All I want to do is block zip files


#1

Why is it so hard to find a package that will reliably do so?

This claims to be a zip file, it actually contains malware, as analyzed by virustotal and a local av package.
NS has been set to block Executables and Archives, Antivirus is turned on. At one time this install did block zip files.

Sep 2 05:30:19 server9b amavis[2402]: (02402-18) Passed CLEAN {RelayedInbound}, [194.250.240.99]:53778 [24.164.142.172] bfortson@ginnchevy.com -> email@email.com, Message-ID: 1992822.48681441197018969.JavaMail.root@gateway.domain.local, mail_id: onSERivXRXHk, Hits: -, size: 27329, queued_as: 08EA7E0F26, 10336 ms

https://www.virustotal.com/en/file/6947f11ad383a3a88096914081e542e1197b603b09899abbf91649a19b3b4ef2/analysis/1441211524/

I never could get Zentyal to reliably block zips and now, it seems, neither will Nethserver.
Is there something I’m not understanding here?


#2

Hi,

You must install the proxy and the web content filter module.

In the web content filter, in the general tab ( the default one) you find the “List of blocked file extension”


#3

What?
Are you serious?
Then what the hell is all this?

Aug  2 06:06:38 server9b amavis[25341]: starting. /usr/sbin/amavisd at server9b.domain.local amavisd-new-2.9.1 (20140627), Unicode aware, LANG="en_US.UTF-8"

Aug 2 06:06:39 server9b amavis[25342]: Net::Server: Group Not Defined. Defaulting to EGID '494 493 494'
Aug 2 06:06:39 server9b amavis[25342]: Net::Server: User Not Defined. Defaulting to EUID '494'
Aug 2 06:06:39 server9b amavis[25342]: Module Amavis::Conf 2.321
Aug 2 06:06:39 server9b amavis[25342]: Module Archive::Zip 1.30
Aug 2 06:06:39 server9b amavis[25342]: Module Compress::Raw::Zlib 2.021
Aug 2 06:06:39 server9b amavis[25342]: Module Compress::Zlib 2.021
Aug 2 06:06:39 server9b amavis[25342]: Module Crypt::OpenSSL::RSA 0.25
Aug 2 06:06:39 server9b amavis[25342]: Module DB_File 1.82
Aug 2 06:06:39 server9b amavis[25342]: Module Digest::MD5 2.39
Aug 2 06:06:39 server9b amavis[25342]: Module Digest::SHA 5.47
Aug 2 06:06:39 server9b amavis[25342]: Module Encode 2.35
Aug 2 06:06:39 server9b amavis[25342]: Module File::Temp 0.22
Aug 2 06:06:39 server9b amavis[25342]: Module IO::Socket::INET6 2.56
Aug 2 06:06:39 server9b amavis[25342]: Module MIME::Entity 5.427
Aug 2 06:06:39 server9b amavis[25342]: Module MIME::Parser 5.427
Aug 2 06:06:39 server9b amavis[25342]: Module MIME::Tools 5.427
Aug 2 06:06:39 server9b amavis[25342]: Module Mail::DKIM::Verifier 0.37
Aug 2 06:06:39 server9b amavis[25342]: Module Mail::Header 2.04
Aug 2 06:06:39 server9b amavis[25342]: Module Mail::Internet 2.04
Aug 2 06:06:39 server9b amavis[25342]: Module Mail::SPF v2.008
Aug 2 06:06:39 server9b amavis[25342]: Module Mail::SpamAssassin 3.003001
Aug 2 06:06:39 server9b amavis[25342]: Module Net::DNS 0.65
Aug 2 06:06:39 server9b amavis[25342]: Module Net::Server 0.99
Aug 2 06:06:39 server9b amavis[25342]: Module NetAddr::IP 4.027
Aug 2 06:06:39 server9b amavis[25342]: Module Razor2::Client::Version 2.84
Aug 2 06:06:39 server9b amavis[25342]: Module Scalar::Util 1.21
Aug 2 06:06:39 server9b amavis[25342]: Module Socket 1.82
Aug 2 06:06:39 server9b amavis[25342]: Module Socket6 0.23
Aug 2 06:06:39 server9b amavis[25342]: Module Time::HiRes 1.9721
Aug 2 06:06:39 server9b amavis[25342]: Module URI 1.40
Aug 2 06:06:39 server9b amavis[25342]: Module Unix::Syslog 1.1
Aug 2 06:06:39 server9b amavis[25342]: Amavis::ZMQ code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Amavis::DB code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: SQL base code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: SQL::Log code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: SQL::Quarantine NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Lookup::SQL code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Lookup::LDAP code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: AM.PDP-in proto code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: SMTP-in proto code loaded
Aug 2 06:06:39 server9b amavis[25342]: Courier proto code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: SMTP-out proto code loaded
Aug 2 06:06:39 server9b amavis[25342]: Pipe-out proto code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: BSMTP-out proto code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Local-out proto code loaded
Aug 2 06:06:39 server9b amavis[25342]: OS_Fingerprint code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: ANTI-VIRUS code loaded
Aug 2 06:06:39 server9b amavis[25342]: ANTI-SPAM code loaded
Aug 2 06:06:39 server9b amavis[25342]: ANTI-SPAM-EXT code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: ANTI-SPAM-C code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: ANTI-SPAM-SA code loaded
Aug 2 06:06:39 server9b amavis[25342]: Unpackers code loaded
Aug 2 06:06:39 server9b amavis[25342]: DKIM code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Tools code NOT loaded
Aug 2 06:06:39 server9b amavis[25342]: Found $file at /usr/bin/file
Aug 2 06:06:39 server9b amavis[25342]: Found $altermime at /usr/bin/altermime
Aug 2 06:06:39 server9b amavis[25342]: Internal decoder for .mail
Aug 2 06:06:39 server9b amavis[25342]: Internal decoder for .asc
Aug 2 06:06:39 server9b amavis[25342]: Internal decoder for .uue
Aug 2 06:06:39 server9b amavis[25342]: Internal decoder for .hqx
Aug 2 06:06:39 server9b amavis[25342]: Internal decoder for .ync
Aug 2 06:06:39 server9b amavis[25342]: Found decoder for .F at /usr/bin/unfreeze
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .Z at /usr/bin/gzip -d
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .gz at /usr/bin/gzip -d
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .lzo at /usr/bin/lzop -d
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .rpm at /usr/bin/rpm2cpio
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .cpio at /usr/bin/pax
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .tar at /usr/bin/pax
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .deb at /usr/bin/ar
Aug 2 06:06:40 server9b amavis[25342]: Internal decoder for .zip
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .7z at /usr/bin/7za
Aug 2 06:06:40 server9b amavis[25342]: No ext program for .rar, tried: rar, unrar
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .arj at /usr/bin/arj
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .arc at /usr/bin/nomarch
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .zoo at /usr/bin/unzoo
Aug 2 06:06:40 server9b amavis[25342]: No ext program for .lha, tried: lha
Aug 2 06:06:40 server9b amavis[25342]: No ext program for .doc, tried: ripole
Aug 2 06:06:40 server9b amavis[25342]: Found decoder for .cab at /usr/bin/cabextract
Aug 2 06:06:40 server9b amavis[25342]: No ext program for .tnef, tried: tnef
Aug 2 06:06:40 server9b amavis[25342]: Internal decoder for .tnef
Aug 2 06:06:40 server9b amavis[25342]: No ext program for .exe, tried: rar, unrar
Aug 2 06:06:40 server9b amavis[25342]: No decoder for .doc
Aug 2 06:06:40 server9b amavis[25342]: No decoder for .exe
Aug 2 06:06:40 server9b amavis[25342]: No decoder for .lha
Aug 2 06:06:40 server9b amavis[25342]: No decoder for .rar
Aug 2 06:06:40 server9b amavis[25342]: Using primary internal av scanner code for ClamAV-clamd
Aug 2 07:09:19 server9b queue/smtpd[25512]: connect from localhost[127.0.0.1]


(Filippo Carletti) #4

config show amavisd

I have:

BlockAttachmentClassList=Exec
BlockAttachmentCustomList=pif,zip

Both exe and zip file are blocked.
See my /var/log/maillog, I think this is the same file you received that was blocked here:

Sep  2 12:19:56 nethservice amavis[15496]: (15496-17) p.path BANNED:1 filippo.carletti@nethesis.it: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/x-zip-compressed,T=zip,N=orderAbshire Lodge.zip | P=p004,L=1/2/1,T=exe,T=exe-ms,N=orderSophia Pine.exe", matching_key="(?-xism:(?mix-s:(?#CLASS Exec) ^ (.*\t)? (T=|N=([^\134.]+\134.)+)(exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf) (\t.*)? $))"

If you show us more of your config, we could find the mistake.


#5

amavisd=service
AdminNotificationStatus=disabled
AvailableDecoders=mail,asc,uue,hqx,ync,F,Z,gz,bz2,lzo,rpm,cpio,tar,deb,zip,7z,rar,arj,arc,zoo,lha,doc,cab,tnef,exe
BlockAttachmentClassList=Exec,Arch
BlockAttachmentCustomList=doc,odt
BlockAttachmentCustomStatus=disabled
BlockAttachmentStatus=enabled
EnabledDecoders=mail,asc,uue,hqx,ync,F,Z,gz,bz2,lzo,rpm,cpio,tar,deb,zip,7z,rar,arj,arc,zoo,lha,doc,cab,tnef,exe
MaxProcesses=4
RecipientWhiteList=
SenderBlackList=
SenderWhiteList=
SpamCheckStatus=disabled
SpamDsnLevel=20
SpamKillLevel=15.0
SpamSubjectPrefixStatus=disabled
SpamSubjectPrefixString=SPAM
SpamTag2Level=5.0
SpamTagLevel=2.0
TCPPorts=
VirusCheckStatus=enabled
status=enabled


#6

Where is the attached list used by Archives? I thought I remembered seeing it somewhere in the forums or documentation a while back but now when I look through the admin and dev docs I don’t see where the file location is.

Also @filippo_carletti is it necessary, as @Jim stated, to have proxy and web content filter installed?


(Gabriel GHEORGHIU) #7

Hello,

I think you want to block attachments from e-mails.
To do that, you must enable “Archives” in Email -> Filter.


#8

That is selected and has been from day one; you can also see that it is selected in my previous post of the amavisd config.


(Filippo Carletti) #9

My config is similar, both should block exe inside zip files.
Can you find the maillog line where the mail has been received and analyzed?

The web proxy is not related to email filter.
An exe inside a zip is blocked as an exe, so there’s no need to enable archive block (but it doesn’t hurt).
The idea is: I do NOT want exe through emails, so amavisd tries to detect exe in every possible way, inside zip, inside rar etc.
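The BANNED line Filippo posted in #4 and his explanation above (an exe inside a zip is caught as an exe; the Arch class only matters when the archive itself is all amavisd can see) can be reproduced with the pattern amavisd logged. This is an added example, not NethServer's or amavisd's own code: the Exec pattern is de-escaped from the logged matching_key, while the Arch pattern, the tab-joined per-part strings and the `part_lines`/`banned_matches` helpers are assumptions of this example.

```python
import re

# Exec class pattern, de-escaped from the matching_key amavisd logged in the BANNED line:
# "\134" in the log is amavisd's octal escaping of a backslash, so "[^\134.]+\134." is "[^.]+\.".
EXEC_RE = re.compile(r"""
    ^ (.*\t)?                                   # earlier tab-separated attributes
    (T=|N=([^.]+\.)+)                           # the detected type, or a filename up to its last dot
    (exe|exe-ms|vb[es]?|ws[cfh]|ms[cipt]|pif|scr|sct|bat|cmd|com|cpl|dll|jse?|inf)
    (\t.*)? $                                   # later attributes
""", re.IGNORECASE | re.VERBOSE)

# Assumed "Arch" class pattern, built the same way from the archive decoders listed in the
# startup log; NethServer's real Arch pattern is not shown in the thread.
ARCH_RE = re.compile(r"""
    ^ (.*\t)? (T=|N=([^.]+\.)+)
    (zip|7z|rar|arj|arc|zoo|lha|cab|gz|bz2|Z|tar|cpio)
    (\t.*)? $
""", re.IGNORECASE | re.VERBOSE)

CLASSES = {"Exec": EXEC_RE, "Arch": ARCH_RE}

# Constructed from Filippo's BANNED line. amavisd logs the parts joined by " | " with
# comma-separated attributes; the patterns above expect one tab-separated line per part.
BANNED_PPATH = ('P=p003,L=1,M=multipart/mixed | '
                'P=p002,L=1/2,M=application/x-zip-compressed,T=zip,N=orderAbshire Lodge.zip | '
                'P=p004,L=1/2/1,T=exe,T=exe-ms,N=orderSophia Pine.exe')


def part_lines(ppath):
    """Turn the logged p.path string into the tab-separated per-part strings amavisd matches."""
    # split only on commas that start a new attribute, so commas inside N= names survive
    return ["\t".join(re.split(r",(?=[PLMTN]=)", part)) for part in ppath.split(" | ")]


def banned_matches(ppath, enabled_classes):
    """Return {part_id: [class, ...]} for every part hit by an enabled class (amavisd's BANNED:1)."""
    hits = {}
    for line in part_lines(ppath):
        part_id = re.match(r"P=([^\t]+)", line).group(1)
        matched = [name for name in enabled_classes if CLASSES[name].search(line)]
        if matched:
            hits[part_id] = matched
    return hits


if __name__ == "__main__":
    # With the thread's config (Exec,Arch) both the container and the inner exe are hit;
    # with Exec alone only the inner exe is, so an archive amavisd cannot open would pass.
    print(banned_matches(BANNED_PPATH, ["Exec", "Arch"]))
    print(banned_matches(BANNED_PPATH, ["Exec"]))
```

A "Passed CLEAN" line like the one in the first post means none of these patterns matched any part amavisd saw, so the first thing to compare is which parts (and which T= and N= values) amavisd actually listed for that message.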


#10

Isn’t that the line I posted in the original post?


(Filippo Carletti) #11

Oops, sorry. I’m experimenting with amavisd logging levels and I have more details in my logs.
Could you save the email in eml format, zip it protecting with a password and send it to me?


#12

Sep 2 05:30:07 server9b transfer/smtpd[5618]: connect from c2faf063.fsp.oleane.fr[194.250.240.99]
Sep 2 05:30:08 server9b transfer/smtpd[5618]: NOQUEUE: client=c2faf063.fsp.oleane.fr[194.250.240.99]
Sep 2 05:30:19 server9b queue/smtpd[5623]: connect from localhost[127.0.0.1]
Sep 2 05:30:19 server9b queue/smtpd[5623]: 08EA7E0F26: client=localhost[127.0.0.1], orig_client=c2faf063.fsp.oleane.fr[194.250.240.99]
Sep 2 05:30:19 server9b postfix/cleanup[5624]: 08EA7E0F26: message-id=1992822.48681441197018969.JavaMail.root@gateway.domain.local
Sep 2 05:30:19 server9b postfix/qmgr[19484]: 08EA7E0F26: from=bfortson@ginnchevy.com, size=27782, nrcpt=1 (queue active)
Sep 2 05:30:19 server9b queue/smtpd[5623]: disconnect from localhost[127.0.0.1]
Sep 2 05:30:19 server9b amavis[2402]: (02402-18) Passed CLEAN {RelayedInbound}, [194.250.240.99]:53778 [24.164.142.172] bfortson@ginnchevy.com -> email@email.com, Message-ID: 1992822.48681441197018969.JavaMail.root@gateway.domain.local, mail_id: onSERivXRXHk, Hits: -, size: 27329, queued_as: 08EA7E0F26, 10336 ms
Sep 2 05:30:19 server9b transfer/smtpd[5618]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 08EA7E0F26; from=bfortson@ginnchevy.com to=email@email.com proto=ESMTP helo=<ginnchevy.com>
Sep 2 05:30:19 server9b dovecot: lmtp(5641): Connect from local
Sep 2 05:30:19 server9b dovecot: lmtp(5641, jim): ETCzA9vr5lUJFgAAYcTBPg: sieve: msgid=1992822.48681441197018969.JavaMail.root@gateway.domain.local: stored mail into mailbox 'INBOX'
Sep 2 05:30:19 server9b delivery/lmtp[5626]: 08EA7E0F26: to=email@server9b.email.com, orig_to=email@email.com, relay=server9b.email.com[/var/run/dovecot/lmtp], delay=0.09, delays=0.01/0/0.01/0.07, dsn=2.0.0, status=sent (250 2.0.0 email@server9b.email.com ETCzA9vr5lUJFgAAYcTBPg Saved)
Sep 2 05:30:19 server9b dovecot: lmtp(5641): Disconnect from local: Client quit (in reset)
Sep 2 05:30:19 server9b postfix/qmgr[19484]: 08EA7E0F26: removed
Sep 2 05:30:19 server9b transfer/smtpd[5618]: disconnect from c2faf063.fsp.oleane.fr[194.250.240.99]


#13

Well, it was a zero day, but now it isn’t, and I’ve completely lost control of it in the network because the gateway av and the clients are now blocking it at every turn.
Unfortunately, I’ve already spent a few hours this morning researching and digging around about this email and I just can’t spend any more time on it today. I have to address other outstanding issues; I’ll have to address this failure to block zip files another time.
This is just too frustrating.


(Artem Fedai) #14

Please clarify what you want to achieve. Not to block ZIP? Or mark it as SPAM?


#15

The title of the thread isn’t clear?


#16

This was passed through the gateway’s av, marked as spam by the gateway, accepted and filed away by NS, then filtered to junk by a filtering email client.

https://www.virustotal.com/en/file/6947f11ad383a3a88096914081e542e1197b603b09899abbf91649a19b3b4ef2/analysis/1441216584/

It is now, after about 5 hours, being classified as a trojan and is now being blocked by the av component of the gateway.


(Alessio Fattorini) #17

You have four people who are trying to help you, so please be polite and respectful :wink:


#18

Ummmmmm…

ok.


#19

I try to post enough detail to make the issue clear without being overwhelming, but I have to repeat it again and again because no one has time to read what I originally posted.
I get conflicting ‘advice’.

And I will point out that almost every post I’ve read by Nas is… I will say brusque, and he’s asking me what the very title of the post says.

… and here you are, criticizing my manners.

I really don’t belong here.

I will offer my sincere Thanks to @filippo_carletti though.


(Artem Fedai) #20

One sec, I should have dinner :slight_smile:
I'll write you a Custom Template.