Re: Mail content filtering
On Wednesday 20 Jul 2005 13:38, Ms Linuz wrote:
> TreeBoy wrote:
> >I can recommend MailScanner.
> >
> >Plays nicely with Exim, Sendmail or Postfix.
> >
> >Cheers,
>
> Sorry for not explaining very well what I really wanted.
> What I want is to detect attachments and take a control action on them.
> The action can be deleting, renaming, etc. And it should be able to
> handle compressed files too.
>
> --w.h--
>
This is precisely what MailScanner does. (It also integrates with SpamAssassin
and the anti-virus software of your choice.)
I use it at each of my clients to filter out any executable, batch, cpl, mdb,
etc. file that comes through. (Basically I only allow DOC, SXW etc.)
It's marvellous - these are the relevant files for my home setup (which I
think are the defaults).
Cheers,
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete, then regular expression, then log text,
# then user report text.
#
# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages
# JKF 04/01/2005 More Microsoft security vulnerabilities
deny \.bmp$ Windows bitmap file security vulnerability Possible buffer overflow in Windows
deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
# These are some well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
deny your_.*\.zip "W32/SoBig.E" virus "W32/SoBig" virus
deny message\.zip "W32/Mimail.A" virus "W32/Mimail" virus
# These are known to be mostly harmless.
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sit$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -
# These are known to be dangerous in almost all cases.
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email
# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260
# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora
# Deny filenames ending with CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type
# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -
# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete, then regular expression, then log text,
# then user report text.
#
allow text - -
allow script - -
allow archive - -
allow postscript - -
deny self-extract No self-extracting archives No self-extracting archives allowed
deny ELF No executables No programs allowed
deny executable No executables No programs allowed
#deny MPEG No MPEG movies No MPEG movies allowed
#deny AVI No AVI movies No AVI movies allowed
#deny MNG No MNG/PNG movies No MNG movies allowed
#deny QuickTime No QuickTime movies No QuickTime movies allowed
#deny ASF No Windows media No Windows media files allowed
deny Registry No Windows Registry entries No Windows Registry files allowed
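The filename rules above as working logic, an added example that is not MailScanner's own code: it parses the TAB-separated allow/deny lines (a constructed subset of the rules quoted above), applies them first-match-wins, and also checks every member name inside a ZIP attachment, which is the "compressed file" requirement from the original question. Case-insensitive matching and allow-by-default when no rule matches are assumptions of this example.

```python
import io
import re
import zipfile

# Constructed subset of the filename rules quoted above, in the same
# TAB-separated format: action, regex, log text, user report text.
RULES_CONF = "\n".join([
    "deny\t\\.exe$\tWindows/DOS Executable\tExecutable DOS/Windows programs are dangerous in email",
    "deny\t\\{[a-hA-H0-9-]{25,}\\}\tFilename trying to hide its real type\tFiles containing CLSID's hide their type",
    "deny\t\\s{10,}\tFilename contains lots of white space\tA long gap in a name is often used to hide part of it",
    "allow\t\\.jpg$\t-\t-",
    "allow\t\\.zip$\t-\t-",
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-",
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension",
])

def parse_rules(text):
    """Parse rule lines into (action, regex, log text, report text); skip '#' comments."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        action, regex, log_text, report = line.split("\t", 3)
        # Assumption: names are matched case-insensitively, so FILE.EXE is
        # caught by the lower-case \.exe$ rule.
        rules.append((action, re.compile(regex, re.IGNORECASE), log_text, report))
    return rules

def check_name(name, rules):
    """First match wins (the file's ordering relies on this); assumed default: allow."""
    for action, regex, log_text, _report in rules:
        if regex.search(name):
            return action, log_text
    return "allow", "no rule matched"

def check_attachment(name, data, rules):
    """Check the attachment's own name and, for ZIP data, every member name inside it."""
    verdicts = [(name,) + check_name(name, rules)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdicts += [(m,) + check_name(m, rules) for m in zf.namelist()]
    return verdicts

def make_zip(names):
    """Build an in-memory ZIP with empty members (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()
```

Checking member names is what stops a denied .exe from riding inside an allowed .zip; the rules that follow it in the original file (repeated extension allowed, any other double extension denied) only work because earlier, more specific lines have already matched.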