Re: [Exim-users] mime_decoded_filename

2016-12-22 Dmitry Gribanov
Thank you very much. I was dealing with exactly the same thing just yesterday, and I also found your old notes about e-mail notification for such messages.


P7ZIP = /usr/local/bin/7z
WINBIN=ace|ade|adp|bas|bat|btm|chm|cmd|com|cpl|dat|dll|exe|flv|gadget|gz|hta|ins|iso|isp|jar|js|jse|jsp|lib|lnk|mde|msc|msp|mst|msi|ocx|pif|prf|reg|scr|sct|shb|sys|tar|uue|vb|vbe|vxd|vbs|wsc|wsf|wsh|xz|z
COMPREXT=7z|ace|arj|bz2|gz|iso|rar|tar|uue|xz|z|zip
check_rfc2047_length = false
hostlist host_pass_file=192.168.0.252

deny message = "expansion of the attached file [ $mime_filename ] is not allowed to send!). Please tell me"
   log_message = forbidden attachment: filename=$mime_filename, \
                 content-type=$mime_content_type, recipients=$recipients
   !hosts = +host_pass_file
   condition = ${if or{\
                 {match{$mime_content_type}{(?i)executable|application/x-ace-compressed}}\
                 {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
               }}
   continue = ${if eq{${run{/bin/sh -c "\N{\N \
                 echo Subject: 'MailScan: Mail delivery failed';\
                 echo 'Content-Type: text/plain; charset=koi8-r';\
                 echo Content-Transfer-Encoding: 8bit;\
                 echo;\
                 echo '${sg{\
                 Письмо от $sender_address для $recipients\n\
                 с темой \n\
                 $h_subject \n\
                 sender_host_address=$sender_host_address \n\
                 размером ${eval:$message_size/1024} килобайт\n\
                 не доставлено, потому что имеет запрещенное вложение\n\
                 filename >> $mime_filename <<\
                 }{'}{}}';\
                 \N}\N \
                 |/usr/local/sbin/exim -f mailnull r...@domain.ruru \
                 ${sg{${filter{<,r...@domain.ruru}{!match{$item}{\N(^-|[^\w.=+%!@-])\N{,}{ }};\
                 "}}}{}{1}{1}}

deny message = "A attachment contains a Windows-executable file - letter mail is stopped."
   condition = ${if or{\
                 {match{$mime_content_type}{(?i)application/(octet-stream|x(-zip)?-compressed|zip)}}\
                 {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
               }}
#  condition = ${if <{$message_size}{1500K}}
   !hosts = +host_pass_file
   decode = default
   log_message = forbidden binary in attachment: filename=$mime_filename, \
                 recipients=$recipients
   condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                 {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}
   continue = ${if eq{${run{/bin/sh -c "\N{\N \
                 echo Subject: 'MailScan: Mail delivery failed';\
                 echo 'Content-Type: text/plain; charset=koi8-r';\
                 echo Content-Transfer-Encoding: 8bit;\
                 echo;\
                 echo '${sg{Письмо от $sender_address для $recipients\n\
                 с темой \n\
                 $h_subject \n\
                 sender_host_address=$sender_host_address \n\
                 размером ${eval:$message_size/1024} килобайт\n\
                 не доставлено, потому что имеет запрещенное вложение в архиве\n\
                 filename >> $mime_filename <<\
                 }{'}{}}'; \N}\N\
                 |/usr/local/sbin/exim -f mailnull r...@domain.ruru \
                 ${sg{${filter{<,r...@domain.ruru}{!match{$item}{\N(^-|[^\w.=+%!@-])\N{,}{ }};\
                 /usr/local/bin/7z l $mime_decoded_filename | /usr/bin/mail -s 'MailScan: Attachment for $recipients' root \
                 "}}}{}{1}{1}}

accept
___
Exim-users mailing list
Exim-users@mailground.net
http://mailground.net/mailman/listinfo/exim-users
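The same two checks from the ACLs above, run offline over a message, as an added example written for this thread (not Gribanov's or Lena's configuration): the filename test is the ACL's `\.(WINBIN)(\.(COMPREXT))?$` regex, and the archive test replaces `7z l` with Python's zipfile, so it only looks inside zip attachments; the extension lists are the thread's macros and the sample message is constructed.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extension lists taken from the thread's macros (the shorter WINBIN set).
WINBIN = r"exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z"
# First ACL: executable extension, optionally followed by one archive extension.
RE_WINBIN = re.compile(rf"(?i)\.({WINBIN})(\.({COMPREXT}))?$")
# Second ACL: archive attachment whose member list holds a forbidden name.
RE_ARCHIVE = re.compile(rf"(?i)\.({COMPREXT})$")
RE_MEMBER = re.compile(rf"(?i)\.({COMPREXT}|{WINBIN})$")

def archive_members(data: bytes) -> list:
    """Stand-in for `7z l`: zip members only; anything else yields no names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def forbidden_parts(raw: bytes) -> list:
    """Return (attachment name, reason) for every part the two ACLs would deny."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        if RE_WINBIN.search(name):
            hits.append((name, "executable attachment"))
        elif RE_ARCHIVE.search(name):
            payload = part.get_payload(decode=True) or b""
            bad = [m for m in archive_members(payload) if RE_MEMBER.search(m)]
            if bad:
                hits.append((name, "forbidden member " + ", ".join(bad)))
    return hits

def build_sample() -> bytes:
    """Constructed test message: a zip wrapping invoice.pdf.exe plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "test"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment("plain text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```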

On 21.12.2016 21:13, l...@lena.kiev.ua wrote:

This (possibly new) variant of the trojan is caught by changing one line in the first paragraph (not the second one, where decode is); after the change:
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
The full solution:

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
   deny message = BINFORBIDDEN
        log_message = forbidden attachment: filename=$mime_filename, \
                      content-type=$mime_content_type, recipients=$recipients
        condition = ${if or{\
                      {match{$mime_content_type}{(?i)executable|application/x-ace-compressed}}\
                      {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))?$\N}}\
                    }}

   deny message = Compressed BINFORBIDDEN
        condition = ${if or{\
                      {match{$mime_content_type}{(?i)application/(octet-stream|x(-zip)?-compressed|zip)}}\
                      {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                    }}
        condition = ${if <{$message_size}{1500K}}
        decode = default
        log_message = forbidden binary in attachment: filename=$mime_filename, \
                      recipients