Topic: block iso email attachment

[SchulzStefan]

SchulzStefan

Why ?
What is your reason, is it a technical  reason, & if so, what ?


To what size & which setting or settings ?
Has that helped stop iso & img attachments ?

Janet,

the reason are the users. They click on every attachment. Download is starting, click again, there you go, it's an dot.exe, inside virus, malware, whatever. The attachment of the email is a file ending as an iso. It's of course *not* an iso, it's whatever. I don't want to know... I just want to block those emails.

No, emails are flowing in in different sizes, small, few hundred kB... Unfortunately no help.

regards,
stefan

[SchulzStefan]

Here are some details on how to block by filetype using spamassassin.

1. Review your current spamassassin settings in case you want to revert them.
Make sure that status=enabled and RejectLevel" is a positive non-zero number that is smaller than the custom score we will assign later.
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=12.00
    DNSAvailable=yes
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=50
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=disabled
    TagLevel=5
    UseBayes=1
    status=enabled


To set the values shown above:

Code: [Select]

config setprop spamassassin RejectLevel 50
config setprop spamassassin status enabled

2. Create a custom template fragment for spamassassin
This example will block ".rtf", ".iso" and ".img". 

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/
echo '# 80custom_rules
mimeheader MIME_FAIL   Content-Type =~ /\.(rtf|iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95' > 80custom_rules

3. Activate

Code: [Select]

signal-event email-update

4. Monitor
Note the score is around the value we specified in our custom rule - 95 in this example (it will be slightly higher or lower depending on the results of the other tests that spamassassin has applied):

Code: [Select]

# tail -f /var/log/qpsmtpd/current |tai64nlocal |grep logterse
2019-05-29 09:12:30.238271500 23921 (deny) logging::logterse: ` 209.85.167.179 mail-oi1-f179.google.com mail-oi1-f179.google.com <mmccarn@myotherdomain.org> <mmccarn@mmsmeserver.tld> spamassassin 901 spam score exceeded threshold Yes, score=95.9 required=5.0 autolearn=disable


If something is misconfigured, all email will be blocked


To revert these changes:

1. Restore spamassassin to its original configuration (you made notes in step 1, right?)
2. Delete the custom template fragment and reconfigure email

Code: [Select]

'rm' /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/80custom_rules
signal-event email-update

Note: while working on this my server started blocking all incoming attachments with an error saying "Unable to scan for viruses".  I disabled clamd using config setprop clamd status disabled.  I don't know if this is related to these notes, or to another issue with my server.

mmcarn,

here's what I did:

1.)
# config show spamassassin
spamassassin=service
    BayesAutoLearnThresholdNonspam=0.10
    BayesAutoLearnThresholdSpam=6.00
    DNSAvailable=yes
    MaxMessageSize=2000000
    MessageRetentionTime=90
    OkLanguages=all
    OkLocales=all
    RejectLevel=9
    ReportSafe=0
    Sensitivity=custom
    SkipRBLChecks=0
    SortSpam=enabled
    Subject=[SPAM]
    SubjectTag=enabled
    TagLevel=4
    UseBayes=1
    status=enabled

2.)
less /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores

3.)
mimeheader MIME_FAIL   Content-Type =~ \.(iso|img|ade|adp|bat|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|lnk|mde|msc|msp|mst|pif|scr|sct|shb|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh|reg)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   95

I renamed a pdf to an iso file and sent this to my server. The email was rejected. Seems to work. Emails with other attachments are coming in, I got no complaints so far.

I'll report if I stumble over not seen issues so far.

Thanks to everybody sharing this thread.

regards,
stefan

[ReetP]

Don't forget the huge gaping flaw in your plan Stan.

I renamed a pdf to an iso file and sent this to my server. The email was rejected.

Convert to:

I renamed a ISO to a PDF file and sent this to my server, and it went through quite happily and my server and I never noticed a thing..... until I was relaxing having a nice beer one day knowing how safe I was when some bad person sent a sneaky EXE that some user got tricked into saving and opening and it's wiped out all the desktops.....

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

[SchulzStefan]

Don't forget the huge gaping flaw in your plan Stan.

Convert to:

If you are paranoid I suggest you keep some serious monitoring in place, restrict file sizes to say 5mb max and make them use DL or some other service for anything larger (or use it for everything !!!!), and don't give up on your AntiVirus/Spyware subscriptions just yet.

Fire & forget quick hacks rarely work well. They just paper over cracks and catch you out in the end.

(Just trying to save you from yourself here)

ReetP

Of course you're right. All viruses in attachments (or even stupid links in emails clicked by users) not known to clamav or to any virus-scanner working on the workstations, will cause damage.

And yes - I'm paranoid with my data.

regards,
stefan

[janet]

SchulzStefan

And yes - I'm paranoid with my data.

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed atrachment content types selected inckuding zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.

[ReetP]

And yes - I'm paranoid with my data.

In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)

[SchulzStefan]

SchulzStefan

So from your earlier responses your real target is viruses & executable content in email message attachments.

Given your comment about being paranoid with your data, I would have assumed you would use the Email panel executable content blocking feature, with ALL listed atrachment content types selected inckuding zip1 & zip2.

That blocks the majority of viruses sent by email in my experience.

Yes you need to use Dropbox or maybe an external carefully monitored free unprotected email account to send large files, but that is a small price to pay given the damage & cost of a virus infection.

Janet,

executable content is already enabled. We do use dropboxes for big data.

regards,
stefan

[SchulzStefan]

In which case, as Janet and I have suggested, look for a better solution. This one is just a disaster waiting to happen.

(And I am really trying to help you here - I don't want to see you get hacked!)

ReetP,

thank you for your hints and thoughts. I'm certainly not the only one thinking about a safer IT.

Therefore I use a hardware-firewall (opnsense) in front of the (server-only) smeserver. Don't get me wrong - I don't want to start a discussion about internal or external firewalls. The firewall is modded with all security addons (internal and external net) which are available as addons. Til today (doing IT since 1981) I never have been hacked (or should I better say, didn't realise, that I'm already hacked?). I try to take very carefully care of logs, internal and external traffic, sources, domains, IP's, etc.

I'm doing twice a day backups - one USB and one AFFA-server is running all time with the smeserver. I know what it means to a company, if your IT does not work.

Nevertheless I don't want to spend time for the above mentioned attachments. If any sender of an email with an attachment defined to block, it's one email less to care about. Because it's blocked.

I do know about viruses in PDF, ZIP, RAR, EXE, DOCX, and so on. There's still enough to take care about. And IMVHO (sorry for my paranoia), I think all this is getting worser in future. I know blocking attachments cannot be the all-incl-insurance. This was never my intention.

regards,
stefan