My users have been getting more phishing e-mails lately and I've decided to implement some additional restrictions to block the majority of this crap from reaching them. (I'm already using several layers of spam-blocking techniques, though no true spam filter. For the past few weeks, I've been blacklisting IPs, almost exclusively from Asian countries, that try to hack into my server via brute-force methods - this has also reduced the amount of crap we get, proving that the same people trying to guess passwords are also a source of spam. Not that this has much to do with the trouble I've encountered... just found it to be an interesting factoid.) Most of these restrictions will be in the form of body checks, looking for URLs that match those that we have already received. I know this is a reactive measure, meaning that I must receive a bad message in order to block similar ones in the future, but I've had bad experiences with spam filters generating false positives in the past and want to avoid this at all costs. I set up a special account for people to forward fakes to so that I can update the filters regularly.
I'm trying to configure Postfix to block any messages that have an executable attachment with a header check. Currently, I have two rules implemented that I found online that are supposed to achieve this effect, but neither seems to work as I'm still able to send a message with an EXE attached. (This message is then bounced back to the sender by amavisd, but I'd really like to eliminate the bounce and just prevent the message from being accepted to begin with.)
I verified that the header checks are working by adding a rule to bounce a message with 'Please bounce this message' as the subject. My guess right now is that the regular expressions that determine the attachment name are not registering a hit with the message I sent.
Relevant lines from postconf -n:
Code:
header_checks = pcre:/usr/local/etc/postfix/header_checks
mime_header_checks = pcre:/usr/local/etc/postfix/mime_header_checks
header_checks:
Code:
/^Date: .* 19[0-9][0-9]/ REJECT Please update your computer clock and try again. SHC01
/^Date: .* 200[0-9]/ REJECT Please update your computer clock and try again. SHC02
/^Subject: Please bounce this message/ REJECT Rule working... SHC42
# These two attachment rules only ever see the primary headers (From, To, Subject, ...);
# attachment names live in the headers of the individual MIME parts, which only
# mime_header_checks inspects, so the blocking has to happen in that table.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|<bunch more here>|ex[_e]|<bunch more>|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed. SHC03
/name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT We do not allow files of type "$1" because of security concerns. SHC03
/^Bel-Tracking: .*/ REJECT Confirmed spam header found- go away. SHC04
/^Hel-Tracking: .*/ REJECT Confirmed spam header found- go away. SHC05
/^Kel-Tracking: .*/ REJECT Confirmed spam header found- go away. SHC06
/^BIC-Tracking: .*/ REJECT Confirmed spam header found- go away. SHC07
/^Lid-Tracking: .*/ REJECT Confirmed spam header found- go away. SHC08
/^X-Mailer: 0001/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC09
/^X-Mailer: Avalanche/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC10
/^X-Mailer: Crescent Internet Tool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC11
/^X-Mailer: DiffondiCool/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC12
/^X-Mailer: E-Mail Delivery Agent/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC13
/^X-Mailer: Emailer Platinum/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC14
/^X-Mailer: Entity/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC15
/^X-Mailer: Extractor/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC16
/^X-Mailer: Floodgate/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC17
/^X-Mailer: GOTO Software Sarbacane/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC18
/^X-Mailer: MailWorkz/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC19
/^X-Mailer: MassE-Mail/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC20
/^X-Mailer: MaxBulk.Mailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC21
/^X-Mailer: News Breaker Pro/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC22
/^X-Mailer: SmartMailer/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC23
/^X-Mailer: StormPort/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC24
/^X-Mailer: SuperMail-2/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program. SHC25
mime_header_checks:
Code:
# Postfix hands the table one logical header at a time, folded continuation lines
# included, so a part's header starts with "Content-Type:" and "name=" is never at
# the start of the string: the "^name=" anchor made this rule dead. The pattern has
# a single capture group, so the extension is $1 ($2/$3 expand to nothing).
/name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT We do not allow files of type "$1" because of security concerns. SHC03
# The next pattern uses PCRE-only syntax ((?:...), lazy .+?, \s, \d), which a
# regexp: (POSIX) table cannot compile: Postfix logs a warning and skips the rule.
# It needs a pcre: table; "postconf -m" lists the table types this build supports.
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|<bunch more here>|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
The source of one of the messages I sent with an EXE attached:
Code:
From - Tue Feb 16 16:31:31 2010
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <4B7B0EAC.2090001@mydomain.com>
Date: Tue, 16 Feb 2010 16:31:24 -0500
From: Me <myaddress@mydomain.com>
User-Agent: Thunderbird 1.5.0.9 (X11/20061206)
MIME-Version: 1.0
To: Me Two <mysecondaryaddress@mydomain.com>
Subject: Test 6
Content-Type: multipart/mixed;
 boundary="------------030903020106050306070302"
This is a multi-part message in MIME format.
--------------030903020106050306070302
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
EXE attached
--------------030903020106050306070302
Content-Type: application/octet-stream;
 name="vncviewer.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="vncviewer.exe"
TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAIAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<continued>
Can anybody see where I've screwed up? I admit that I don't entirely understand regular expressions and basically cut & pasted the samples I've found. I can decipher some of what's going on, but don't know the full syntax.
Also, given that it's missing the attachment that Thunderbird is sending and on the assumption that these rules DO work when other clients send attachments, is this even something that can be done effectively?
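To see why the posted tables let the message through, here is an added example (my own code, not from the post and not Postfix source) that replays the two tables against a message shaped like the one above. It assumes the Postfix behaviour described in header_checks(5) and pcre_table(5) as I read them: a table is handed one logical header at a time, i.e. the first line plus its folded continuation lines with the newlines kept; header_checks sees only the primary headers and mime_header_checks sees each MIME part's headers; pcre: tables are case-insensitive and let `.` match a newline by default. Python's `re` module stands in for PCRE, the sample message is constructed (placeholder addresses, truncated junk in place of the base64 payload), and the `SAMPLE`, `*_RULES`, `unfold`, `split_message`, `check_table` and `scan` names are mine.

```python
"""Offline stand-in for Postfix header_checks / mime_header_checks, to test
the posted patterns without a live server.  Added example, not Postfix code.
Assumed behaviour (my reading of the Postfix docs): one logical header per
lookup, folds kept; primary headers -> header_checks, MIME part headers ->
mime_header_checks; pcre: tables ignore case and let '.' match newline."""
import re

# Constructed sample shaped like the posted message; addresses are
# placeholders and the base64 payload is truncated junk, not a real file.
SAMPLE = """\
Message-ID: <4B7B0EAC.2090001@example.invalid>
Date: Tue, 16 Feb 2010 16:31:24 -0500
From: Me <me@example.invalid>
MIME-Version: 1.0
To: Me Two <me2@example.invalid>
Subject: Test 6
Content-Type: multipart/mixed;
 boundary="------------030903020106050306070302"

--------------030903020106050306070302
Content-Type: application/octet-stream;
 name="vncviewer.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="vncviewer.exe"

TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--------------030903020106050306070302--
"""

EXT = r"(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)"

# header_checks (posted name= rule): it only ever sees the primary headers.
HEADER_RULES = [
    (r"name=[^>]*\." + EXT, 'REJECT We do not allow files of type "$1"'),
]
# mime_header_checks as posted: '^name=' can never match, because the logical
# header starts with 'Content-Type:' and name= sits on a continuation line.
MIME_RULES_POSTED = [
    (r"^name=[^>]*\." + EXT, 'REJECT We do not allow files of type "$1"'),
]
# Anchor dropped, plus the posted Content-(Disposition|Type) rule (extension
# list shortened).  It uses PCRE-only syntax ((?:...), lazy .+?, \s, \d),
# which is why the real table must be declared pcre:, not regexp:.
MIME_RULES_FIXED = [
    (r"name=[^>]*\." + EXT, 'REJECT We do not allow files of type "$1"'),
    (r'^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.'
     r"(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|"
     r"\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b",
     'REJECT ".$2" file attachment types not allowed'),
]

def unfold(lines):
    """Group raw header lines into logical headers, keeping the folds."""
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line  # folded continuation line
        else:
            headers.append(line)
    return headers

def split_message(raw):
    """Return (primary logical headers, [logical headers of each MIME part])."""
    head, _, body = raw.partition("\n\n")
    primary = unfold(head.split("\n"))
    parts = []
    for h in primary:
        m = re.search(r'boundary="?([^"\s;]+)', h, re.DOTALL | re.IGNORECASE)
        if m:
            for chunk in body.split("--" + m.group(1))[1:]:
                if chunk.startswith("--"):  # closing delimiter
                    break
                part_head = chunk.lstrip("\n").partition("\n\n")[0]
                parts.append(unfold(part_head.split("\n")))
    return primary, parts

def expand(action, m):
    """Fill in $1, $2, ... from the match; an unmatched group becomes empty."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", action)

def check_table(rules, logical_headers):
    """Try every rule against each logical header; the first hit wins."""
    for header in logical_headers:
        for pattern, action in rules:
            m = re.search(pattern, header, re.DOTALL | re.IGNORECASE)
            if m:
                return expand(action, m)
    return None

def scan(raw, header_rules, mime_rules):
    """Return (table, action) for the first hit, or None if the mail passes."""
    primary, parts = split_message(raw)
    hit = check_table(header_rules, primary)
    if hit:
        return ("header_checks", hit)
    for part in parts:
        hit = check_table(mime_rules, part)
        if hit:
            return ("mime_header_checks", hit)
    return None

if __name__ == "__main__":
    print("posted tables:", scan(SAMPLE, HEADER_RULES, MIME_RULES_POSTED))
    print("fixed tables: ", scan(SAMPLE, HEADER_RULES, MIME_RULES_FIXED))
```

Run as-is, the posted tables return None (the mail would be accepted and left for amavisd to bounce) and the fixed tables reject on the octet-stream part's Content-Type header. Against a real install, `postmap -q - pcre:/usr/local/etc/postfix/mime_header_checks < keys.txt` tests a table, but it reads one key per line and so cannot feed a folded two-line header as a single key, which is exactly the case the script exercises.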