Re: block exe and other attachments
Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine as some we are receiving are actually legit attachments.
On 16 Sep 2013, at 15:39, Noel Jones wrote:
> On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:
>> Postfix config
>> postconf -n
>> smtpd_recipient_restrictions =
>>     permit_mynetworks,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain,
>>     reject_unauth_pipelining,
>>     reject_unauth_destination,
>>     reject_rbl_client bl.spamcop.net,
>>     reject_rbl_client ix.dnsbl.manitu.net,
>>     reject_rbl_client dul.dnsbl.sorbs.net,
>>     reject_rbl_client smtp.dnsbl.sorbs.net,
>>     reject_rbl_client web.dnsbl.sorbs.net,
>>     reject_rbl_client nomail.rhsbl.sorbs.net,
>>     reject_rbl_client http.dnsbl.sorbs.net,
>>     reject_rbl_client pbl.spamhaus.org,
>>     reject_rbl_client psbl.surriel.com,
>>     reject_rbl_client zombie.dnsbl.sorbs.net,
>>     whitelist_policy,
>>     permit
> I'm wondering the purpose of "whitelist_policy, permit". That's far
> too late in processing for a whitelist.
>> cat mime_header_checks
>> /name=[^>]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT
> Your expression is broken.
> There's an excellent example on the header_checks(5) man page. Note
> this is PCRE and not regexp.
> REJECT Attachment name "$2" may not end with ".$4"
> If this expression doesn't catch something you think it should, show
> the mime headers of the offending message.
> -- Noel Jones
At least if they are quarantined, I have the option to release.
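The corrected header check, as an added example that is not part of the thread. It follows the shape of the header_checks(5) man page pattern Noel points to (written out here from memory, not copied from the page) with the extension list from Rowland's table, and runs both Rowland's posted expression and the corrected one over constructed header lines, with Python's re module standing in for Postfix's pcre: table. SAMPLE_HEADERS, broken_rejects, fixed_action and compare are names chosen for this example; the header lines are made up.

```python
"""Added example: why the posted mime_header_checks expression is broken, and a
corrected one, checked offline against constructed MIME header lines."""
import re

# Extensions from Rowland's posted table; extend the list for your site.
BLOCKED_EXT = r"scr|pif|bat|exe|dll|vbs"

# Rowland's posted expression. Nothing anchors the end of the extension, so a
# name that merely contains ".bat" or ".exe" is rejected, and only a literal
# dot is recognised, so a name with the dot Q-encoded as =2E slips through.
BROKEN = re.compile(r"name=[^>]*\.(" + BLOCKED_EXT + r")", re.IGNORECASE)

# Corrected expression, modelled on the header_checks(5) example (reproduced
# from memory, not copied). In a Postfix pcre: table it is written on one line
# ending in /x, with the action  REJECT Attachment name "$2" may not end with ".$4"
# Postfix pcre tables are case-insensitive by default; IGNORECASE mirrors that.
FIXED = re.compile(
    r'''^Content-(Disposition|Type).*   # $1: the header that carries the name
        name\s*=\s*"?                   # "name=" or "filename=", optional quote
        (.*(\.|=2E)(''' + BLOCKED_EXT + r'''))   # $2: name, $3: dot, $4: extension
        (\?=)?"?\s*(;|$)                # then only ?= (encoded word), quote, ; or end
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def broken_rejects(header: str) -> bool:
    """True if Rowland's posted expression would REJECT this logical header."""
    return BROKEN.search(header) is not None


def fixed_action(header: str):
    """Reject text the corrected pattern produces for a header, or None if it passes."""
    m = FIXED.search(header)
    if m is None:
        return None
    return 'REJECT Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(4))


# Constructed sample headers, as Postfix hands them to header_checks: one
# logical line per header, folded continuation lines already joined.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="invoice.exe"',          # plain
    'Content-Type: application/octet-stream; name="Setup.SCR"',          # upper case
    'Content-Type: application/pdf; name="report.pdf.exe"',              # double extension
    'Content-Disposition: attachment; filename="=?utf-8?q?payroll=2Eexe?="',  # dot Q-encoded
    'Content-Disposition: attachment; filename="annual.batch.csv"',      # legit, contains .bat
    'Content-Disposition: attachment; filename="notes.exercise.txt"',    # legit, contains .exe
    'Content-Disposition: attachment; filename=photo.jpg',               # legit, unquoted
]


def compare(headers=SAMPLE_HEADERS):
    """Map each header to (broken_rejects, fixed_action) for side-by-side review."""
    return {h: (broken_rejects(h), fixed_action(h)) for h in headers}


if __name__ == "__main__":
    for header, (broken, fixed) in compare().items():
        print(header)
        print("  posted expression :", "REJECT" if broken else "pass")
        print("  corrected pattern :", fixed or "pass")
```

On a real server the equivalent check is `postmap -q 'Content-Disposition: attachment; filename="invoice.exe"' pcre:/etc/postfix/mime_header_checks`, which prints the action the table returns. Two limits worth knowing before relying on it: the pattern keys on `name=` and so does not see RFC 2231 `filename*=` parameters, and header checks never look inside archives, which is the part a content filter such as MailScanner still has to cover.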
On 9/17/2013 5:08 AM, Rowland Onobrauche wrote:
> Thanks to all that contributed to a possible resolution. I have decided to allow the attachments and leave them to mailscanner to filter/quarantine as some we are receiving are actually legit attachments.
> At least if they are quarantined, I have the option to release.
Have you ever been unable to see the forest because the trees are
blocking your view of it?
Those unwanted attachments are a symptom of your problem, not the
problem itself. They are the trees blocking your view of the forest.
The forest here is bot spam. Snowshoe spammers don't typically send
malware attachments. You may also see this come from compromised hosts
or webmail accounts.
To stop the bot spam you need to use one of
1. Postscreen - requires Postfix 2.8 or later
2. A greylisting policy daemon such as postgrey for your Postfix 2.6.6.
Google will give you information on all of these. After reading up,
pick your poison. Mailscanner may do the job, but the above will do so
without wasting machine resources (queue bandwidth, CPU time, RAM, etc).
And don't forget, Mailscanner is not supported by Postfix, as it breaks
API rules and acts directly on the queue.
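The two options above, written out as an added configuration example that is not part of the thread and not taken from any Postfix documentation verbatim. The master.cf lines follow the documented way of putting postscreen in front of port 25 on Postfix 2.8 or later; the DNSBL choice, the weights, the threshold and the postgrey port 10023 are assumptions to be tuned for your own traffic, and everything here should be checked against postscreen(8) and POSTSCREEN_README for the version you run.

```text
# ---- Option 1: postscreen (Postfix 2.8 or later) ----
# master.cf: hand port 25 to postscreen; it answers bots itself and only
# passes clients that behave on to a real smtpd.  Before:
#smtp      inet  n       -       n       -       -       smtpd
# After:
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# main.cf: do the DNSBL work in postscreen, before any smtpd process (and
# before any content filter) spends memory and CPU on the connection.
postscreen_access_list      = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_greet_action     = enforce      # clients that talk before the banner
postscreen_dnsbl_threshold  = 2            # assumed; sum of weights needed to reject
postscreen_dnsbl_action     = enforce
postscreen_dnsbl_sites      = zen.spamhaus.org*2
                              bl.spamcop.net*1
                              psbl.surriel.com*1
                              dul.dnsbl.sorbs.net*1
# The "after 220" tests (pipelining, non_smtp_command, bare_newline) are off
# by default and temporarily reject legitimate senders on first contact;
# leave them off until the log shows postscreen is behaving.

# ---- Option 2: greylisting policy daemon, for the poster's Postfix 2.6.6 ----
# main.cf: postgrey as a policy service, placed after reject_unauth_destination
# so only mail you would actually accept gets greylisted (port is postgrey's
# usual default; assumed here).
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:10023
```

Either option applies to port 25 only; a submission service on 587 keeps its own `smtpd` line in master.cf and is unaffected. With postscreen in place the long list of `reject_rbl_client` entries in the poster's smtpd_recipient_restrictions becomes redundant for port 25, since postscreen has already scored and dropped the listed clients before smtpd sees them.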