Koozali.org: home of the SME Server

block iso email attachment

Offline SchulzStefan

block iso email attachment
« on: May 20, 2019, 04:28:36 PM »
We see a lot of email attachments like *.img and *.iso from untrusted sources.

Is there an easy way to block those emails?

Thanks for any reply,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

Re: block iso email attachment
« Reply #1 on: May 20, 2019, 08:03:11 PM »
Googling around leads to this approach:

In /etc/mail/spamassassin/local.cf, add the lines:

mimeheader MIME_FAIL   Content-Type =~ /\.(iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   5

Would this do the trick?

Offline janet

Re: block iso email attachment
« Reply #2 on: May 20, 2019, 08:11:13 PM »
SchulzStefan

The server manager Email panel for Executable content blocking may help you.
If those formats are not blocked using any of the standard available file types (that are in the selection list), then you can create your own file "magic" for img & iso using the steps outlined in the latter section of this Howto:
https://wiki.contribs.org/Virus:Email_Attachment_Blocking
Let us know your results.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline SchulzStefan

Re: block iso email attachment
« Reply #3 on: May 20, 2019, 08:18:29 PM »
Janet,

I read the wiki about creating my own magics. I'm looking for a fast and easy way. It seems much easier to me to template local.cf if this approach works. Hence my question: will this work? Of course, I'll try it on my own. I have already implemented this and restarted qmail and spamd. I'll report.

regards,
stefan

Offline SchulzStefan

Re: block iso email attachment
« Reply #4 on: May 20, 2019, 10:12:52 PM »
Quote
Googling around leads to this approach:

In /etc/mail/spamassassin/local.cf, add the lines:

mimeheader MIME_FAIL   Content-Type =~ /\.(iso|img)\b/i
describe   MIME_FAIL   Blacklisted file extension detected
score      MIME_FAIL   5

Would this do the trick?

Negative.

Offline Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)

Re: block iso email attachment
« Reply #5 on: May 21, 2019, 12:05:17 AM »
Try a 95 score.

This needs to have spamassassin enabled,
and sorting to the spam folder enabled if the reject score is not reached.
Also, 5 might be reduced under 4 with other positive filters and might show the mail.

The MIME type filter might be more effective at blocking.

Offline janet

Re: block iso email attachment
« Reply #6 on: May 21, 2019, 08:21:36 AM »
SchulzStefan

"I read the wiki about creating own magics. I'm looking for a fast and easy way."

It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.

You have probably spent more time than that on other non successful methods.

Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.

Offline mmccarn

Re: block iso email attachment
« Reply #7 on: May 21, 2019, 02:18:51 PM »
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.

I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?



This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
Code:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # Maildir file names carry the server name (config get prints the bare value); -ctime -1 = last day
  # grep -iE: case-insensitive, extended regex so (iso|img) is an alternation, not a character class
  find "$maildir" -type f -name "*.$(config get ServerName)*" -ctime -1 \
    -exec grep -liE 'Content-Disposition: attachment; filename="?[^"]*\.(iso|img)"?' "{}" \;
done

Offline SchulzStefan

Re: block iso email attachment
« Reply #8 on: May 23, 2019, 09:28:02 PM »
Quote
It does not take long to run the file.exe command against a few different iso & img files to find the magic, say 10 minutes.
Then add another 10 mins to add that magic to the database & it's done.

I don't understand - *every* attachment is different.

Quote
Remember that pattern matching rejects the email message, whereas spamassassin accepts the email message & moves it to the junkmail folder, thus still consuming download bandwidth.

That's correct.

Offline SchulzStefan

Re: block iso email attachment
« Reply #9 on: May 23, 2019, 09:30:26 PM »
Quote
I, too, have long wished for an easier way to block emails by attachment type on SME servers - and I've never felt like I understand the mailpattern system.

I usually end up looking for another way to do the same thing:
* Are the sending IPs listed in a DNSBL service I can configure?
* Can the unwanted emails be blocked by the helo, rhsbl, or badmailfrom plugins?
* Will they be blocked if I turn on Bayesian filtering and autolearning?
* (as suggested) Can I create a custom spamassassin rule?

This code should find every email received in the last one day ("-ctime -1") with an iso or img attachment - you could then examine those emails for other blockable characteristics, or delete them using a scheduled script:
Code:
find /home/e-smith/files/users/ -type d -name Maildir | while read -r maildir
do
  # Maildir file names carry the server name (config get prints the bare value); -ctime -1 = last day
  # grep -iE: case-insensitive, extended regex so (iso|img) is an alternation, not a character class
  find "$maildir" -type f -name "*.$(config get ServerName)*" -ctime -1 \
    -exec grep -liE 'Content-Disposition: attachment; filename="?[^"]*\.(iso|img)"?' "{}" \;
done

Aha. Seems I'm not the only one thinking about an easy way to block any attachment you want.

I'll give the script a try.

Offline janet

Re: block iso email attachment
« Reply #10 on: May 24, 2019, 12:19:08 AM »
SchulzStefan

Blocking by filename type (suffix) is flawed, as files can be an exe or zip or whatever else type content but be named *.txt, thus avoiding detection.

Quote
I don't understand - *every* attachment is different.

Well so you claim.
In plain English: in most cases, files of a certain format, say zipv1, have a common set of characters at the very beginning of the file "code". This is known as the "magic" or "signature" or "pattern", & is usually 9 characters or more that are identical in "every" zipv1 file.
The same concept applies to zipv2 & exe & other file formats, they all have a unique & identical set of characters at the beginning of the file, which is identical for each specific file format type.

The neat aspect of file pattern matching is that the file can have a false name, say filename.txt, but if it is actually a zipv1 or exe format file, then the pattern matching will detect & reject it. A false name cannot trick or fool the pattern matching filter, as it examines the file content rather than the file name.

So as no specific pattern is listed in the SME server database for iso & img files, you will need to determine what the pattern or magic is, add it to the mailpatterns database & select that option in server manager.

The full instructions are in the Howto & while appearing to be complex, it is fairly straightforward if you follow the step by step instructions (i.e. the section about determining the magic & creating a database entry).

I do not personally know for sure if there are common patterns for all variants of iso & img files, that is why you would need to run the commands described in the Howto against a few different iso & img files.
« Last Edit: May 25, 2019, 01:33:57 AM by janet »

Offline janet

Re: block iso email attachment
« Reply #11 on: May 24, 2019, 12:29:30 AM »
SchulzStefan

From the Howto article are these extra patterns you can add. They may catch some of your unwanted img files as they detect content rather than filename.

Extra patterns
Extra patterns not included in the default database that may be enabled if required for blocking of multimedia files etc (long & short versions listed)

Note:
These have not been thoroughly tested and may need further refinement to ensure they accurately represent the signature pattern for all occurrences of the particular file type

SCR screen saver files - MS-DOS executable (EXE)
Example: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Pattern: TVqQAAMAAA

PIF1 - data
Example: AHhUYXggMTk5OCAgICAgICAgICAgICAgICAgICAgICCAAgAAWTpcSFNPRlRcSFQ5OFxIVDk4LkVY
Pattern: AHhUYXgg

PIF2 - data
Example: AMlIbDk5LmV4ZSAgICAgICAgICAgICAgICAgICAgICCAAIAAVDpccHJpdmF0ZVxIc29mdFxITFxI
Pattern: AMlIbDk5Lm

PIF3 - data
Example: AHhIYW5kaVJlZ2lzdGVyIDIwMDAgICAgICAgICAgICCAAgAAWTpcSHNvZnRcSFJcSFIwMC5FWEUA
Pattern: AHhIYW5k

WAV sound file - data
Example: UklGRiRwLgBXQVZFZm10IBAAAAABAAIAgLsAAADuAgAEABAAZGF0YQBwLgAAAAAAAAAAAAAAAAAA
Pattern: UklGRiRwL

JPEG image data, JFIF standard 0.00, aspect ratio, 0 x 0
Example: /9j/4AAQSkZJRgABAgEBLAEsAAD/7RLSUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABABLAAAAAEA
Pattern: /9j/4AAQSkZJRg

TIF - TIFF image data, little-endian
Example: SUkqAAgAAAAQAP4ABAABAAAAAAAAAAABAwABAAAAJgMAAAEBAwABAAAAQAUAAAIBAwADAAAAzgAA
Pattern: SUkqAAgAAAA

PPT powerpoint presentation - Microsoft Office Document
Example: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAADEAwAAIRgBAAAAAAAA
Pattern: 0M8R4KGxGuEA

WMV Windows Media Player video file - Microsoft ASF
Example: MCaydY5mzxGm2QCqAGLObH8PAAAAAAAACwAAAAECodyrjEepzxGO5ADADCBTZWgAAAAAAAAAeeIB
Pattern: MCaydY5mzxGm

MPG mpeg1 video file - MPEG system stream data
Example: AAABuiEAAQAHgCgdAAABuwAMgCgdBeH/4OAuwMAgAAAB4AfcYC4xAAGMUREAAXAxAAABsxYBIIME
Pattern: AAABuiEAAQAHg

M2P mpeg2 video file - MPEG system stream data
Example: AAABukQABAAGBQFG//gAAAG7AAyAo38F4X/g4OfAwCAAAAHgB9qAwQ0xAAG2QxEAAZojHmDnAAAB
Pattern: AAABukQABAAGB

AVI video file - RIFF (little-endian) data
Example: UklGRpC0qQBBVkkgTElTVDYBAABoZHJsYXZpaDgAAABAnAAA5MJnAAAAAAAQAAEAWggAAAAAAAAC
Pattern: UklGRpC0qQBB

Offline janet

Re: block iso email attachment
« Reply #12 on: May 24, 2019, 12:35:27 AM »
SchulzStefan

From the Howto.

Determining file pattern, signature or magic
To find out what the pattern or signature or magic for a file is, it needs to be run through a base64 encoding routine and the appropriate strings determined from the first line of the output. That is, for "sane" files which have "magic" numbers at the start. The file can also be decoded to find out what type of it is. Published file specifications (where available) could also be referred to.

Copy a file to a folder on SME Server, say filename.zip

At the command prompt do

perl -MMIME::Base64 -0777 -ne 'print encode_base64($_)' <filename.zip | head -1
This gives an output of

UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV
A suitable substring needs to be picked to use as the pattern for this file type, for example:

UEsDBAoAA
The pattern string needs to be long enough to avoid "false positives" and short enough to catch all of that file type. Running the above command across a few files of a particular type will usually clearly show the appropriate substring.

To find out the file type details

echo 'UEsDBAoAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result

file /tmp/17.exe
the output is

/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file

An alternative way of identifying the file pattern or signature for users of Clamavis-ng is to view the quarantined messages in /var/spool/amavis-ng/quarantine

Here is an extract from a quarantined infected message that mimics a zip file

File: 406a8bee~aad.msg Col 0 30787 bytes
----------mtohkeqkmfnipbfntepj
Content-Type: application/octet-stream; name="AttachedFile.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AttachedFile.zip"
UEsDBAoAAQAAAMBOfzC356fxzVUAAMFVAAANAAAAZWxhaXZrZHVwLnNjckwHjDHTKYSGUE+SV1OwspplLsSWrbYvwOvHVHYOYDOiVliyLlDWU2LYVELdEiwxkwOPVsk3+m/Ddl9U56v6+tbrdXPEBTv+yEH56h/R+Bbk54hUOLieVPW61QOD7YVXZilxgCAZ+SppPxWuKv2iCBuw5qQ5N/r7CISrWWEPaAzGYwUmuERoNMEo4TFm6yV2BqBhv+Y1e/SLz30EV6anGmvwvKiWaLfcjo8sfF3UDQ203TAV33kypvZDqAsF/g3O1rvbEf+K/pZpWjOy1A5S3OWF7IKsbNxQdwqWPvuO6XS6QHwLQAF+6q4LKdUFM89j+lnKR3bXaGU3v18YN862XIeJtEqW3Ulbj8MA33IBDoTQzpYQwGQm+?????????..
So to create a new pattern for this message use

UEsDBAoAA
which is the pattern corresponding to ZIPV1 file type

UEsDBAoAA: Zip archive data, at least v1.0 to extract
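As an added worked example (my own code, not from this thread, the Howto or SME Server), the Python below carries out the procedure quoted above end to end: it takes the first base64 line of a file the way the perl | head -1 command does, derives a shared prefix from several samples of one type, and then checks a message's base64 attachments by that prefix rather than by file name, which is the content-based detection janet describes in Reply #10. The zip sample bytes and the test message are constructed here, and the function names are my own.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

B64_LINE = 76  # MIME base64 line width: the first line encodes only the first 57 bytes of a file
# ISO 9660 keeps its "CD001" signature at byte 0x8001, far past those 57 bytes, so a first-line
# pattern for an .iso really describes its boot sector, which is why warren's results vary.

def first_b64_line(data: bytes) -> str:
    """First line of the MIME base64 encoding, i.e. what the Howto's perl ... | head -1 prints."""
    return base64.b64encode(data).decode("ascii")[:B64_LINE]

def common_pattern(samples, min_len=8):
    """Longest common prefix of the samples' first base64 lines, or None when it is shorter
    than min_len and would be too unspecific to use as a mailpattern."""
    prefix = first_b64_line(samples[0])
    for line in (first_b64_line(s) for s in samples[1:]):
        n = 0
        while n < min(len(prefix), len(line)) and prefix[n] == line[n]:
            n += 1
        prefix = prefix[:n]
    return prefix if len(prefix) >= min_len else None

def match_attachments(msg_bytes: bytes, patterns: dict) -> list:
    """(filename, pattern name) for each base64 part whose content starts with a pattern.
    The file name is never consulted, so a zip renamed to .txt is still reported."""
    hits = []
    for part in email.message_from_bytes(msg_bytes, policy=policy.default).walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        lines = part.get_payload().strip().splitlines()  # payload is still the encoded text
        for name, pat in patterns.items():
            if lines and lines[0].startswith(pat):
                hits.append((part.get_filename() or "", name))
    return hits

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message with one binary attachment (base64 is the default encoding)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed zip local-header starts (PK\x03\x04, "version needed" 1.0) that diverge after byte 6;
# their shared prefix reproduces the Howto's zipv1 pattern UEsDBAoAA.
ZIP_A = bytes.fromhex("504b03040a000100" "0000c04e") + b"\x00" * 48
ZIP_B = bytes.fromhex("504b03040a000000" "08001234") + b"\x00" * 48
ZIP_PATTERN = common_pattern([ZIP_A, ZIP_B])
```

Feeding the leading bytes of real .iso files to common_pattern gives either None or a boot-sector prefix, never an ISO 9660 signature, which is the limitation behind the mixed results in warren's table.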

Offline warren

Re: block iso email attachment
« Reply #13 on: May 24, 2019, 11:53:43 AM »
Just some observations on some file types i tested
Some files show a pattern in the magic number, others not  :?

Code:
File name                            magic found
boot.img                             6zyQU1lTTElOVVgAAgEBAAIQAEAL8AkAEgACAAAAAAAAAAAAAAApducAQCAgICAgICAgICAgRkFU
FreePBX-32bit-10.13.66_usb.img       61iQU1lTTElOVVgAAgAAAAAAAAAAAAAAIABAAAAAAAAAgD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DGN2000_V1.1.8.0.img                 EAACeQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
proxmox-ve_4.0-a7dc5694-9.iso        RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
proxmox-ve_4.4.iso                   RVIIAOsC//+QkJCQkJCQkJCQkJCQkJCQkJDrSSQSDwkAUr4bfDHAzRNGigyEyXUQvjl86HQB6T0B
ubuntu-18.04.1-desktop-amd64.iso     RVIIAAAAkJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
smeserver-9.2-x86_64.iso             M+36jtW8AHz7/GYx22YxyWZTZlEGV47djsVSvgB8vwAGuQAB86XqKwYAAFK0QbuqVTHJMPb5zRNy
smeserver-10.0.alpha3-x86_64.iso     M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O
super_grub2_disk_hybrid_2.00s2.iso   62OQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
kali-linux-1.0.6-amd64.iso           M+2QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJAz7fqO1bwAfPv8ZjHbZjHJZlNmUQZXjt2O

Offline janet

Re: block iso email attachment
« Reply #14 on: May 25, 2019, 01:44:48 AM »
warren

Good work
There was/is no guarantee that there is a common file magic.

"Just some observations on some file types i tested
Some files show a pattern in the magic number, others not  :?"


In that situation multiple patterns would have to be used eg isov1, isov2, isov3 etc
These 2 are possibilities:
M+2QkJCQk
RVIIAOsC/
or
RVIIA

Unfortunately I have not been able to test any iso's recently as I have been rather busy this week.


The original reporter SchulzStefan could always monitor the iso's etc. that he receives & create patterns from those.
While they may not work appropriately for everyone as common patterns, they would work on his own SME server system quite well, as he wants to block all iso's, so he could just keep adding patterns for every iso file he receives.
« Last Edit: May 25, 2019, 02:07:05 AM by janet »