Mail with javascript in an html file to alert1@ourcharity is still having the
attachment stripped:
[spam found] bad attachment 'Weekly Summary Repor.html' cause: 'Java script
- possibly (ransomware) virus'

Shouldn't the line

ale...@ourcharity.org => good => .*

allow anything through?

For reference, the UserAttach I'm using:

# Template for all of our bad extensions, allow harmless MSOLE
~TmplStdBlockExts => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk

# RULE that blocks bad extensions, based on the template
~~RuleStdBlocks => block ~TmplStdBlockExts

# all users by default have the StdBlockRuleApplied
# this would be overridden by a longer user part of the definition
# longest userpart wins.  NO inheritance
*@*=> ~~RuleStdBlocks

# scan compressed files too, same template except --bin to allow newer
# Office files which include bin files
zip:*@* => block => ~TmplStdBlockExts|--bin

# Some users allowed to get office macros no matter who they're from
except...@ourcharity.org => block => ~TmplStdBlockExts|:MSOM

# Allow some from outside orgs to send office macros to anyone
*@External.org => block => ~TmplStdBlockExts|:MSOM

# Allow some to send PDF's with javascript in them
*@OtherExternal.org => block => ~TmplStdBlockExts|:JSPDF

# Some alert only emails are unfiltered
ale...@ourcharity.org => good => .*

On Sat, Jan 12, 2019 at 1:49 PM K Post <nntp.p...@gmail.com> wrote:

> Analyzer knows if the extension matches the UserAttach, could it also see
> if the file type based on detection would match UserAttach (including the
> :MSOM type of exceptions)?
>
> Does my UserAttach example seem logical to you?
>
> thanks
>
> On Sat, Jan 12, 2019 at 3:15 AM Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
>> >*So, I guess the request is to add something to analyze for each file
>> to say:*
>> FILE: whatever.ext would be stripped
>> >or
>> FILE: whatever.ext would be allowed
>>
>>
>>
>> This is the same as for every check made by the analyzer. The analyzer
>> is unable to "know" if a mail would be blocked or not - it only knows the
>> current matching results. If a mail is in real processing, checks and their
>> results depend on other checks and internal flags. The analyzer makes
>> checks independent from other results or flags.
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <
>> assp-test@lists.sourceforge.net>
>> Date:        11.01.2019 18:26
>> Subject:        [Assp-test] UserAttach Revisited
>> ------------------------------
>>
>>
>>
>> Templating in UserAttach is great.  It allows for the granular settings that
>> we (unfortunately) require, with a simplicity of management.
>>
>> 2 requests:
>> 1) Review this UserAttach config to confirm there are no glaring errors or
>> recommendations
>> 2) Change analyze report to better indicate if a file will be stripped or
>> allowed
>>
>> My current UserAttach configuration:
>>
>> # Template for all of our bad extensions, allow harmless MSOLE
>> ~TmplStdBlockExts => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
>>
>> # RULE that blocks bad extensions, based on the template
>> ~~RuleStdBlocks => block ~TmplStdBlockExts
>>
>> # all users by default have the StdBlockRuleApplied
>> # this would be overridden by a longer user part of the definition
>> # longest userpart wins.  NO inheritance
>> *@*=> ~~RuleStdBlocks
>>
>> # scan compressed files too, same template except --bin to allow newer
>> # Office files which include bin files
>> zip:*@* => block => ~TmplStdBlockExts|--bin
>>
>> # Some users allowed to get office macros no matter who they're from
>> except...@ourcharity.org => block => ~TmplStdBlockExts|:MSOM
>>
>> # Allow some from outside orgs to send office macros to anyone
>> *@External.org => block => ~TmplStdBlockExts|:MSOM
>>
>> # Allow some to send PDF's with javascript in them
>> *@OtherExternal.org => block => ~TmplStdBlockExts|:JSPDF
>>
>> # Some alert only emails are unfiltered
>> ale...@ourcharity.org => good => .*
>>
>> Analyze:
>> I sent 2 test inbound emails from an external domain, both with an office
>> macro XLS file.  One was to except...@ourcharity.org the other to
>> noexcept...@ourcharity.org.  *This worked as expected* (yay!), the file
>> was stripped from NoException@ and it did come through to Exception@ as
>> I had hoped.
>>
>> In analyze however, it's not clear that this is the case:
>>
>> analyze of a mail to a regular address where the file was stripped:
>> • attachment WithMacro.xls is or contains an executable - MS Office Macro
>> (see UserAttach) *[[ YUP, and it was blocked ]]*
>> • ZIP: t...@outsidedomain.com -> *NoException*@OurCharity.org => block
>> =>
>> exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
>> (see UserAttach)
>> • ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good'
>> rule found for compressed attachments (see UserAttach)
>> • extension : WithMacro.xls passed UserAttach *[[Yes, but it was blocked
>> because MSOM was detected ]]*
>> • t...@outsidedomain.com -> noexcept...@ourcharity.org => block =>
>> exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
>> • t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule
>> found
>> *Could we change Analyze to show that the attachment will be stripped.
>> The extension passed, but the macro makes it fail.*
>>
>> analyze of the email with the matching exception:
>> • attachment WithMacro.xls is or contains an executable - MS Office Macro
>> (see UserAttach) *[ yes, but allowed due to the MSOM exception for this
>> user]*
>> • ZIP: t...@outsidedomain.com -> except...@ourcharity.org => block =>
>> exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
>> (see UserAttach)
>> • ZIP: t...@outsidedomain.com -> except...@ourcharity.org => no 'good'
>> rule found for compressed attachments (see UserAttach)
>> • extension : WithMacro.xls passed UserAttach
>> • t...@outsidedomain.com -> except...@ourcharity.org => block =>
>> exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|*:MSOM*
>> • t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule
>> found
>> No easily discernible difference from the analyze report that shows the
>> same file being blocked unless you happen to catch the MSOM exception at
>> the end of the consolidated rule (bold added for emphasis)
>>
>> *So, I guess the request is to add something to analyze for each file to
>> say:*
>> FILE: whatever.ext would be stripped
>> or
>> FILE: whatever.ext would be allowed
>> That would make testing changes to UserAttach much easier by analyzing
>> previous messages.
>>
>>
>>           _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>
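As an added example (not code from the thread or from ASSP itself), here is a small Python model of the UserAttach behaviour the configs above rely on, written from the comments in the config: "longest userpart wins, NO inheritance", template and rule references, "--bin" removing an extension, and ":MSOM" style tokens acting as allow-exceptions for a detected content type. It reproduces the two WithMacro.xls analyze cases from the thread; the config and the addresses (exception@, noexception@, alert@ourcharity.org) are constructed stand-ins for the elided ones on the page, only recipient matching is modelled, and ASSP's own content scanners (such as the 'Java script' cause in the first message) are out of scope.

```python
# Added teaching model (not ASSP's own code) of the UserAttach semantics this thread describes:
# ~Template expansion, ~~Rule references, "longest userpart wins, NO inheritance", "--ext"
# removal, and ":TYPE" tokens as allow-exceptions for a detected content type. Recipient
# matching only; content scanners are not modelled. CONFIG and its addresses are constructed.
import fnmatch
import re
CONFIG = r"""~TmplStdBlockExts => exe\-bin|:HLMSOLE|dot|dotx|xlt|bin|dll|hta|js|jse|vbs|xlsm|docm
~~RuleStdBlocks => block ~TmplStdBlockExts
*@* => ~~RuleStdBlocks
zip:*@* => block => ~TmplStdBlockExts|--bin
exception@ourcharity.org => block => ~TmplStdBlockExts|:MSOM
alert@ourcharity.org => good => .*"""

def parse(cfg):  # -> (templates, entries); an entry is (scope, address_pattern, action, list)
    templates, rules, entries = {}, {}, []
    for line in cfg.splitlines():
        left, *rest = [p.strip() for p in line.split("=>")]
        if left.startswith("~~"):                 # rule: "~~Name => action list"
            rules[left] = rest[0].split(None, 1)
        elif left.startswith("~"):                # template: "~Name => list"
            templates[left] = rest[0]
        else:                                     # entry, with optional "zip:" scope
            scope, _, addr = left.rpartition(":")
            action, lst = rules[rest[0]] if rest[0].startswith("~~") else rest[:2]
            entries.append((scope, addr, action, lst))
    return templates, entries

def expand(lst, templates):  # expand ~Template refs, apply --ext removals, split :TYPE exceptions
    tokens = []
    for tok in lst.split("|"):
        tokens += templates[tok].split("|") if tok.startswith("~") else [tok]
    removed = {t[2:] for t in tokens if t.startswith("--")}
    exts = [t for t in tokens if not t.startswith(("--", ":")) and t not in removed]
    return exts, {t[1:] for t in tokens if t.startswith(":")}

def select_entry(entries, recipient, scope=""):  # longest userpart wins; *@* guarantees a hit
    hits = [e for e in entries if e[0] == scope and fnmatch.fnmatchcase(recipient.lower(), e[1].lower())]
    return max(hits, key=lambda e: len(e[1].split("@")[0]))

def decide(recipient, filename, detected_types=(), scope="", cfg=CONFIG):
    templates, entries = parse(cfg)
    _, _, action, lst = select_entry(entries, recipient, scope)   # no inheritance: one entry only
    exts, allowed_types = expand(lst, templates)
    ext_hit = re.fullmatch("|".join(exts), filename.rsplit(".", 1)[-1], re.I) is not None
    if action == "good":
        return "allowed" if ext_hit else "no 'good' rule found"
    if ext_hit:
        return "stripped (extension)"
    bad = [t for t in detected_types if t not in allowed_types]   # detected types lacking a :TYPE
    return f"stripped ({bad[0]})" if bad else "allowed"
```

The decide() verdict strings are what the thread asks analyze to print per file ("would be stripped" / "would be allowed"), with the deciding reason attached.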
