
Re: block exe and other attachments

  • Rowland Onobrauche
    Message 1 of 18, Sep 17, 2013
      On 16 Sep 2013, at 15:39, Noel Jones wrote:

      > On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
      >
      >>
      >> Postfix config
      >>
      >> postconf -n
      >> smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client nomail.rhsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client pbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client zombie.dnsbl.sorbs.net, whitelist_policy, permit
      >
      >
      > I'm wondering the purpose of "whitelist_policy, permit". That's far
      > too late in processing for a whitelist.
      >
      >
      >>
      >> cat mime_header_checks
      >> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
      >
      > Your expression is broken.
      >
      > There's an excellent example on the header_checks(5) man page. Note
      > this is PCRE and not regexp.
      > http://www.postfix.org/header_checks.5.html
      >
      > /etc/postfix/header_checks.pcre:
      >     /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
      >         ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
      >         hlp|ht[at]|
      >         inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
      >         \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
      >         ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
      >         vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
      >             REJECT Attachment name "$2" may not end with ".$4"
      >
      >
      > If this expression doesn't catch something you think it should, show
      > the mime headers of the offending message.
      >
      >
      >
      > -- Noel Jones


      Thanks to all who contributed to a possible resolution. I have decided to allow the attachments and leave them to MailScanner to filter/quarantine, as some we are receiving are actually legitimate attachments.
      At least if they are quarantined, I have the option to release them.


      thanks
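As an added illustration (not code from the thread, the original poster, or the Postfix project), the Python harness below runs both the poster's `mime_header_checks` pattern and the header_checks(5) example over a handful of constructed MIME header lines, emulating how Postfix applies a pcre table entry to an unfolded header. The man page pattern is adapted for Python's `re` module: Python has no POSIX `[[:xdigit:]]` class, so `[0-9a-fA-F]` stands in for it, the `/x` flag becomes `re.X`, and the case-insensitive default of Postfix pcre tables becomes `re.I`. The sample headers, including the `=2E`-encoded dot and the CLSID-style name, are constructed for this example.

```python
import re

# The pattern the original poster had in mime_header_checks, as quoted in
# the thread. Postfix pcre tables match case-insensitively by default.
OP_PATTERN = re.compile(r'name=[^>]*\.(scr|pif|bat|exe|dll|vbs)', re.I)

# The header_checks(5) example, adapted for Python's re module (assumption:
# [0-9a-fA-F] replaces POSIX [[:xdigit:]]; /x -> re.X; Postfix default -> re.I).
MANPAGE_PATTERN = re.compile(r'''
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
        ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
        hlp|ht[at]|
        inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
        \{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}|
        ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
        vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)
''', re.I | re.X)

# Constructed sample headers, each already unfolded onto one line the way
# Postfix presents a header to header_checks. None of these come from the thread.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Disposition: attachment; filename=payroll.xls.exe',
    'Content-Disposition: attachment; filename="report.executive.pdf"',
    'Content-Type: application/octet-stream; name="=?ISO-8859-1?Q?setup=2Eexe?="',
    'Content-Disposition: attachment; filename="photo.jpg.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"',
    'Content-Disposition: attachment; filename="notes.txt"',
]


def rejects(pattern, header):
    """True if a header_checks entry with this pattern would fire (REJECT).

    Postfix applies the pattern unanchored unless it starts with ^, which is
    search() semantics.
    """
    return pattern.search(header) is not None


def compare(headers=SAMPLE_HEADERS):
    """Map each header to (op_pattern_rejects, manpage_pattern_rejects)."""
    return {h: (rejects(OP_PATTERN, h), rejects(MANPAGE_PATTERN, h)) for h in headers}


def attachment_verdict(header):
    """Reproduce the man page's REJECT text from its $2 and $4 captures.

    $2 is the whole attachment name, $4 the offending extension (the inner
    (?:...) group in the CLSID branch is non-capturing, so numbering holds).
    """
    m = MANPAGE_PATTERN.search(header)
    if m is None:
        return None
    return 'Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(4))


if __name__ == "__main__":
    print("OP    man   header")
    for header, (op, man) in compare().items():
        print("%-5s %-5s %s" % (op, man, header))
```

Two rows make the point: `report.executive.pdf` is rejected by the poster's pattern (nothing after `\.(exe)` constrains what follows, so `.exe` inside `.executive` matches) but passes the man page pattern, while the `=2E`-encoded name and the `{CLSID}` name slip past the poster's pattern and are caught by the man page one. A real deployment still tests the table with `postmap -q "<header line>" pcre:/etc/postfix/header_checks.pcre` rather than a Python emulation, since the two regex engines are not identical.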
    • Stan Hoeppner
      Message 2 of 18, Sep 17, 2013
        On 9/17/2013 5:08 AM, Rowland Onobrauche wrote:
        ...
        > Thanks to all who contributed to a possible resolution. I have decided to allow the attachments and leave them to MailScanner to filter/quarantine, as some we are receiving are actually legitimate attachments.
        > At least if they are quarantined, I have the option to release them.

        Have you ever been unable to see the forest because the trees are
        blocking your view of it?

        Those unwanted attachments are a symptom of your problem, not the
        problem itself. They are the trees blocking your view of the forest.

        The forest here is bot spam. Snowshoe spammers don't typically send
        malware attachments. You may also see this come from compromised hosts
        or webmail accounts.

        To stop the bot spam you need to use one of

        1. Postscreen - requires Postfix 2.8 or later
        2. A greylisting policy daemon such as postgrey for your Postfix 2.6.6.
        3. fqrdns.pcre

        Google will give you information on all of these. After reading up,
        pick your poison. Mailscanner may do the job, but the above will do so
        without wasting machine resources (queue bandwidth, CPU time, RAM, etc).
        And don't forget, Mailscanner is not supported by Postfix, as it breaks
        API rules and acts directly on the queue.

        --
        Stan
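As an added example of the first option Stan lists (this fragment is not part of his message), here is a minimal postscreen setup for Postfix 2.8 or later, using the parameter and service names documented in POSTSCREEN_README. The DNSBLs are those already present in the original poster's `smtpd_recipient_restrictions` plus `zen.spamhaus.org`; the weights, the threshold and the `postscreen_access.cidr` path are assumptions to be tuned locally.

```text
/etc/postfix/main.cf:
    # Reject clients that talk before the delayed greeting, a classic bot tell.
    postscreen_greet_action = enforce

    # Weighted DNSBL scoring; a client at or above the threshold is rejected
    # once per client rather than once per recipient in smtpd.
    postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.spamcop.net*1,
        dul.dnsbl.sorbs.net*1
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_action = enforce

    # Local allow/deny list consulted before any test runs (assumed path).
    postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
    postscreen_blacklist_action = drop

/etc/postfix/master.cf:
    # postscreen takes over port 25; smtpd is reached through a "pass" service.
    smtp      inet  n       -       n       -       1       postscreen
    smtpd     pass  -       -       n       -       -       smtpd
    dnsblog   unix  -       -       n       -       0       dnsblog
    tlsproxy  unix  -       -       n       -       0       tlsproxy
```

`enforce` rejects the client with a 550 but still logs HELO, sender and recipient, which is useful while tuning; `drop` disconnects immediately. Because postscreen caches its verdicts (`postscreen_cache_map`), a client that passes is not re-tested on every connection, which is the resource saving Stan refers to compared with running every `reject_rbl_client` lookup inside smtpd for each recipient. The parameter `postscreen_blacklist_action` was renamed `postscreen_denylist_action` in Postfix 3.6; the old name still works.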