How to block password protected Word attachment

Discuss here all what concerns the MailCleaner anti-spam efficiency, share your rulesets and tips for SpamAssassin !


cglmicro
Posts: 231
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

How to block password protected Word attachment

Postby cglmicro » Thu Apr 06, 2017 1:11 am

Hi guys.

I receive more and more emails with a .DOCX WORD document attached and the password in plain text in the email. As you know, it contains links that lead to infected ransomware, or VBS code.

How do you block these on your MailCleaners?
FlorianB
Posts: 86
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: boulot

Re: How to block password protected Word attachment

Postby FlorianB » Sat Apr 22, 2017 1:07 pm

Hello,
Is this enabled already?
Configuration -> Content protection -> Message Format Controls -> Password protected archives : Block
As new Office documents are archives, it should work, I suppose.
Regards,
Florian
cglmicro
Posts: 231
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Re: How to block password protected Word attachment

Postby cglmicro » Sun Apr 23, 2017 7:38 pm

Hi Florian.

It was ALLOW; I've set it to BLOCK and it still got through on my test no. 1.
I then tried to send a .7z on my test no. 2, which also got through.
Now, I don't know why, but password-protected DOCX files are effectively blocked (X-MailCleaner-SpamCheck: spam, ClamSpam (PUA.SecuriteInfo.com.Encrypted-Microsoft-document.UNOFFICIAL)), while password-protected .7z and .zip files always get through.

Any suggestion why MC is not blocking them also?
FlorianB
Posts: 86
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: boulot

Re: How to block password protected Word attachment

Postby FlorianB » Tue May 16, 2017 5:34 pm

Hello cgl,
To be honest, there are some features enabled by touching a file on MailCleaner Commercial Edition, named mc_experimental_???
You'll find mc_experimental_docm, mc_experimental_js, etc., directly blocking those files at SMTP level for people who are not afraid.
So if we release the beta by the end of the week, you'll be able to at least try it with a few domains soon (both versions, Commercial, now called Enterprise Edition, and Community, called Community Edition, are now merged, so features will be identical).

You could directly add this to your exim_stage1.conf_template too:

  ## MIME ACL, named as referenced by the acl_smtp_mime line added below.
  ## Each rule only fires while the mc-experimental-docm flag file exists.
acl_check_mime:

  ## Block .docm and .dotm in attachments and in zip/rar
  ## Rule 1: list the decoded zip/rar with unzip and refuse it if any
  ## entry name ends in .docm/.dotm
  deny  message = Detected forbidden filetype (Security reasons).
        log_message = Detected forbidden filetype (Security reasons): filename=$mime_filename, recipients=$recipients.
        condition = ${if exists{/var/mailcleaner/spool/mailcleaner/mc-experimental-docm}{true}{false}}
        condition = ${if match{$mime_filename}{\N(?i)\.(zip|rar)$\N}}
        decode = default
        condition = ${if match{${run{/usr/bin/unzip -l \
                                $mime_decoded_filename}}}\
                                {\N(?i)\.(docm|dotm)\n\N}}
        set acl_c8    = smtp:relayed:virus
        set acl_c9    = STATSADD
        set acl_c8    = smtp:relayed:refused
        set acl_c9    = STATSADD

  ## Rule 2: same check, listing the archive with rar instead of unzip
  deny  message = Detected forbidden filetype (Security reasons).
        log_message = Detected forbidden filetype (Security reasons): filename=$mime_filename, recipients=$recipients.
        condition = ${if exists{/var/mailcleaner/spool/mailcleaner/mc-experimental-docm}{true}{false}}
        condition = ${if match{$mime_filename}{\N(?i)\.(rar|zip)$\N}}
        decode = default
        condition = ${if match{${run{/usr/bin/rar lb \
                                $mime_decoded_filename}}}\
                                {\N(?i)\.(docm|dotm)\n\N}}
        set acl_c8    = smtp:relayed:virus
        set acl_c9    = STATSADD
        set acl_c8    = smtp:relayed:refused
        set acl_c9    = STATSADD

  ## Rule 3: refuse a bare .docm/.dotm attachment by its MIME filename
  deny  message = Detected forbidden filetype (Security reasons).
        log_message = Detected forbidden filetype (Security reasons): filename=$mime_filename, recipients=$recipients.
        condition = ${if exists{/var/mailcleaner/spool/mailcleaner/mc-experimental-docm}{true}{false}}
        condition = ${if match{$mime_filename}{\N(?i)\.(docm|dotm)$\N}}
        set acl_c8    = smtp:relayed:virus
        set acl_c9    = STATSADD
        set acl_c8    = smtp:relayed:refused
        set acl_c9    = STATSADD

  ## Everything else passes this MIME part
  accept


Take care to delete the lines "condition = ${if exists{/var/mailcleaner/spool/mailcleaner/mc-experimental-docm}{true}{false}}" or remember to create this file.
You'll have to add a line like this too:

acl_smtp_mime = acl_check_mime

Search for a similar line to find the place.

Last thing I have to say: the Exim embedded in the current Edition and the Community one is 4.84.1 or earlier, if I remember well. This is the 0.00.1 version before the version correcting the bug with this MIME ACL causing some segmentation faults of Exim. So if you enable this, you should remember three things:
1) There will be segmentation faults in the logs
2) As far as we know, no mails are lost, they are simply sometimes delayed (minutes) depending on MIME presence and encoding
3) Exim scan folders will not be cleaned correctly and will grow, so put a cron task to manage this every 4 hours.

OR wait for the release ;-) Seriously, it will come with all those little things and Exim 4.88.

Regards,
Florian
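As an added illustration (not code from this thread or from MailCleaner), the same decisions the ACL above makes, plus the two cases cglmicro observed, expressed as a content check a filter could run on a decoded attachment: refuse .docm/.dotm by name, refuse them inside a zip, refuse a zip whose entries carry the encryption flag, and treat an OOXML-named file that is really an OLE2/CFB container as a password-protected Office document (that wrapper is what the ClamAV "Encrypted-Microsoft-document" hit fires on). The function name and the sample builder are mine; 7z is not covered.

```python
import io
import re
import struct
import zipfile

# Extensions the thread's ACL refuses outright, inside or outside an archive.
MACRO_DOC_RE = re.compile(r"\.(docm|dotm)$", re.IGNORECASE)
OOXML_RE = re.compile(r"\.(docx|xlsx|pptx)$", re.IGNORECASE)
# Plain OOXML is a zip; Office stores a password-protected OOXML file as an
# OLE2/CFB compound file wrapping the encrypted package, hence this magic.
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 of a zip entry


def block_reason(filename: str, data: bytes):
    """Return why this attachment should be refused, or None to let it pass."""
    if MACRO_DOC_RE.search(filename):
        return "macro-enabled Office document"
    if data.startswith(CFB_MAGIC) and OOXML_RE.search(filename):
        return "password-protected Office document (OOXML inside a CFB wrapper)"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():  # listing only, nothing is extracted
                    if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                        return f"password-protected archive entry: {info.filename}"
                    if MACRO_DOC_RE.search(info.filename):
                        return f"macro-enabled document inside archive: {info.filename}"
        except zipfile.BadZipFile:
            return "unreadable zip container"  # fail closed, like the deny rules
    return None


def sample_zip(name: str, fake_encrypted: bool = False) -> bytes:
    """Constructed sample: a one-entry zip. With fake_encrypted, bit 0 of the
    general-purpose flag is set in the local and central headers so the entry
    looks password-protected (the payload itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"not a real document")
    raw = bytearray(buf.getvalue())
    if fake_encrypted:
        raw[6:8] = struct.pack("<H", ZIP_FLAG_ENCRYPTED)          # local header
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 8:cd + 10] = struct.pack("<H", ZIP_FLAG_ENCRYPTED)  # central dir
    return bytes(raw)
```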
