quarantine and release banned file types
Posted: 20 Jun 2016 12:21
by ovizii
I have modified MailScanner to quarantine viruses and other banned content types so as to avoid false positives. Users have no access to release on their own, so there is little risk.
I now have a user who received a binary Excel sheet, consisting of a .xlsb and a workbook.bin file. The .bin file was blocked as:
MailScanner: No programs allowed (workbook.bin) ,MailScanner: No programs allowed (workbook.bin)
workbook.bin application/octet-stream; charset=binary
When I release the complete email with all attachments, it gets filtered again for the same reason, so it seems banned file types take precedence over whitelists. Any idea how to do this?
Re: quarantine and release banned file types
Posted: 21 Jun 2016 07:33
by ovizii
Solution a) I found a forum containing this suggestion:
Change MailScanner.conf line:
Scan Messages = yes
to:
Scan Messages = %rules-dir%/scan.messages.rules
Example scan.messages.rules (located in /etc/MailScanner/rules in my case):
From: 10.1.10.1 no
From: 10.1.10.2 no
From: 10.10. no
From: 10.2.10. no
FromOrTo: *@domain.com no
FromOrTo: default yes
Sounds like I could insert "From: 127.0.0.1 no", which would do nothing to emails originating locally?
Solution b) Alternatively, do what they suggest in the FAQ:
http://docs.mailwatch.org/using/faq.html
Set the following in /etc/Mailscanner/Mailscanner.conf:
Filename Rules = %etc-dir%/filename.rules
Filetype Rules = %etc-dir%/filetype.rules
Dangerous Content Scanning = %rules-dir%/content.scanning.rules
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Then the following files should be set-up as follows:
filename.rules
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf
filetype.rules
From: 127.0.0.1 /etc/MailScanner/filetype.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filetype.rules.conf
content.scanning.rules
From: 127.0.0.1 no
FromOrTo: default yes
spam.whitelist.rules
From: 127.0.0.1 yes
FromOrTo: default no
filename.rules.allowall.conf
allow .* - -
filetype.rules.allowall.conf
allow .* - -
Solution b) looks better, but would mean completely messing around with the default EFA configs. Would this be something that could be implemented in a future version?
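Both solutions rely on the same ruleset syntax (one rule per line, "Direction: pattern value", first match wins, "default" last), so here is an added example that models how such a file is read. This is my own Python, not MailScanner's Perl code and not anything shipped by EFA or MailWatch; it runs the example scan.messages.rules from Solution a) and the two-line local-release ruleset against a few constructed messages. The IP-prefix, glob and case-insensitive matching behaviour is an assumption made to keep the model small; check the MailScanner documentation for the exact semantics before relying on them.

```python
# Added illustration of first-match ruleset evaluation in the style of
# MailScanner rule files (scan.messages.rules, filename.rules, ...).
# NOT MailScanner's own code; it models only the syntax shown in the thread.
# Assumptions not taken from the page: an IP pattern ending in '.' is a
# prefix, an address pattern is a shell-style glob, matching is
# case-insensitive, and a recipient never matches an IP pattern.
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    direction: str   # 'from', 'to' or 'fromorto'
    pattern: str     # IP, IP prefix, address glob, or 'default'
    value: str       # the option value: yes/no or a path to a .conf
    lineno: int


@dataclass
class Message:
    client_ip: str
    sender: str
    recipients: List[str] = field(default_factory=list)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].endswith(":"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        direction = parts[0][:-1].lower()
        if direction not in ("from", "to", "fromorto"):
            raise ValueError(f"line {n}: unknown direction {parts[0]!r}")
        rules.append(Rule(direction, parts[1].lower(), parts[2].strip(), n))
    return rules


def _is_ip_pattern(pattern: str) -> bool:
    return pattern != "" and all(c.isdigit() or c == "." for c in pattern)


def _ip_matches(pattern: str, ip: str) -> bool:
    # '10.10.' matches 10.10.x.y but not 10.100.x.y; no trailing dot means exact
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _addr_matches(pattern: str, addr: str) -> bool:
    return fnmatch.fnmatchcase(addr.lower(), pattern)


def _from_side(rule: Rule, msg: Message) -> bool:
    if _is_ip_pattern(rule.pattern):
        return _ip_matches(rule.pattern, msg.client_ip)
    return _addr_matches(rule.pattern, msg.sender)


def _to_side(rule: Rule, msg: Message) -> bool:
    if _is_ip_pattern(rule.pattern):
        return False          # recipients carry no IP to match against
    return any(_addr_matches(rule.pattern, r) for r in msg.recipients)


def first_match(rules: List[Rule], msg: Message) -> Optional[Rule]:
    """Walk the rules top to bottom; the first hit decides, 'default' always hits."""
    for rule in rules:
        if rule.pattern == "default":
            return rule
        hit = {
            "from": _from_side(rule, msg),
            "to": _to_side(rule, msg),
            "fromorto": _from_side(rule, msg) or _to_side(rule, msg),
        }[rule.direction]
        if hit:
            return rule
    return None


def decide(ruleset_text: str, msg: Message) -> Optional[str]:
    """Value of the winning rule, or None if no rule (and no default) matched."""
    rule = first_match(parse_ruleset(ruleset_text), msg)
    return rule.value if rule else None


# The scan.messages.rules example from the thread, and the local-release variant
SCAN_RULES = """\
From: 10.1.10.1 no
From: 10.1.10.2 no
From: 10.10. no
From: 10.2.10. no
FromOrTo: *@domain.com no
FromOrTo: default yes
"""

RELEASE_RULES = """\
From: 127.0.0.1 no
FromOrTo: default yes
"""

if __name__ == "__main__":
    # Constructed messages, not taken from the thread
    for m in (Message("10.10.5.7", "a@example.org", ["b@example.org"]),
              Message("10.100.1.1", "a@example.org", ["b@example.org"]),
              Message("192.0.2.5", "a@example.org", ["bob@domain.com"]),
              Message("127.0.0.1", "postmaster@example.org", ["c@example.org"])):
        print(m.client_ip, "->", decide(SCAN_RULES, m), decide(RELEASE_RULES, m))
```

Running it prints one decision per constructed message. Two things worth noticing: 10.100.1.1 is not caught by the "10.10." prefix, and a message from 127.0.0.1 stops at the "no" line before ever reaching the default, which is what both solutions above depend on.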
Re: quarantine and release banned file types
Posted: 21 Jun 2016 07:38
by ovizii
I need some help here. I went with Solution a):
Scan Messages = %rules-dir%/scan.messages.rules
nano /etc/MailScanner/rules/scan.messages.rules
From: 127.0.0.1 no
FromOrTo: default yes
and released an email to my own address, and it worked just fine.
So I then tried to release this email to the original recipient and it got caught again. What am I doing wrong here? This doesn't make any sense to me; both emails originated on 127.0.0.1.
Re: quarantine and release banned file types
Posted: 21 Jun 2016 07:50
by ovizii
The log files for these two emails, the one that went through and the one that got filtered. Any ideas why they get filtered differently when they both come from 127.0.0.1?
[root@jacob spamassassin]# grep -i '2665510090C' /var/log/maillog
Jun 21 09:30:58 jacob postfix/pickup[16232]: 2665510090C: uid=48 from=<postmaster@ict-consult.co.za>
Jun 21 09:30:58 jacob postfix/cleanup[16850]: 2665510090C: hold: header Received: by jacob.ict-consult.co.za (Postfix, from userid 48)??id 2665510090C; Tue, 21 Jun 2016 09:30:58 +0200 (CEST) from local; from=<postmaster@ict-consult.co.za> to=<ovidiu@ict-consult.co.za>
Jun 21 09:30:58 jacob postfix/cleanup[16850]: 2665510090C: message-id=<841F6D868E439A4FBEB1028D84E4E8542A1B9075@ZAAFHVMMB02.af.hcnet.biz>
Jun 21 09:30:58 jacob MailScanner[16255]: Requeue: 2665510090C.A32C3 to 2F28810024A
Jun 21 09:30:58 jacob MailScanner[16255]: Logging message 2665510090C.A32C3 to SQL
Jun 21 09:30:58 jacob MailScanner[16248]: 2665510090C.A32C3: Logged to MailWatch SQL
[root@jacob spamassassin]# grep -i '4A3CE10090C' /var/log/maillog
Jun 21 09:31:49 jacob postfix/pickup[16232]: 4A3CE10090C: uid=48 from=<postmaster@ict-consult.co.za>
Jun 21 09:31:49 jacob postfix/cleanup[16850]: 4A3CE10090C: hold: header Received: by jacob.ict-consult.co.za (Postfix, from userid 48)??id 4A3CE10090C; Tue, 21 Jun 2016 09:31:49 +0200 (CEST) from local; from=<postmaster@ict-consult.co.za> to=<pierre@client-domain.tld>
Jun 21 09:31:49 jacob postfix/cleanup[16850]: 4A3CE10090C: message-id=<841F6D868E439A4FBEB1028D84E4E8542A1B9075@ZAAFHVMMB02.af.hcnet.biz>
Jun 21 09:31:49 jacob MailScanner[26487]: Filetype Checks: No executables (4A3CE10090C.A8659 workbook.bin)
Jun 21 09:31:54 jacob MailScanner[26487]: <A> tag found in message 4A3CE10090C.A8659 from postmaster@ict-consult.co.za
Jun 21 09:31:54 jacob MailScanner[26487]: HTML Img tag found in message 4A3CE10090C.A8659 from postmaster@ict-consult.co.za
Jun 21 09:31:54 jacob MailScanner[26487]: Saved entire message to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Saved infected "S0P842_1Audit.xlsb" to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Saved infected "workbook.bin" to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Message 4A3CE10090C.A8659 from 127.0.0.1 (postmaster@ict-consult.co.za) is whitelisted
Jun 21 09:31:54 jacob MailScanner[17081]: Found phishing fraud from http://www.newcastlemc.co.za/ claiming to be www.mediclinic.co.za in 4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Content Checks: Detected and have disarmed phishing tags in HTML message in 4A3CE10090C.A8659 from postmaster@ict-consult.co.za
Jun 21 09:31:54 jacob MailScanner[26487]: Logging message 4A3CE10090C.A8659 to SQL
Jun 21 09:31:54 jacob MailScanner[16248]: 4A3CE10090C.A8659: Logged to MailWatch SQL
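To see why the two releases were treated differently, it helps to line the Postfix and MailScanner entries up by queue ID. The following is an added example (my own Python, not part of EFA, MailWatch or MailScanner) that does that for the log excerpts above, which are reproduced inline; the regular expressions are my own and only cover the message shapes visible in those excerpts. It reports, per queue ID, the recipient, which filename/filetype check fired, what was quarantined, and whether MailScanner requeued the message without scanning it.

```python
# Added example: correlate Postfix and MailScanner lines from /var/log/maillog
# by queue ID, so a release can be checked for "requeued untouched" versus
# "scanned and quarantined again". Not code from MailScanner, MailWatch or EFA.
# The sample lines below are copied from the thread; the patterns are mine and
# cover only the message shapes seen there.
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
                     r"(?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
POSTFIX_QID_RE = re.compile(r"^(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
MS_QID_RE = re.compile(r"\b(?P<qid>[0-9A-F]{6,})\.[0-9A-F]+\b")   # e.g. 4A3CE10090C.A8659
CHECK_RE = re.compile(r"^(?P<check>File(?:name|type) Checks): (?P<reason>.*?) "
                      r"\((?P<id>\S+) (?P<file>.*)\)$")
SAVED_RE = re.compile(r'^Saved infected "(?P<file>.*)" to (?P<dir>\S+)$')
REQUEUE_RE = re.compile(r"^Requeue: (?P<id>\S+) to (?P<newqid>\S+)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")


def _new_record() -> dict:
    return {"from": None, "to": None, "blocked": [], "quarantined": [],
            "requeued_to": None, "whitelisted": False}


def summarize(log_text: str) -> Dict[str, dict]:
    """One record per Postfix queue ID describing what happened to it."""
    records: Dict[str, dict] = defaultdict(_new_record)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # prompts, grep commands, blank lines
        prog, msg = m["prog"], m["msg"]
        if prog.startswith("postfix/"):
            pm = POSTFIX_QID_RE.match(msg)
            if not pm:
                continue
            rec = records[pm["qid"]]
            fm, tm = FROM_RE.search(pm["rest"]), TO_RE.search(pm["rest"])
            if fm:
                rec["from"] = fm["addr"]
            if tm:
                rec["to"] = tm["addr"]
        elif prog == "MailScanner":
            qm = MS_QID_RE.search(msg)    # MailScanner ID = Postfix ID + suffix
            if not qm:
                continue
            rec = records[qm["qid"]]
            cm = CHECK_RE.match(msg)
            if cm:
                rec["blocked"].append((cm["check"], cm["reason"], cm["file"]))
            sm = SAVED_RE.match(msg)
            if sm:
                rec["quarantined"].append(sm["file"])
            rm = REQUEUE_RE.match(msg)
            if rm:
                rec["requeued_to"] = rm["newqid"]
            if msg.endswith("is whitelisted"):
                rec["whitelisted"] = True
    return dict(records)


def rescanned_releases(summary: Dict[str, dict]) -> List[str]:
    """Queue IDs that were quarantined again instead of being requeued."""
    return sorted(q for q, r in summary.items()
                  if r["quarantined"] and not r["requeued_to"])


# Log lines reproduced from the thread (message-id lines omitted)
SAMPLE_LOG = """\
Jun 21 09:30:58 jacob postfix/pickup[16232]: 2665510090C: uid=48 from=<postmaster@ict-consult.co.za>
Jun 21 09:30:58 jacob postfix/cleanup[16850]: 2665510090C: hold: header Received: by jacob.ict-consult.co.za (Postfix, from userid 48)??id 2665510090C; Tue, 21 Jun 2016 09:30:58 +0200 (CEST) from local; from=<postmaster@ict-consult.co.za> to=<ovidiu@ict-consult.co.za>
Jun 21 09:30:58 jacob MailScanner[16255]: Requeue: 2665510090C.A32C3 to 2F28810024A
Jun 21 09:30:58 jacob MailScanner[16255]: Logging message 2665510090C.A32C3 to SQL
Jun 21 09:31:49 jacob postfix/pickup[16232]: 4A3CE10090C: uid=48 from=<postmaster@ict-consult.co.za>
Jun 21 09:31:49 jacob postfix/cleanup[16850]: 4A3CE10090C: hold: header Received: by jacob.ict-consult.co.za (Postfix, from userid 48)??id 4A3CE10090C; Tue, 21 Jun 2016 09:31:49 +0200 (CEST) from local; from=<postmaster@ict-consult.co.za> to=<pierre@client-domain.tld>
Jun 21 09:31:49 jacob MailScanner[26487]: Filetype Checks: No executables (4A3CE10090C.A8659 workbook.bin)
Jun 21 09:31:54 jacob MailScanner[26487]: Saved entire message to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Saved infected "S0P842_1Audit.xlsb" to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Saved infected "workbook.bin" to /var/spool/MailScanner/quarantine/20160621/4A3CE10090C.A8659
Jun 21 09:31:54 jacob MailScanner[26487]: Message 4A3CE10090C.A8659 from 127.0.0.1 (postmaster@ict-consult.co.za) is whitelisted
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for qid, rec in summary.items():
        print(qid, rec)
    print("quarantined again:", rescanned_releases(SAMPLE_LOG and summary))
```

On the thread's own lines the first release (to ovidiu@ict-consult.co.za) shows only a Requeue entry, i.e. it was handed straight back to Postfix, while the second (to pierre@client-domain.tld) shows a Filetype Checks hit and two "Saved infected" entries, with the "is whitelisted" line applying to spam whitelisting only, not to the filetype check. Fed a day's maillog, rescanned_releases() gives the queue IDs worth investigating.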
Re: quarantine and release banned file types
Posted: 22 Jun 2016 13:09
by shawniverson
I am not sure what is going on here in your setup...
I will spin up an instance and see if I can reproduce the issue based on the info you have posted.
Re: quarantine and release banned file types
Posted: 22 Jun 2016 13:12
by ovizii
Thanks.
The only thing I can add is:
a) After making my changes I only did a /etc/init.d/Mailscanner reload, not a restart.
b) It seems that when I release an email with banned content to an alternate recipient, even though I still type in the exact same original recipient, it works (it is released without being filtered again).
Re: quarantine and release banned file types
Posted: 24 Aug 2017 12:09
by rongten
Hello,
Not to beat a dead horse, but recently I started to have the same issue: a released email with bad content (i.e. fine.name.pdf) would be blocked again. I think I did not change anything in the settings; maybe an automatic update to 3.0.2.2 or 3.0.2.3?
Changing Scan Messages in Mailscanner.conf from yes to %rules-dir%/content.scanning.rules (a file that already existed, not created by me), followed by a reload of MailScanner, seems to have fixed the issue, at least for now.