>So, I guess the request is to add something to analyze for each file to 
say:
FILE: whatever.ext would be stripped 
>or
FILE: whatever.ext would be allowed



This is the same like for every check made by the analyzer. The analyzer 
is unable to "know", if a mail would be blocked or not - it only knows 
current matching results. If a mail is in real processing, checks and 
their results depends on other checks and internal flags. The analyzer 
makes checks independend from other results or flags.

Thomas



Von:    "K Post" <nntp.p...@gmail.com>
An:     "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Datum:  11.01.2019 18:26
Betreff:        [Assp-test] UserAttach Revisited



Templating in UserAttach is great.  Allows for the granular settings that 
we (unfortunately) require, with a simplicity of management

2 requests:
1) Review this UserAttach config to confirm there's no blaring errors or 
recommendations
2) Change analyze report to better indicate if a file will be stripped or 
allowed

My current UserAttach configuration:

# Template for all of our bad extensions, allow harmless MSOLE
~TmplStdBlockExts => 
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk

# RULE that blocks bad extensions, based on the template
~~RuleStdBlocks => block ~TmplStdBlockExts

# all users by default have the StdBlockRuleApplied
# this would be overridden by a longer user part of the definition
# longest userpart wins.  NO inheritance
*@*=> ~~RuleStdBlocks

# scan compressed files too, same template except --bin to allow newer 
Office files which include bin files
zip:*@* => block => ~TmplStdBlockExts|--bin

# Some users allowed to get office macros no matter who they're from
except...@ourcharity.org => block => ~TmplStdBlockExts|:MSOM    

# Allow some from outside orgs to send office macros to anyone
*@External.org => block => ~TmplStdBlockExts|:MSOM    

# Allow some to send PDF's with javascript in them
*@OtherExternal.org => block => ~TmplStdBlockExts|:JSPDF

# Some alert only emails are unfiltered
ale...@ourcharity.org => good => .*

Analyze:
I sent 2 test inbound emails from an external domain, both with an office 
macro XLS file.  One was to except...@ourcharity.org the other to 
noexcept...@ourcharity.org.  This worked as expected (yay!), the file was 
stripped from NoException@ and it did come through to Exception@ as I had 
hoped.

In analyze however, it's not clear that this is the case:

analyze of a mail to a regular address where the file was stripped:
• attachment WithMacro.xls is or contains an executable - MS Office Macro 
(see UserAttach)  [[ YUP, and it was blocked ]]
• ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => block => 
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
 
(see UserAttach)
• ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' 
rule found for compressed attachments (see UserAttach)
• extension : WithMacro.xls passed UserAttach [[Yes, but it was blocked 
because MSOM was detected ]]
• t...@outsidedomain.com -> noexcept...@ourcharity.org => block => 
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
• t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule 
found
Could we change Analyze to show that the attachment will be stripped.  The 
extension passed, but the macro makes it fail.

analyze of the email with the matching exception:
• attachment WithMacro.xls is or contains an executable - MS Office Macro 
(see UserAttach) [ yes, but allowed due to the MSOM exception for this 
user]
• ZIP: t...@outsidedomain.com -> except...@ourcharity.org => block => 
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
 
(see UserAttach)
• ZIP: t...@outsidedomain.com -> except...@ourcharity.org => no 'good' 
rule found for compressed attachments (see UserAttach)
• extension : WithMacro.xls passed UserAttach 
• t...@outsidedomain.com -> except...@ourcharity.org => block => 
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|
:MSOM     
• t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule 
found
No easily discernible difference from the analyze report that shows the 
same file being blocked unless you happen to catch the MSOM exception at 
the end of the consolidated rule (bold added for emphasis)

So, I guess the request is to add something to analyze for each file to 
say:
FILE: whatever.ext would be stripped 
or
FILE: whatever.ext would be allowed
That would make testing changes to UserAttach much easier by analyzing 
previous messages.


          _______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Reply via email to