Koozali.org: home of the SME Server

How to block ZIP file attachment

PeteAUK
Re: How to block ZIP file attachment
« Reply #30 on: December 09, 2014, 12:45:44 PM »
Quote
because xlsx and docx documents are zip files

google will tell you more

Coincidentally, I'm just looking into the same bits on my SME Server (v8). What's the best way to set up blocking ZIPs while allowing the M$ formats?

Stefano
Re: How to block ZIP file attachment
« Reply #31 on: December 09, 2014, 03:48:41 PM »
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.
use pdf

if you need to work with doc/xls and you really want to block zip, you need to use a different kind of file sharing.

PeteAUK
Re: How to block ZIP file attachment
« Reply #32 on: December 09, 2014, 05:28:38 PM »
Quote
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.
use pdf

if you need to work with doc/xls and you really want to block zip, you need to use a different kind of file sharing

Thanks for the reply.

Guessing you're not talking from a business perspective when you say don't send doc/xls files - the chance of getting people to work purely with pdf is a bit like trying to find the holy grail ;)

brianr
Re: How to block ZIP file attachment
« Reply #33 on: December 09, 2014, 05:35:35 PM »
Quote
AFAICT there's no way..
and, moreover, I would say that there's no reason to send doc/xls files.

In my experience doc and xls files can be sent and received, it's just the xlsx and docx versions that can't.

There's been a rash of zipped-up attachments (as fake invoices or faxes?), leading to exploits in the last year, and the mailpatterns have saved my bacon on a number of occasions as far as I can tell.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Stefano
Re: How to block ZIP file attachment
« Reply #34 on: December 09, 2014, 05:37:43 PM »
au contraire..

start blocking everything but pdf and give users rules and tools.. that's the way..

email was not intended as a file sharing tool.. and everything that goes out from my lan towards an external recipient should not be editable and/or a virus container.. a pdf is enough, digitally signed would be better.

PeteAUK
Re: How to block ZIP file attachment
« Reply #35 on: December 09, 2014, 05:49:30 PM »
Quote
au contraire..

start blocking everything but pdf and give users rules and tools.. that's the way..

email was not intended as a file sharing tool.. and everything that goes out from my lan towards an external recipient should not be editable and/or a virus container.. a pdf is enough, digitally signed would be better.

Completely agree from one perspective: everything going out could comply with a very draconian ruleset - you might even be lucky and your director/CEO/MD will agree with it. However, you have no control over what people (more specifically customers) send your way, and ultimately it's customers that pay your wages, and they're the ones who don't understand that an XLSX file could be a virus.

E-mail might not have been intended for file sharing, but that's what it's become and is regularly used for - how many people e-mail a file that's on a network share to a colleague?  There are lots of examples of where technology is used for purposes other than what it was originally conceived for (Facebook, social media or platform for sharing cat pictures)...

Stefano
Re: How to block ZIP file attachment
« Reply #36 on: December 09, 2014, 06:03:12 PM »
Quote
Completely agree on one perspective, everything going out could comply with a very draconian ruleset - you might even be lucky and your director/CEO/MD will agree with it.  However you have no control over what people (more specifically customers) send your way and ultimately it's customers that pays your wages and they're the ones who don't understand that an XLSX file could be a virus.

last week a customer of mine called me "Hi, we can't receive emails from XYZ.."
a fast check.. the sender was sending email with a 50 MB attachment..
my answer: "your server will NEVER receive such a mail and the sender has been informed, this is not a problem on our side".. that's all

users (of any kind) must be educated.. otherwise, you should think about being paid on an "accident" basis.. and if the issue is not a technical one (hw failure and so on) but a human one (virus, deleted files etc.), your hourly rate should be doubled.. in this way, in my personal experience, you have ALL under your control.

people keep thinking about IT as a no one/ no rule land.. and that's not true

guest22

Re: How to block ZIP file attachment
« Reply #37 on: December 09, 2014, 06:15:36 PM »
This might be worth looking at http://wiki.contribs.org/DownloadTicketService

janet
Re: How to block ZIP file attachment
« Reply #38 on: December 09, 2014, 11:43:34 PM »
Gaetan

Quote
"We don't accept email with executable content [UEsDBAoAA]"

Well that is a ZIPv1.0 format, & if you allow that you will receive lots & lots of virus infected messages, which are sent as ZIPv1.0 format.
Virus infected messages/attachments are so prevalent in ZIPv1.0 format.

My suggestion would be to use RAR format to compress files, i.e. WinRAR, as there appear to be a lot fewer nasty messages/attachments in RAR format.
If your users compress a ZIP file into a RAR format, then the ZIPv1.0 (or whatever) will still be detected by SME server, so you need to start with a non ZIP format source.

Alternatives are to put files on a web site for sharing, & just email the link, or create an external free email account/address, & get external senders to send email to that address when attachments are involved, e.g. files in formats that SME will block. This email address should not be publicly advertised or you will just get lots of spam etc. coming to it. You could also create a webshare or similar upload/download site for sharing these types of files, particularly good for really large files, e.g. in the 50 MB to 200 MB range, where some users have data files of that size.

Really security comes first, you cannot risk allowing your server & network to get infected, as the downtime cost is too great to tolerate for most businesses (both unproductive staff time costs as well as tech support costs), but you need to cater for ease of use by customers who will send large attachments & attachments in formats that SME server will block, alternatives for this already suggested. I have this issue in my business & a combination of the workarounds mentioned seems effective enough.

Unfortunately Stefano's attitude of "just don't do it" is not so practical. Businesses need to make it as easy as possible for clients to liaise with us, but my suggestions have been practical for most clients & they catch on quickly when told what to do.
« Last Edit: December 09, 2014, 11:53:38 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Knuddi (http://www.scanmailx.com)
Re: How to block ZIP file attachment
« Reply #39 on: February 10, 2015, 07:49:22 PM »
Having had a closer look at this for ScanMailX, I think that SME signatures are not necessarily the way to go. Signatures are deterministic for some extensions, but for zip, for example, they match other extensions as well and will cause false positives.

I have made a module that looks at two additional items in the MIME header, the Content-Type and the associated name. Surely a smart person can attach a ZIP file with the extension ZAP instead of ZIP, but the normal user will not rename it and hence could potentially be affected by bad software. For "real" ZIP attachments the Content-Type will be either "application/zip" or "application/x-zip-compressed". This will now also be matched.

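An added example (not code from the thread, from ScanMailX or from SME Server) of the three-signal check described in the post above, taken one step further than the post goes: once a part is judged to be a ZIP container by filename, Content-Type or the PK magic, it opens the container and lets through only Office Open XML documents (a ZIP whose entries include [Content_Types].xml), which is what the earlier question about blocking ZIPs while allowing docx/xlsx needs. The extension lists, the Content-Types and the five attachments it builds are constructed test data, not a real message or a real malware sample.

```python
"""Classify attachments: block ZIP containers unless they are Office Open XML,
judging 'is a ZIP' by filename, Content-Type and magic bytes together."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}   # Office Open XML: a ZIP with [Content_Types].xml
# Assumed list for the example; extend to taste.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")


def classify_part(part) -> str:
    """Return 'allow' or 'block:<reason>' for one MIME part."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""

    # Any one of the three signals marks the part as a ZIP container; the
    # magic bytes catch a .zip renamed to .zap and sent with a bland Content-Type.
    looks_like_zip = (payload.startswith(ZIP_MAGIC)
                      or ctype in ZIP_CONTENT_TYPES
                      or ext == ".zip")
    if not looks_like_zip:
        return "allow"
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "block:unreadable ZIP container"
    # A genuine docx/xlsx/pptx is a ZIP containing [Content_Types].xml;
    # require both the extension and the entry so a renamed ZIP does not pass.
    if ext in OOXML_EXT and "[Content_Types].xml" in names:
        return "allow"
    for name in names:
        if name.lower().endswith(EXECUTABLE_EXT):
            return f"block:executable inside ZIP ({name})"
    return "block:ZIP archive"


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 5322 message to its verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify_part(part)
            for part in msg.iter_attachments()}


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """A constructed message with five attachments covering the thread's cases."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample, not a real mail"
    msg.set_content("See attachments.")
    add = msg.add_attachment
    # 1. genuine docx: ZIP with [Content_Types].xml, must pass
    add(make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="report.docx")
    # 2. ZIP carrying an executable, the fake-invoice pattern: blocked
    add(make_zip({"invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60}),
        maintype="application", subtype="x-zip-compressed", filename="invoice.zip")
    # 3. plain ZIP renamed to .zap with a generic Content-Type: magic still catches it
    add(make_zip({"notes.txt": b"hello"}),
        maintype="application", subtype="octet-stream", filename="notes.zap")
    # 4. plain ZIP wearing a .docx name but lacking [Content_Types].xml: blocked
    add(make_zip({"readme.txt": b"not an office file"}),
        maintype="application", subtype="zip", filename="fake.docx")
    # 5. PDF: not a ZIP at all, passes
    add(b"%PDF-1.4\n%constructed\n", maintype="application", subtype="pdf",
        filename="brochure.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{name:14} {verdict}")
```

Because SME's mailpatterns run over the base64 text of the raw message, they can only key on the leading bytes of an attachment, which is exactly why they cannot tell an OOXML file from any other ZIP; a check like this has to run after MIME decoding (a qpsmtpd plugin or a post-delivery filter). Cap the payload size before handing untrusted data to ZipFile, and treat a bare executable that is not inside a ZIP with the same approach using the MZ magic.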
devtay
Re: How to block ZIP file attachment
« Reply #40 on: February 19, 2015, 09:26:50 PM »
In looking through this thread and the Wiki http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Enabling_or_disabling_patterns, I was wondering what's the best practice for picking the magic? Is it more trial and error, or do you just compare what you have stored in the database and then go a character or two longer?
You can't stop what's coming. It ain't all waiting on you.

janet
Re: How to block ZIP file attachment
« Reply #41 on: February 20, 2015, 07:58:45 AM »
devtay

It is outlined in the section before that.
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Determining_file_pattern.2C_signature_or_magic

Just adding a couple of more characters is somewhat random.

You are really looking for the minimum length of pattern that will consistently match against similar or same file types.

devtay
Re: How to block ZIP file attachment
« Reply #42 on: February 26, 2015, 06:43:47 PM »
Three more emails today with different magic made it through my content filter. Possibly a new variant. I'm posting to see if anyone else had this today too.

Filenames followed by magic
IMG_02_2015_3301796.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

IMG_02_2015_3537629.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

IMG_02_2015_8824553.JPEG.zip
UEsDBBUAAAAJAIpjWUZv8l5lF74AAACKAQAcAAAASU1HXzAyXzIwMTVfNzg4ODkyMi5KUEVHLmV4
UEsDBBUAA

I don't see a match in my db.

[root@xxxxx Zip File]# db mailpatterns show | grep Body
    Body=AHhIYW5k
    Body=AHhUYXgg
    Body=AMkgICAg
    Body=AMlIbDk5Lm
    Body=R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
    Body=TVoFAQUAA
    Body=TVoAAAEAAA
    Body=TVoAAAQAA
    Body=TVoAACoAG
    Body=TVoFAQUAA
    Body=TVoFAQUAA
    Body=TVoIARMAA
    Body=TVouARsAA
    Body=TVp1AQEAAAAE
    Body=TVpAALQAc
    Body=TVpLRVJOR
    Body=TVpQAAIAA
    Body=TVpyAXkAX
    Body=TVqQAAMAA
    Body=TVqgAAEAAAAFAAAA
    Body=TVrQAT8AA
    Body=TVrhARwAk
    Body=TVrmAU4AA
    Body=UEsDBAoAA
    Body=UEsDBBQAA
    Body=UEsDBBQDA
    Body=UEsDBBQAC
[root@xxxxx Zip File]#

I know this zip file is a virus because the desktop antivirus caught it when the email got downloaded. Here's my notification:

2/26/2015 8:29:05 AM - Module POP3 filter - Threat Alert triggered on computer xxxxxxx:  from: 320642@msg.vodafone.com to: <xxx@xx.com> with subject vodafone MMS [DIGIT[7]} dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

I have only gotten three so it could be a fluke or a new one.



janet
Re: How to block ZIP file attachment
« Reply #43 on: February 27, 2015, 03:18:20 AM »
devtay

Quote
UEsDBBUAA
2/26/2015 8:29:05 AM - Module POP3 filter - Threat Alert triggered on computer xxxxxxx:  from: 320642@msg.vodafone.com to: <xxx@xx.com> with subject vodafone MMS [DIGIT[7]} dated Thu, 26 Feb 2015 15:25:32 +0100  contains Win32/TrojanDownloader.Wauchos.AF trojan.

Well, add it to your system, observe for a few days, & then request it be added to the mailpatterns by posting an NFR at bugzilla.
Thanks

/sbin/e-smith/db mailpatterns set DATA pattern Body UEsDBBUAA Description "Other data" Glob yes LineStart yes Status enabled
signal-event email-update
« Last Edit: February 27, 2015, 10:56:03 AM by janet »

janet
Re: How to block ZIP file attachment
« Reply #44 on: February 27, 2015, 03:40:42 AM »
devtay

Can you also follow the instructions here
http://wiki.contribs.org/Virus:Email_Attachment_Blocking#Determining_file_pattern.2C_signature_or_magic
which refer to using the file command to determine what file type it is.

As you have three examples of actual files to use, run file against each of those.

i.e. this part:
To find out the file type details
echo 'UEsDBBUAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result
file /tmp/17.exe
the output is
/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file

Let us know.
Thanks