
Block attachments based on file extension #5076

Open
KiwiActinidia opened this issue Feb 18, 2023 · 17 comments

Comments

@KiwiActinidia

Summary

I'm requesting to add to "Global filter maps" a new map to block some file extensions. Actually, I added this rule to the rspamd multimap.conf file:

BAD_FILE_EXT {
  type = "filename";
  filter = "extension";
  map = "${LOCAL_CONFDIR}/custom/bad_file_ext.map";
  symbol = "FILENAME_BLACKLISTED";
  action = "reject";
}

Motivation

Sometimes a phishing attack is based on opening the file attached to the email. The file extension is .ISO, .IMG, .ARJ, .LZH, .R01, .R02, .001 but also .REG, .EXE, .JS and many others. If an email has a file with one of these extensions, I want to reject it. No virus check, simply reject it.
Now, to update this file, I must log in to my server console.
The rule can also be used to block some files for policy reasons.

Many thanks
Alessandro

Additional context

No response
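The check the issue asks for, as an added Python example that is not code from the thread, from mailcow or from rspamd: walk every MIME part of a message, take the attachment filename, compare its last extension (lower-cased, so `Invoice.EXE` is caught) against a blocklist, and open zip archives to check their members as well, since a blocked extension is easily hidden inside one. The blocklist, the sample message and the helper names are all constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed blocklist: a subset of the extensions named in the issue, lower-cased.
# A real deployment would load this from a map file such as bad_file_ext.map.
BLOCKED_EXTENSIONS = {
    "iso", "img", "arj", "lzh", "r01", "r02", "001", "reg", "exe", "js",
}


def extension_of(filename: str) -> str:
    """Return the final extension of a filename, lower-cased, without the dot.

    Only the last component counts, so "invoice.pdf.exe" yields "exe" and
    "archive.001" yields "001"; a name with no dot yields "".
    """
    # strip any directory part that an archive member (or a hostile sender) carries
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def find_blocked_attachments(raw_message: bytes) -> list:
    """Report attachments whose extension is on the blocklist.

    Zip archives are opened and their members checked too; a member hit is
    reported as "archive.zip:member".
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if not filename:
            continue
        if extension_of(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
        payload = part.get_payload(decode=True) or b""
        # Detect zip by its magic bytes, not by the name, so a renamed archive is still opened
        if payload[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if extension_of(member) in BLOCKED_EXTENSIONS:
                            hits.append(f"{filename}:{member}")
            except zipfile.BadZipFile:
                pass  # truncated or fake archive: nothing to inspect
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: a harmless PDF, an executable with an
    upper-case extension, and a zip archive containing a .js file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.EXE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("update.js", "constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_blocked_attachments(build_sample_message()))
```

Running the script prints `['Invoice.EXE', 'docs.zip:update.js']`: the PDF passes, the executable is caught despite its upper-case extension, and the script inside the archive is caught through the archive. The same walk is what a milter or a pre-queue filter would run before deciding to reject.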

@master2die

master2die commented Feb 20, 2023

I think the right approach would be a filter in Sieve. This filter could also be adjusted more precisely. Rspamd seems to me to be a possible approach here, which however generalizes strongly, so I recommend that you have a closer look at the filters in Sieve.

edit: try this. I added some kind of reject message, so "honest" senders will know precisely why it was rejected.

require ["reject", "mime"];

# The "mime" extension (RFC 5703) lets the header test see the Content-Disposition
# of every MIME part instead of only the top-level headers, and :param "filename"
# with :matches makes "*.iso" a real wildcard (with :contains the "*" is literal).
if header :mime :anychild :param "filename" :matches "Content-Disposition"
   ["*.iso", "*.img", "*.arj", "*.lzh", "*.r01", "*.r02", "*.001", "*.reg", "*.exe", "*.js"] {
  reject "bad file extension CUSTOMIZE THIS REJECTION MESSAGE";
}

Let me know if this worked for you :)

@KiwiActinidia

I have about 200 email addresses used only for work contacts.
I found it simpler to use rspamd. Rspamd also searches inside zip files.
If we receive an .EXE, no question: deny it. Also .ISO, .IMG and many other infrequent extensions are used for malware. I scan only common extensions like xls, doc and pdf. Actually, the first problem is documents with macros.
My suggested filter is another choice: if empty, do nothing. It's like the ASN or bad words filter.
My list currently contains about 200 denied extensions.

Thanks
Alessandro

@philipp-s06

I used the template prefilter for the list of blocked attachments and customized it.

require ["body", "regex", "reject"];

# Caution: inside a Sieve string "\." is just "." (RFC 5228 section 2.4.2), and with
# :raw the ".*" runs across the rest of the body, base64 data included, so these
# patterns match far more than the attachment's own extension.
if anyof (body :raw :regex ["filename=.*\.doc","filename=.*\.docx","filename=.*\.docm","filename=.*\.xls","filename=.*\.xlsx","filename=.*\.xlsm","filename=.*\.mp3","filename=.*\.avi","filename=.*\.mov","filename=.*\.wav","filename=.*\.iso","filename=.*\.img","filename=.*\.gif","filename=.*\.png","filename=.*\.jpg","filename=.*\.jpeg","filename=.*\.scr","filename=.*\.vbs","filename=.*\.bat","filename=.*\.sh","filename=.*\.bash","filename=.*\.cmd","filename=.*\.apk","filename=.*\.com","filename=.*\.msi","filename=.*\.vbr","filename=.*\.ws","filename=.*\.wsf","filename=.*\.scf","filename=.*\.exe"]) {
  reject text:
my reject text :)
.
;
}

But with this filter it blocks EVERY mail with EVERY file extension. What is wrong with this filter? Please help :(
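Why a pattern such as `filename=.*\.sh` fires on nearly every message, as an added Python demonstration that is not code from the thread or from Pigeonhole: it applies the Sieve quoted-string unescaping rule (an undefined escape like `\.` loses its backslash) and then searches the raw body the way a POSIX regex compiled without REG_NEWLINE would, with `.` matching newlines, against a constructed PDF-only body and a constructed shell-script body. The anchored pattern is an assumed alternative written in Python regex syntax; the sample bodies and all function names are constructed for this example.

```python
import re

# Constructed raw MIME body (not from the thread) carrying one harmless PDF.
# Like most base64 data, the encoded line happens to contain the letters "sh".
PDF_ONLY_BODY = (
    '--b1\r\n'
    'Content-Type: application/pdf; name="report.pdf"\r\n'
    'Content-Disposition: attachment; filename="report.pdf"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    '\r\n'
    'JVBERi0xLjQKJcfsj6IKNSAwIG9iago8PC9MZW5ndGggNiAwIFIvRmlsdGVyIC9GbGF0ZURlY29kZT4+shAo\r\n'
    '--b1--\r\n'
)

# Same layout, but the attachment really is a shell script.
SCRIPT_BODY = PDF_ONLY_BODY.replace("report.pdf", "run.sh")

# Patterns exactly as typed inside the Sieve string literals in the thread
NAIVE_SIEVE_PATTERNS = [r"filename=.*\.sh", r"filename=.*\.exe", r"filename=.*\.ws"]

# Assumed anchored alternative (Python syntax; in a Sieve string every backslash is
# doubled and \s becomes [[:space:]]): the extension must be the filename's own and
# the filename must end right after it (closing quote, semicolon or whitespace).
ANCHORED_PATTERN = r'filename="?[^";\s]*\.(sh|exe|ws)(?=["\s;]|$)'


def unescape_sieve_string(s: str) -> str:
    # RFC 5228 section 2.4.2: a backslash followed by a backslash or a double quote
    # yields that character; a backslash before any other character is dropped, so
    # the backslash-dot the authors typed reaches the regex engine as a bare dot.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def body_raw_regex(sieve_pattern: str, raw_body: str) -> bool:
    """Approximate 'body :raw :regex': unescape the Sieve string, then match
    case-insensitively (the default i;ascii-casemap comparator) with '.' also
    matching newlines, as a POSIX ERE compiled without REG_NEWLINE does."""
    regex = unescape_sieve_string(sieve_pattern)
    return re.search(regex, raw_body, re.DOTALL | re.IGNORECASE) is not None


def naive_blocks(raw_body: str) -> bool:
    """anyof(...) over the naive patterns from the thread."""
    return any(body_raw_regex(p, raw_body) for p in NAIVE_SIEVE_PATTERNS)


def anchored_blocks(raw_body: str) -> bool:
    """The same decision with the anchored pattern."""
    return re.search(ANCHORED_PATTERN, raw_body, re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, body in (("pdf only", PDF_ONLY_BODY), ("shell script", SCRIPT_BODY)):
        print(f"{label}: naive={naive_blocks(body)} anchored={anchored_blocks(body)}")
```

The PDF-only body is blocked by the naive patterns (the unescaped `filename=.*.sh` finds `+sh` inside the base64 data) and passed by the anchored one; the shell-script body is blocked by both. That is the difference between "blocks EVERY mail" and blocking the extension you meant.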

@philipp-s06

> I think the right approach would be a filter in Sieve. This filter could also be adjusted more precisely. Rspamd seems to me to be a possible approach here, which however generalizes strongly, so I recommend that you have a closer look at the filters in Sieve.
>
> edit: try this. I added some kind of reject message, so "honest" senders will know precisely why it was rejected.
>
> require ["reject", "mime"];
>
> # The "mime" extension (RFC 5703) lets the header test see the Content-Disposition
> # of every MIME part instead of only the top-level headers, and :param "filename"
> # with :matches makes "*.iso" a real wildcard (with :contains the "*" is literal).
> if header :mime :anychild :param "filename" :matches "Content-Disposition"
>    ["*.iso", "*.img", "*.arj", "*.lzh", "*.r01", "*.r02", "*.001", "*.reg", "*.exe", "*.js"] {
>   reject "bad file extension CUSTOMIZE THIS REJECTION MESSAGE";
> }
>
> Let me know if this worked for you :)

This filter doesn't work for me.

@81packet

81packet commented Jun 5, 2023

> I used the template prefilter for the list of blocked attachments and customized it.
>
> require ["body", "regex", "reject"];
>
> # Caution: inside a Sieve string "\." is just "." (RFC 5228 section 2.4.2), and with
> # :raw the ".*" runs across the rest of the body, base64 data included, so these
> # patterns match far more than the attachment's own extension.
> if anyof (body :raw :regex ["filename=.*\.doc","filename=.*\.docx","filename=.*\.docm","filename=.*\.xls","filename=.*\.xlsx","filename=.*\.xlsm","filename=.*\.mp3","filename=.*\.avi","filename=.*\.mov","filename=.*\.wav","filename=.*\.iso","filename=.*\.img","filename=.*\.gif","filename=.*\.png","filename=.*\.jpg","filename=.*\.jpeg","filename=.*\.scr","filename=.*\.vbs","filename=.*\.bat","filename=.*\.sh","filename=.*\.bash","filename=.*\.cmd","filename=.*\.apk","filename=.*\.com","filename=.*\.msi","filename=.*\.vbr","filename=.*\.ws","filename=.*\.wsf","filename=.*\.scf","filename=.*\.exe"]) {
>   reject text:
> my reject text :)
> .
> ;
> }
>
> But with this filter it blocks EVERY mail with EVERY file extension. What is wrong with this filter? Please help :(

Did you manage to solve the problem of blocking all attachments? Full reinstall didn't help. (I thought the problem was that I broke the configuration file somewhere)

@philipp-s06

> Did you manage to solve the problem of blocking all attachments?

Unfortunately not. I don't have any more ideas. I hope someone can help with that problem.

@81packet

81packet commented Jun 9, 2023

> Did you manage to solve the problem of blocking all attachments?
>
> Unfortunately not. I don't have any more ideas. I hope someone can help with that problem.

As an option:

require ["body", "regex"];
# First filter: keep mails with the needed extensions and stop processing
if anyof (body :raw :regex ["filename=.*\\.pdf","filename=.*\\.doc","filename=.*\\.xls","filename=.*\\.gif","filename=.*\\.docx","filename=.*\\.xlsx"]) {
  keep; stop;
}
# Second filter: send mails with unwanted extensions to the desired mailbox
if anyof (body :raw :regex ["filename=.*\\.gz","filename=.*\\.exe","filename=.*\\.js","filename=.*\\.zip","filename=.*\\.rar","filename=.*\\.7z"]) {
  redirect "blocked@domain.com";
}

You just need to write it down correctly or bring it to mind. Split it into two filters, so that one skips the necessary attachments and the second blocks.

@81packet

81packet commented Jun 10, 2023

> Did you manage to solve the problem of blocking all attachments?
>
> Unfortunately not. I don't have any more ideas. I hope someone can help with that problem.

Friends! After long and exhausting attempts, I found a solution to the problem:

require ["fileinto","reject","body","regex","notify"];
# Backslashes are doubled so that "\." reaches the regex engine as an escaped dot
if anyof (body :raw :regex "filename=.*\\.rar",
          body :raw :regex "filename=.*\\.zip",
          body :raw :regex "filename=.*\\.7z",
          body :raw :regex "filename=.*\\.exe",
          body :raw :regex "filename=.*\\.moo")
{
  if not anyof (body :raw :regex "filename=.*\\.(jpg|jpeg|pdf|doc)")
  {
    redirect "blocked@domain.com";
  }
}

@philipp-s06

philipp-s06 commented Jun 10, 2023

> solution to the problem

It might work but the sender won't be notified about the blocked mail with a bad file extension.

@81packet

> solution to the problem
>
> It might work but the sender won't be notified about the blocked mail with a bad file extension.

require ["fileinto","reject","body","regex","notify"];
if anyof (body :raw :regex "filename=.*\\.rar",
          body :raw :regex "filename=.*\\.zip",
          body :raw :regex "filename=.*\\.7z",
          body :raw :regex "filename=.*\\.exe",
          body :raw :regex "filename=.*\\.moo")
{
  if not anyof (body :raw :regex "filename=.*\\.(jpg|jpeg|pdf|doc)")
  {
    redirect "blocked@domain.com";
    # old draft "notify" extension syntax: :method, :options and :message tags
    notify :low :message "Warning notify bla bla bla" :method "mailto" :options ["user@domain.com"];
  }
}

@philipp-s06

> options ["user@domain.com"];

But what if the sender is not from our mailcow?

@81packet

> options ["user@domain.com"];
>
> But what if the sender is not from our mailcow?

This is a general rule for every user. Change only the mailto address

@philipp-s06

Mailcow says "Unexpected tag :options".

@philipp-s06

philipp-s06 commented Jun 10, 2023

I also tried that filter:
require ["body", "regex", "reject"];
if anyof (body :raw :regex "filename=.*\.rar",
          body :raw :regex "filename=.*\.zip",
          body :raw :regex "filename=.*\.7z",
          body :raw :regex "filename=.*\.exe",
          body :raw :regex "filename=.*\.msi")
{
  # Caution: the trailing "|" in this group is an empty alternative, so the pattern
  # matches every filename= parameter and the reject below is never reached
  if not anyof (body :raw :regex "filename=.*\.(jpg|jpeg|pdf|docx|xlsx|pptx|gif|png|html|htm|txt|)")
  {
    reject text:
bla text
.
;
  }
}

and it doesn't work... what's wrong with that hell.....

@81packet

> Mailcow says "Unexpected tag :options".

#5246 fixes it

@philipp-s06

Ok, now Mailcow accepts the syntax but the filter doesn't work. Mails with a .zip file are delivered normally, without any notification to the sender.
I want the mail with a bad extension to be rejected and the sender to get a notification mail.

@81packet

81packet commented Jul 20, 2023

I set up another mail server with sieve support for testing, and the rule we needed worked normally there, but with mime and enotify.
Example:

require ["enotify","fileinto","mime"];
if header :contains "from" "@domain.com"
{
	fileinto "INBOX";
	stop;
}

if header :mime :anychild :param "filename" :matches "Content-Disposition" ["*.pdf","*.doc"]
{
	fileinto "INBOX";
	stop;
}

if header :mime :anychild :param "filename" :matches "content-disposition" ["*.rar","*.zip"]
{
	redirect "blocked@domain.com";
	notify :importance "3" :message "New message in blablabla..." "mailto:name@domain.com";
	stop;
}

We need to fix the problem with "mime" and "enotify" and everyone will be happy.
