Hi,

I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter malicious stuff like all windows executables. For MIME encoded headers I had no problem, this works fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all *.bat|and so on. But nothing at all happens. Mails go thru as if there wasn't an obstacle.

If there is some postfix & regexp pro on this list, please tell me what I am doing wrong.

Thanx, Philipp
body_checks = regexp:/etc/postfix/body-checks

#
#.386 Windows 386 enhanced mode driver
#
/name=".*\.386"/ REJECT

and so on. it's poor regex (overly matching) but I'm not too worried.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

----- Original Message -----
From: "Philipp Snizek" <mailinglists@belfin.ch>
To: <suse-security@suse.com>
Sent: Thursday, October 04, 2001 1:45 PM
Subject: [suse-security] postfix regexp in body_checks
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-----Original Message-----
From: Kurt Seifried [mailto:listuser@seifried.org]
Sent: Friday, 5 October 2001 00:07
To: Philipp Snizek; suse-security@suse.com
Subject: Re: [suse-security] postfix regexp in body_checks
body_checks = regexp:/etc/postfix/body-checks
this one is in my main.cf:

body_checks = regexp:/etc/postfix/bodychecks
#
#.386 Windows 386 enhanced mode driver
#
/name=".*\.386"/ REJECT
This is the content of my /etc/postfix/bodychecks:

/name=".*\.bat"/ REJECT
and so on. it's poor regex (overly matching) but I'm not too worried.
but mails still go thru. Have you got any ideas? Philipp
you didn't compile in regexp support? You didn't reload postfix? I dunno.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

----- Original Message -----
From: "Philipp Snizek" <mailinglists@belfin.ch>
To: "'Kurt Seifried'" <listuser@seifried.org>; <suse-security@suse.com>
Sent: Friday, October 05, 2001 12:04 AM
Subject: AW: [suse-security] postfix regexp in body_checks
you didn't compile in regexp support?
think yes. Or why would regexp work in header_checks then?
You didn't reload postfix?
oh, yes I did. Although obsolete I even restarted it with rcpostfix restart. Just to be all sure.
I dunno.
Me either. That's why I'm asking.
Philip... you can try this one... your postfix version is high enough, then it must come from your regexp. I used to remember that the regexps below used to be shown on the postfix ml.... you just have to sort what's important for you and what is not... I don't want to prove this or that regarding one single regexp or multiple regexps and whether it's more powerful or quicker.... do as you feel, and if you really experience performance issues, then try to put your regexp into one single line.

/name=\"(.*)\.(shm|hta|pif|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|exe)\"$/ REJECT
/(filename|name)=".*\.(asd|chm|dll|hlp|hta|js|ocx|pif)"/ REJECT
/(filename|name)=".*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"/ REJECT
/(filename|name)="(Happy99|Navidad|prettypark)\.exe"/ REJECT
/(filename|name)="(pretty park|zipped_files|flcss)\.exe"/ REJECT
/(filename|name)="(Msinit|wininit|msi216)\.exe"/ REJECT
/(filename|name)="(Avp_updates|Qi_test|Anti_cih)\.exe"/ REJECT
/(filename|name)="(Emanuel|kmbfejkm|NakedWife)\.exe"/ REJECT
/(filename|name)="(Seicho_no_ie|JAMGCJJA|Sulfnbk)\.exe"/ REJECT

I hope this will help. I have tried them some time ago, and they were ok...

Stephane
Hi list,

Anyone know how to set up a filter for sendmail to filter and REJECT attachments like exe, bat, pif ....

Thanks, Breno
On Thu, 25 Apr 2002, Breno Soares - STARIX wrote:
Anyone know how to set up a filter for sendmail to filter and REJECT attachments like exe, bat, pif ....
Use a recent sendmail version (8.11.x, better 8.12.x) with milter enabled (sendmail shipped on SuSE 7.2 and later has the milter lib enabled). See www.milter.org or i.e. http://www.roaringpenguin.com/mimedefang/

HTH
best regards,
Rainer Link

--
Rainer Link   | SuSE Linux AG - The Linux Experts
link@suse.de  | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de   | Founder OpenAntiVirus Project (www.openantivirus.org)
Hello,

I just installed Inflex and it works great for exactly what you are asking for. You should definitely look into this app! Easy to install, easy to configure... What else can you ask for!! I give it 5 stars!

http://pldaniels.org/inflex/

Enjoy :-)

============================================
Drew J. Como              Phone: 631-434-6600
Systems Administrator     Fax: 631-434-7800
dcomo@bascom.com          Web: www.bascom.com
Bascom Global Internet Services, Inc.
--------------------------------------------
"When quality is the goal, winning is guaranteed."

-----Original Message-----
From: Rainer Link [mailto:link@suse.de]
Sent: Thursday, April 25, 2002 2:40 PM
To: Breno Soares - STARIX
Cc: suse-security@suse.com
Subject: Re: [suse-security] Sendmail filter
Hi all,

I have in main.cf this:

body_checks = regexp:/etc/postfix/body_checks

And in file /etc/postfix/body_checks:

/filename=\".*\.(doc|xls)\.pif\"/ REJECT

so, every attachment (thinking in SirCam :) ended with doc.pif or xls.pif is "Content Rejected", and it works. And working with ldap :)

PostFix is great!

SalU2
Agustin
I'm not a pro, but I've been testing this a while so maybe I can help you. First of all, what version of postfix do you use ?... if it's an old version, the body & header checks were not usable... tell me what is your snapshot #.
Hi Stephane,

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/etc/postfix/bodychecks
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
default_privs = nobody
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_name = Postfix
mail_owner = postfix
mail_spool_directory = /var/mail
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = belfin.reinach
myhostname = mx.belfin.reinach
mynetworks = 10.0.0.0/24, 127.0.0.0/8
program_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
relocated_maps = hash:/etc/postfix/relocated
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sender_restrictions = hash:/etc/postfix/access
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/virtual

Version: 20001212-4

Version should not be an issue cause header_checks for MIME encoded mails works wonderfully (for testing it's disabled right now). For UUENCODE e-mails regexp in body_checks does not work.

Philipp
-----Original Message-----
From: stephane parenton [mailto:sparenton@experia.com]
Sent: Friday, 5 October 2001 09:37
To: Philipp Snizek
Cc: suse-security@suse.com
Subject: Re: [suse-security] postfix regexp in body_checks
i think you should look into the postfix-users archive, it's discussed many times (you know that list ;)

try that one:

/^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT

add more if you want...

--
intraDAT AG                      http://www.intradat.com
Wilhelm-Leuschner-Strasse 7      Tel: +49 69-25629-0
D - 60329 Frankfurt am Main      Fax: +49 69-25629-256
try that one: /^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT
copy-pasted it, tried it, failed. Since all suggestions I received during the last 24 hours work in various postfix systems (mine excluded), I guess there's something else wrong. This is my testmail (UUENCODE):
From testuser@belfin.ch Fri Oct 5 12:37:56 2001
X-UIDL: XLN"!D7/"!_e\!!P]I!!
Return-Path: <testuser@belfin.ch>
Delivered-To: testuser@belfin.reinach
Received: from client01 (unknown [10.0.0.182]) by mx.belfin.reinach (Postfix) with SMTP id B8F5B9FE32 for <testuser@belfin.reinach>; Fri, 5 Oct 2001 12:37:55 +0200 (CEST)
From: "testuser" <testuser@belfin.ch>
To: <testuser@belfin.reinach>
Subject: WG: test
Date: Fri, 5 Oct 2001 12:14:06 +0200
Message-ID: <000001c14d86$779d52c0$b600000a@belfin.reinach>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Status: U
-----Ursprungliche Nachricht----- Von: testuser [mailto:testuser@belfin.ch] Gesendet: Freitag, 5. Oktober 2001 12:12 An: testuser@belfin.reinach Betreff: test
begin 666 AUTOEXEC.BAT
`
end

This is my bodychecks (1 active rule):

/^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT
#/name=\"(.*)\.(shm|hta|pif|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|exe)\"$/ REJECT
#/(filename|name)=".*\.(asd|chm|dll|hlp|hta|js|ocx|pif)"/ REJECT
#/(filename|name)=".*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"/ REJECT
#/(filename|name)="(Happy99|Navidad|prettypark)\.exe"/ REJECT
#/(filename|name)="(pretty park|zipped_files|flcss)\.exe"/ REJECT
#/(filename|name)="(Msinit|wininit|msi216)\.exe"/ REJECT
#/(filename|name)="(Avp_updates|Qi_test|Anti_cih)\.exe"/ REJECT
#/(filename|name)="(Emanuel|kmbfejkm|NakedWife)\.exe"/ REJECT
#/(filename|name)="(Seicho_no_ie|JAMGCJJA|Sulfnbk)\.exe"/ REJECT
#/filename=\".*\.(doc|xls)\.pif\"/ REJECT
#/filename=\".*\.bat"/ REJECT

Proof that postfix reads the /etc/postfix/bodychecks (provoked error):

Oct 5 12:36:11 mx postfix/cleanup[9427]: warning: /etc/postfix/bodychecks, line 13: no closing regexp delimiter: 3

What's wrong with it?

Philipp
i think you should look into the postfix-users archive, it's discussed many times (you know that list ;)
Oh yes I am. As you are too.
try that one: /^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT
copy-pasted, reloaded postfix, sent mail, mail arrived in good shape = test failed. Tested on a different postfix system, failed as well. Think we're searching in the wrong corner. This is the mailheader of my testmail (UUENCODE):
From testuser@belfin.ch Fri Oct 5 12:37:56 2001
X-UIDL: XLN"!D7/"!_e\!!P]I!!
Return-Path: <testuser@belfin.ch>
Delivered-To: testuser@belfin.reinach
Received: from client01 (unknown [10.0.0.182]) by mx.belfin.reinach (Postfix) with SMTP id B8F5B9FE32 for <testuser@belfin.reinach>; Fri, 5 Oct 2001 12:37:55 +0200 (CEST)
From: "testuser" <testuser@belfin.ch>
To: <testuser@belfin.reinach>
Subject: WG: test
Date: Fri, 5 Oct 2001 12:14:06 +0200
Message-ID: <000001c14d86$779d52c0$b600000a@belfin.reinach>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Status: U
-----Ursprungliche Nachricht----- Von: testuser [mailto:testuser@belfin.ch] Gesendet: Freitag, 5. Oktober 2001 12:12 An: testuser@belfin.reinach Betreff: test
begin 666 AUTOEXEC.BAT
`
end

thank you
Philipp
Hi all,

Thanx a lot for your efforts, we could solve the problem on the postfix-users list. Here's the solution:

/etc/postfix/body_checks (uuencoded mails)

/^begin [0-9]+ .*\.(bat|exe|cmd|scr|shb|vbs|vba|pif|dll|hlp|hta|reg|js|ocx|vxd|wsf|wsh)/ REJECT

Philipp
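Added example, not code from the thread or from Postfix itself: a small Python emulation of how Postfix applies a regexp: body_checks table, one body line at a time with case-insensitive matching and first match wins. It shows why the name="..." rule suggested earlier in the thread catches a MIME part header but never sees a uuencoded attachment, whose filename appears only on the 'begin <mode> <name>' line that the final rule above matches. The two rules are copied from the thread; the three messages are constructed test data.

```python
"""Line-by-line emulation of a Postfix regexp: body_checks table."""
import re

# Rules copied from the thread. Postfix applies body_checks to one body
# line at a time, matches case-insensitively unless the 'i' flag is set,
# and stops at the first matching rule.
NAME_RULE = r'/^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT'
UUENCODE_RULE = (r'/^begin [0-9]+ .*\.(bat|exe|cmd|scr|shb|vbs|vba|pif|dll'
                 r'|hlp|hta|reg|js|ocx|vxd|wsf|wsh)/ REJECT')


def parse_table(text):
    """Parse '/pattern/flags ACTION' lines (only '/' as delimiter here)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^/(.*)/([a-zA-Z]*)\s+(\S.*)$', line)
        if not m:
            raise ValueError(f'cannot parse rule: {line!r}')
        pattern, flags, action = m.groups()
        re_flags = 0 if 'i' in flags else re.IGNORECASE  # 'i' toggles default
        rules.append((re.compile(pattern, re_flags), action))
    return rules


def first_match(rules, line):
    """Action of the first rule that matches this single line, else None."""
    for regex, action in rules:
        if regex.search(line):
            return action
    return None


def check_body(raw_message, rules):
    """Run the table over every line after the header block; first hit wins."""
    _, _, body = raw_message.partition('\n\n')
    for line in body.splitlines():
        action = first_match(rules, line)
        if action:
            return action, line
    return None, None


# Constructed test messages (not from the thread). With 2001-era Postfix
# the MIME part headers inside the body are ordinary body lines.
MIME_MSG = ('Subject: mime test\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            '--b1\nContent-Type: application/octet-stream; name="setup.exe"\n'
            'Content-Disposition: attachment; filename="setup.exe"\n\n'
            'QUJD\n--b1--\n')
UU_MSG = ('Subject: uuencode test\n\nsee attached\n\n'
          'begin 666 AUTOEXEC.BAT\n`\nend\n')
TEXT_MSG = 'Subject: hello\n\nmeeting at 10, bring the report.\n'

if __name__ == '__main__':
    name_only = parse_table(NAME_RULE)
    both = parse_table(NAME_RULE + '\n' + UUENCODE_RULE)
    for label, msg in (('MIME', MIME_MSG), ('uuencode', UU_MSG), ('text', TEXT_MSG)):
        print(label, '| name rule only:', check_body(msg, name_only)[0],
              '| with begin rule:', check_body(msg, both)[0])
    # Caveat: the begin rule has no trailing '$', so a name such as
    # notes.bat.txt is rejected too (the "overly matching" trade-off).
    print('over-match:', first_match(both, 'begin 644 notes.bat.txt'))
```

On a real Postfix host the same line-level check is postmap -q 'begin 666 AUTOEXEC.BAT' regexp:/etc/postfix/body_checks, which prints the action of the first matching rule.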
participants (9)
- Agustin Muñoz
- Breno Soares - STARIX
- Drew J. Como
- Info
- Kurt Seifried
- Philipp Snizek
- Rainer Link
- stephane parenton
- Sven Michels