ceb6f4c 27327 spooling message to disk
@400000005481aad0201802d4 27327 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
@400000005481aad020e34dcc 27327 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1417784006:27327:0: OK
@400000005481aad020f1384c 27327 logging::logterse plugin (queue): ` 176.222.239.98   mxdk02.scanmailx.com   scanmailx.com   <xxxemail_address_fromxxx>   <address_to@domain.com>   queued      <5481AAB8.20603@gmail.com>   No, hits=0.6 required=5.
@400000005481aad02c1fe7f4 27327 250 Queued! 1417784006 qp 27391 <5481AAB8.20603@gmail.com>
@400000005481aad02d90dd14 27327 dispatching QUIT
@400000005481aad02d933a8c 27327 221 domain.com closing connection. Have a wonderful day.
@400000005481aad02d94a5d4 27327 click, disconnecting

Offline janet

Re: How to block ZIP file attachment
« Reply #18 on: December 05, 2014, 03:58:23 PM »
Gaetan

Here is the header info from a message with your test.txt.zip file attached that was sent from and to my account on an SME server; note that SME did not block the message.

------=_NextPart_000_0007_01D010F4.AB35F890
Content-Type: application/octet-stream;
   name="Test.txt.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="Test.txt.zip"

UEsDBBQACAAIAP1UhUUAAAAAAAAAAAAAAAAIABAAVGVzdC50eHRVWAwAd32BVG59gVT1ARQAe797
f0hqcQkXAFBLBwiBv2bKCgAAAAgAAABQSwECFQMUAAgACAD9VIVFgb9mygoAAAAIAAAACAAMAAAA
AAAAAABApIEAAAAAVGVzdC50eHRVWAgAd32BVG59gVRQSwUGAAAAAAEAAQBCAAAAUAAAAAAA

Note the pertinent part of the file signature or magic is
UEsDBBQAC

The two zip signatures that SME will detect when selected are:
UEsDBAoAA
UEsDBBQAA

The file signature from your zip test file does not match either of the signatures in the mailpatterns database, so that is why the message is not being rejected, even though it has a zip file attachment.

It seems to me that the signature needs to be added to the mailpatterns database, e.g. as another type of zip, an OSX variant file.

You can follow the instructions in the Howto to achieve this
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Enabling_or_disabling_patterns


Comparing it to those other zip files I received earlier today, they are different again.

Header info from recently received messages with zip attachments:

Content-Disposition: attachment; filename="Internal_Only_pdf.zip"
UEsDBBQDA

Content-Disposition: attachment; filename="STD_261.zip"
UEsDBBQDA


So perhaps that signature also needs to be added to the mailpatterns database as a zip variant 3 type.

This will add these signatures to the mailpatterns database
/sbin/e-smith/db mailpatterns set ZIPVOSX pattern Body UEsDBBQAC Description "Zip archive data, created on OSX" Glob yes LineStart yes Status enabled
/sbin/e-smith/db mailpatterns set ZIPV3 pattern Body UEsDBBQDA Description "Zip archive data, variant 3" Glob yes LineStart yes Status enabled
signal-event email-update
« Last Edit: December 05, 2014, 04:15:09 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
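To see what these base64 prefixes really match, here is an added script, written for this page and not part of SME Server or of the thread, that runs a LineStart-style prefix check against the first body line quoted above, parses the ZIP local file header behind it, and works out which flag-byte values a nine-character prefix covers. It assumes the key names ZIP_ASSUMED_1 and ZIP_ASSUMED_2 for the two existing prefixes (only the prefixes themselves appear in the thread); ZIPVOSX and ZIPV3 are the keys from the commands in this post.

```python
import base64
import struct

# Constructed sample: the first base64 body line of the Test.txt.zip
# attachment quoted in the post above.
SAMPLE_LINE = "UEsDBBQACAAIAP1UhUUAAAAAAAAAAAAAAAAIABAAVGVzdC50eHRVWAwAd32BVG59gVT1ARQAe797"

# Base64 prefixes discussed in the thread. ZIPVOSX and ZIPV3 are the keys
# from the db commands in this post; the first two key names are assumed.
PATTERNS = {
    "ZIP_ASSUMED_1": "UEsDBAoAA",
    "ZIP_ASSUMED_2": "UEsDBBQAA",
    "ZIPVOSX": "UEsDBBQAC",
    "ZIPV3": "UEsDBBQDA",
}

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789+/")


def line_start_match(line, patterns=PATTERNS):
    """Emulate a LineStart body pattern: a pattern hits only when its base64
    prefix sits at the very beginning of the line, as mailpatterns requires."""
    return [name for name, prefix in patterns.items() if line.startswith(prefix)]


def zip_local_header(line):
    """Decode the leading whole base64 groups of a body line and parse the
    ZIP local file header they start with; None if it is not a ZIP."""
    whole = line[: len(line) - len(line) % 4]        # drop a partial group
    raw = base64.b64decode(whole)
    if len(raw) < 10 or raw[:4] != b"PK\x03\x04":     # ZIP local header magic
        return None
    version, flags, method = struct.unpack("<HHH", raw[4:10])
    # version 20 = 2.0; flags bit 3 (0x0008) = data descriptor present, as
    # streaming writers set it; method 8 = deflate.
    return {"version_needed": version, "flags": flags, "method": method}


def flag_byte_range(prefix):
    """A 9-char prefix fixes 6 whole bytes (magic + version) plus the top 6
    bits of byte 7, the low byte of the flags field. Return the inclusive
    range of flag low-byte values the prefix therefore covers."""
    top6 = B64_ALPHABET.index(prefix[8])
    return top6 << 2, (top6 << 2) | 0x03
```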

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #19 on: December 05, 2014, 04:04:05 PM »
Very interesting indeed.
It looks to me like there could be a multitude of signatures for compressed zip files, and that what I expect from the SME mail attachment filtering is not really possible because many, many different signatures would have to be registered.

Maybe the SME server should simply filter by file extensions?


Rgds

Offline janet

Re: How to block ZIP file attachment
« Reply #20 on: December 05, 2014, 04:27:19 PM »
Gaetan

Please see my amended previous post with suitable commands to add these signatures to the mailpatterns database.

Quote
It looks to me like there could be a multitude of signatures for compressed zip files

Yes indeed, but the trick is to select a common signature or a few signatures that will cover the majority of zip file signatures.
It has been many years since the mailpatterns database idea was created by Gordon Rowell, so new zip file signatures have been created in that time, either by design, e.g. the OSX variant, or by hackers etc. who are trying to circumvent exe attachment filtering.

Quote
.... and that what I expect from the SME mail attachment filtering is not really possible because many, many different signatures would have to be registered

Nothing stays the same, so if a couple of new signatures need to be added after 7 years, that is not too bad and pretty easy to accommodate; refer to the commands I gave, i.e.
/sbin/e-smith/db mailpatterns set ZIPVOSX pattern Body UEsDBBQAC Description "Zip archive data, created on OSX" Glob yes LineStart yes Status enabled
/sbin/e-smith/db mailpatterns set ZIPV3 pattern Body UEsDBBQDA Description "Zip archive data, variant 3" Glob yes LineStart yes Status enabled
signal-event email-update


Quote
Maybe the SME server should simply filter by file extensions?

That is not possible or practical. File names can easily be changed (spoofed) to circumvent name based filtering.
Mailpatterns is the correct way to do it & it has proved VERY effective over the years.

Please add the zip type(s) I advised & let us know your results.

These should really be added to the default mailpatterns database, ie as "newly discovered" zip signatures.

Offline janet

Re: How to block ZIP file attachment
« Reply #21 on: December 05, 2014, 04:33:03 PM »
Gaetan

I added the signatures to the mailpatterns db, and now when I send your zip file to myself I get this error,
which is good because it indicates the zip file OSX variant is being rejected, as expected.

Subject 'Fw: test zip attach with test.txt',
Account: 'yyyyy',
Server: 'www.xxxxx.xxx.xx',
Protocol: SMTP,
Server Response: '552 We don't accept email with executable content [UEsDBBQAC].',
Port: 465,
Secure(SSL): Yes,
Server Error: 552, Error Number: 0x800CCC6D

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #22 on: December 05, 2014, 05:05:33 PM »
Hi Janet,
Thank you very much for your help on this.
It does now indeed block the test zip file.

Very well done.
Thanks again.

Offline raem

Re: How to block ZIP file attachment
« Reply #23 on: December 05, 2014, 05:10:42 PM »
janet & Gaetan

Quote
These should really be added to the default mailpatterns database, ie as "newly discovered" zip signatures.

I added a NFR bug report
http://bugs.contribs.org/show_bug.cgi?id=8717

Probably should duplicate for SME 9 also.
Added http://bugs.contribs.org/show_bug.cgi?id=8718
« Last Edit: December 05, 2014, 05:16:51 PM by raem »

Offline stephdl

Re: How to block ZIP file attachment
« Reply #24 on: December 05, 2014, 06:50:05 PM »
Modifications pushed to cvs & built; please can you verify it?
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline raem

Re: How to block ZIP file attachment
« Reply #25 on: December 05, 2014, 09:29:00 PM »
stephdl
Quote
Modifications pushed to cvs & built; please can you verify it?

Tested & Verified both bugs

If users cannot wait for the updated packages to move to the updates repo, do
yum update --enablerepo=smetest e-smith-email
db mailpatterns setprop ZIPV3 Status enabled
db mailpatterns setprop ZIPVOSX Status enabled
signal-event email-update

Thanks Steph for the fast work; it should have a significant impact on the virus-laden zip files being sent via email.

Offline stephdl

Re: How to block ZIP file attachment
« Reply #26 on: December 05, 2014, 10:19:45 PM »
I have just pushed the work done here; development is a two-way road. I'm quite sure that a lot of people here are skilled enough to play with bugs.

We have had some resignations and a decease this year...you are welcome to dance on bugs with us.

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #27 on: December 09, 2014, 12:21:10 PM »
Hi,
I have another question regarding attachment filtering.
Our SME server keeps rejecting some MS Excel files in the xlsx format.
Here is the error message:
"We don't accept email with executable content [UEsDBAoAA]"

Why is that?

Offline Stefano

Re: How to block ZIP file attachment
« Reply #28 on: December 09, 2014, 12:22:23 PM »
Because xlsx and docx documents are zip files.

Google will tell you more.

Offline Gaetan

Re: How to block ZIP file attachment
« Reply #29 on: December 09, 2014, 12:34:21 PM »
OK, I see. Thanks.