
Re: block exe and other attachments

  • Wijatmoko U. Prayitno
    Message 1 of 18 , Sep 16, 2013
      On Mon, 16 Sep 2013 19:05:44 +0700
      "Wijatmoko U. Prayitno" <koko@...> wrote:

      > /^s*Content­(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
      >
      Revision of the above pattern..

      /^s*Content­.(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected

      Here is the log..

      Sep 16 19:59:10 mail postfix/cleanup[30773]: 52A22258253: reject: header Content-Type: application/x-msdos-program;? name="find.exe" from subdomain.domain.com [A.B.C.D]; from=<test@...> to=<test@...> proto=ESMTP helo=<subdomain.domain.com>: 5.7.1 Files attached to emails that contain or end in "exe" are prohibited on this server as they may contain viruses. The file named "find.exe" was rejected

      --
      WUP
    • Leonardo Rodrigues
      Message 2 of 18 , Sep 16, 2013
        On 16/09/13 08:41, Rowland Onobrauche wrote:
        >
        > cat mime_header_checks
        > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
        >
        >

        Rules catch what they were written to catch, which is not the same
        thing as what you expect them to catch. If it's not catching what you
        want it to, that's because the rule is incorrect/incomplete.

        As already stated by others, there are rules that are much more
        complete, match other kinds of file attachments and are much more
        effective than yours.

        I have struggled for quite a long time trying to reach the 'perfect'
        PCRE expression for that until I gave up and let amavis do that. It's
        simply easier and much more reliable/effective to do that in some piece
        of software that 'understands' the MIME complication instead of doing
        it in postfix, which doesn't.




        --


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAMTRAP, do NOT email it
        gertrudes@...
      • Viktor Dukhovni
        Message 3 of 18 , Sep 16, 2013
          On Mon, Sep 16, 2013 at 07:05:44PM +0700, Wijatmoko U. Prayitno wrote:

          > Try..
          >
          > /^s*Content?(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected

          The above is broken, DO NOT use this.

          --
          Viktor.
        • Noel Jones
          Message 4 of 18 , Sep 16, 2013
            On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:

            >
            > Postfix config
            >
            > postconf -n
            > smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit


            I'm wondering the purpose of "whitelist_policy, permit". That's far
            too late in processing for a whitelist.


            >
            > cat mime_header_checks
            > /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT

            Your expression is broken.

            There's an excellent example on the header_checks(5) man page. Note
            this is PCRE and not regexp.
            http://www.postfix.org/header_checks.5.html

            /etc/postfix/header_checks.pcre:
            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
            ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
            hlp|ht[at]|
            inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
            \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
            ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
            vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
            REJECT Attachment name "$2" may not end with ".$4"


            If this expression doesn't catch something you think it should, show
            the mime headers of the offending message.



            -- Noel Jones
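To see what each of the two patterns in this thread actually catches, here is an added Python script (not from the thread, the man page or Postfix) that runs both over a few constructed MIME header lines. It transcribes the man-page pattern for Python's re module, where POSIX `[[:xdigit:]]` has to be spelled `[0-9A-Fa-f]`, and assumes the Postfix pcre table defaults (case-insensitive matching, `/x` as `re.VERBOSE`).

```python
import re

# header_checks(5) man-page pattern as quoted above, transcribed for Python's
# re module: POSIX [[:xdigit:]] (unsupported by re) is spelled [0-9A-Fa-f],
# the pcre /x flag is re.VERBOSE, and re.IGNORECASE mirrors the Postfix pcre
# table default of case-insensitive matching.
MANPAGE_PATTERN = re.compile(r"""
^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
  ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
  hlp|ht[at]|
  inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
  \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
  ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
  vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)
""", re.VERBOSE | re.IGNORECASE)

# The one-liner from the start of the thread: no anchor at either end.
NAIVE_PATTERN = re.compile(r"name=[^>]*\.(scr|pif|bat|exe|dll|vbs)", re.IGNORECASE)


def manpage_verdict(header):
    """Check one logical MIME header line (continuations already unfolded,
    which is how Postfix presents headers to mime_header_checks).  Returns
    the man page's REJECT text with $2/$4 filled in, or None if it passes."""
    m = MANPAGE_PATTERN.search(header)
    if m is None:
        return None
    return 'REJECT Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(4))


def naive_verdict(header):
    """Same check with the one-liner, which only captures the extension."""
    m = NAIVE_PATTERN.search(header)
    return None if m is None else "REJECT (matched .%s)" % m.group(1)


# Constructed sample headers (not taken from the thread): a plain .exe, a PDF
# whose name merely contains ".exe", an RFC 2047 Q-encoded name where the dot
# is "=2E", and a harmless text part.
SAMPLES = [
    'Content-Type: application/x-msdos-program; name="find.exe"',
    'Content-Disposition: attachment; filename="report.exe.pdf"',
    'Content-Type: application/octet-stream; name="=?us-ascii?Q?invoice=2Eexe?="',
    'Content-Type: text/plain; charset=us-ascii',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h)
        print("   man page :", manpage_verdict(h))
        print("   one-liner:", naive_verdict(h))
```

The one-liner rejects the PDF (it stops at the first ".exe" it finds) and passes the Q-encoded name, while the man-page pattern requires the extension to be the last thing before the closing quote, `;` or end of line and knows about `=2E`.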
          • Rowland Onobrauche
            Message 5 of 18 , Sep 16, 2013
              On 16 Sep 2013, at 15:39, Noel Jones wrote:

              > On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
              >
              >>
              >> Postfix config
              >>
              >> postconf -n
              >> smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
              >
              >
              > I'm wondering the purpose of "whitelist_policy, permit". That's far
              > too late in processing for a whitelist.
              >
              >
              >>
              >> cat mime_header_checks
              >> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
              >
              > Your expression is broken.
              >
              > There's an excellent example on the header_checks(5) man page. Note
              > this is PCRE and not regexp.
              > http://www.postfix.org/header_checks.5.html
              >
              > /etc/postfix/header_checks.pcre:
              > /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
              > ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
              > hlp|ht[at]|
              > inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
              > \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
              > ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
              > vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
              > REJECT Attachment name "$2" may not end with ".$4"
              >
              >
              > If this expression doesn't catch something you think it should, show
              > the mime headers of the offending message.
              >
              >
              >
              > -- Noel Jones
              Ok, cheers Noel. I have not tried the PCRE yet. And regarding the whitelist_policy - disregard it... it does not do what it sounds like it should.
            • Rowland Onobrauche
              Message 6 of 18 , Sep 16, 2013
                On 16 Sep 2013, at 14:03, Wijatmoko U. Prayitno wrote:

                > On Mon, 16 Sep 2013 19:05:44 +0700
                > "Wijatmoko U. Prayitno" <koko@...> wrote:
                >
                >> /^s*Content­(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
                >>
                > Revision the above pattern..
                >
                > /^s*Content­.(Disposition|Type).*names*=s*"?(.+.(scr|pif|bat|exe|dll|vbs))"?s*$/ REJECT Files attached to emails that contain or end in "$3" are prohibited on this server as they may contain viruses. The file named "$2" was rejected
                >
                > Here the log..
                >
                > Sep 16 19:59:10 mail postfix/cleanup[30773]: 52A22258253: reject: header Content-Type: application/x-msdos-program;? name="find.exe" from subdomain.domain.com [A.B.C.D]; from=<test@...> to=<test@...> proto=ESMTP helo=<subdomain.domain.com>: 5.7.1 Files attached to emails that contain or end in "exe" are prohibited on this server as they may contain viruses. The file named "find.exe" was rejected
                >
                > --
                > WUP


                thanks. i will try this out...
              • Rowland Onobrauche
                Message 7 of 18 , Sep 17, 2013
                  On 16 Sep 2013, at 15:39, Noel Jones wrote:

                  > On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
                  >
                  >>
                  >> Postfix config
                  >>
                  >> postconf -n
                  >> smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
                  >
                  >
                  > I'm wondering the purpose of "whitelist_policy, permit". That's far
                  > too late in processing for a whitelist.
                  >
                  >
                  >>
                  >> cat mime_header_checks
                  >> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
                  >
                  > Your expression is broken.
                  >
                  > There's an excellent example on the header_checks(5) man page. Note
                  > this is PCRE and not regexp.
                  > http://www.postfix.org/header_checks.5.html
                  >
                  > /etc/postfix/header_checks.pcre:
                  > /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
                  > ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
                  > hlp|ht[at]|
                  > inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
                  > \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
                  > ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
                  > vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
                  > REJECT Attachment name "$2" may not end with ".$4"
                  >
                  >
                  > If this expression doesn't catch something you think it should, show
                  > the mime headers of the offending message.
                  >
                  >
                  >
                  > -- Noel Jones


                  Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine, as some we are receiving are actually legit attachments.
                  At least if they are quarantined, I have the option to release.


                  thanks
                • Stan Hoeppner
                  Message 8 of 18 , Sep 17, 2013
                    On 9/17/2013 5:08 AM, Rowland Onobrauche wrote:
                    ...
                    > Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine as some we are receiving are actually legit attachments.
                    > At least if they are quarantined, i have the option to release.

                    Have you ever been unable to see the forest because the trees are
                    blocking your view of it?

                    Those unwanted attachments are a symptom of your problem, not the
                    problem itself. They are the trees blocking your view of the forest.

                    The forest here is bot spam. Snowshoe spammers don't typically send
                    malware attachments. You may also see this come from compromised hosts
                    or webmail accounts.

                    To stop the bot spam you need to use one of

                    1. Postscreen - requires Postfix 2.8 or later
                    2. A greylisting policy daemon such as postgrey for your Postfix 2.6.6.
                    3. fqrdns.pcre

                    Google will give you information on all of these. After reading up,
                    pick your poison. Mailscanner may do the job, but the above will do so
                    without wasting machine resources (queue bandwidth, CPU time, RAM, etc).
                    And don't forget, Mailscanner is not supported by Postfix, as it breaks
                    API rules and acts directly on the queue.

                    --
                    Stan