Re: [Mimedefang] filter_bad_filename based on recipient
On Monday, 19.09.2016, 08:57 -0400, Dianne Skoll wrote:
> On Mon, 19 Sep 2016 14:48:16 +0200
> Marcus Schopen wrote:
>
> > is it possible to define $bad_exts in sub filter_bad_filename based on
> > domain name? I'd like to filter ".docm"-attachments, but not globally
> > for all domains on that server, just for my private domain. Seems to
> > be that $recipient is not known in sub filter_bad_filename?
>
> The sample filter is just a sample... all the information is available
> for you in various global variables and/or parameters passed to the
> various filter functions. However, you do need to be fairly comfortable
> programming in Perl to make the sort of adjustment you seek; you can start
> by reading the mimedefang-filter man page.

Thanks, I will give my very best. My MIMEDefang setup is basically very vanilla, except for md_check_against_smtp_server checks and some other small changes in mimedefang-filter.

Ciao
Marcus

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] filter_bad_filename based on recipient
Hi

> is it possible to define $bad_exts in sub filter_bad_filename based on
> domain name? I'd like to filter ".docm"-attachments, but not globally
> for all domains on that server, just for my private domain. Seems to
> be that $recipient is not known in sub filter_bad_filename?

Sure it is. You have to store the recipient domain into a file in the working directory first. I use 'Storable' to do this.

Beware, you have an array of recipients when sub filter{} is called. So if you have different settings per domain, you have to make sure you only accept one domain per connection. You can use this error code within filter_recipient to reject recipients in other domains:

return ('TEMPFAIL', "We only accept one domain at a time, please resend this domain separately", 452, '4.5.3');

452 4.5.3 is the code for 'too many recipients', causing most mail servers out there in the wild (well, all of which I know of) to immediately open a new connection and resubmit the email to the remaining recipients, causing only small delays.

use DBI;
use Digest::MD5;
use MIME::Words qw(decode_mimewords);
# $dbh is a DBI handle opened elsewhere in the filter; _vars() and _stats()
# are the poster's own helpers that load/save per-message data with Storable.

sub filter {
    my($entity, $fname, $ext, $type) = @_;
    my $vars = _vars();
    [...]
    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        _stats($vars->{rec_domain}, 'bad_filename', $vars->{imp_rcpt_count} - 1);
        action_bounce("Unsafe attachment / Verdaechtiger Anhang (exe in zip oder bekannter Anhang mit Malware)");
        return;
    }
    [...]
}

sub filter_bad_filename {
    my($entity) = @_;
    my($bad_exts, $re, $suspicious_exts);
    my $vars = _vars();

    $bad_exts = '';
    # "7z" (the original had "z7") is the archive extension
    $suspicious_exts = '(zip|exe|ini|ocx|com|msi|scr|sys|vb|vbe|vbs|cab|arj|rar|7z|bat|doc|docx|xls|xlsx)';

    # Per-domain banned extensions come from the database; the placeholder keeps
    # the recipient domain out of the SQL text.
    if (defined($vars->{imp_mxgate})) {
        my $query = "select extension from forbidden_file_extensions"
                  . " join relay_domains on relay_domains.id=forbidden_file_extensions.relay_domain_id"
                  . " where domain=?";
        my $sth = $dbh->prepare($query);
        $sth->execute($vars->{rec_domain});
        # $sth->rows is not reliable for SELECTs with most DBD drivers, so
        # fetch first and test the list afterwards.
        my @badextlist;
        while (my $badextref = $sth->fetchrow_hashref()) {
            push(@badextlist, $badextref->{'extension'});
        }
        if (@badextlist) {
            # quotemeta: a stray "." or "|" in a DB row must not change the regex
            $bad_exts = '(' . join('|', map { quotemeta } @badextlist) . ')';
            md_syslog('warning', "DEBUG: Loaded banned extensions for MX-Gate " . $vars->{rec_domain} . ": $bad_exts");
        }
    }

    # Only test when the domain actually bans something; with an empty
    # $bad_exts the pattern would degrade to '\.\.*$'.
    if ($bad_exts ne '') {
        $re = '\.' . $bad_exts . '\.*$';
        if (re_match($entity, $re)) {
            md_syslog('warning', "Attached file banned by MX-Gate settings");
            return 1;
        }
    }

    # And if you like you can compute MD5 hashes of suspicious files and compare
    # them to a database with information about an ongoing outbreak or a
    # DNS-based MD5 blacklist.
    # Yes I know Dianne will tell me that the filename could potentially not
    # be correctly found with "Content-Disposition.filename" but it works in most cases.
    $re = '\.' . $suspicious_exts . '\.*$';
    if (re_match($entity, $re)) {
        my $bh = $entity->bodyhandle();
        my $head = $entity->head;
        my $filename = $head->mime_attr("Content-Disposition.filename");
        $filename = defined($filename) ? decode_mimewords($filename) : '';
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                my $fsize = (stat $path)[7];
                open(my $fh, '<', $path) or return 0;
                binmode($fh);
                my $dnsdigest = Digest::MD5->new->addfile($fh)->hexdigest;
                close($fh);
                md_syslog('warning', "Suspicious File:$filename Size:$fsize WDir:$path MD5:$dnsdigest");
                # my $res = Net::DNS::Resolver->new;
                # my $dnsquery = $res->search("$dnsdigest.banned. DISCONTINUED .");
                # if (defined($dnsquery)) {
                #     foreach my $rr ($dnsquery->answer) {
                #         next unless $rr->type eq "A";
                #         md_syslog('warning', "Suspicious File: $path MD5 atthash blacklist hit");
                #         return 1;
                #     }
                # } else {
                #     # '!' binds tighter than '=~', so use '!~' to really exclude NXDOMAIN
                #     if ($res->errorstring !~ /NXDOMAIN/) {
                #         md_syslog('error', "MD5 atthash BLACKLIST DNS ERROR: " . $res->errorstring);
                #     }
                # }
            }
        }
    }

    # And of course you want to look into ZIP files:
    if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                md_syslog('warning', "Looking for executable file in zip file $path");
                # $bad_exts = ... (the rest of the ZIP inspection is cut off in the archived message)
            }
        }
    }
    return 0;
}
Re: [Mimedefang] filter_bad_filename based on recipient
On Mon, 19 Sep 2016 14:48:16 +0200
Marcus Schopen wrote:

> is it possible to define $bad_exts in sub filter_bad_filename based on
> domain name? I'd like to filter ".docm"-attachments, but not globally
> for all domains on that server, just for my private domain. Seems to
> be that $recipient is not known in sub filter_bad_filename?

The sample filter is just a sample... all the information is available for you in various global variables and/or parameters passed to the various filter functions. However, you do need to be fairly comfortable programming in Perl to make the sort of adjustment you seek; you can start by reading the mimedefang-filter man page.

Regards,

Dianne.
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On Monday, 19.09.2016, 08:36 -0400, Dianne Skoll wrote:
> On Mon, 19 Sep 2016 07:46:11 +0200
> Marcus Schopen wrote:
>
> > may be a little bit off topic, but is there any experience with the
> > efficiency of pyzor and clamav-unofficial-sigs [1].
>
> No comment on pyzor because I don't use it, but some of the
> clamav-unofficial-sigs are useful. We use the following data sets:
>
> phish.ndb
> rogue.hdb
> sanesecurity.ftm
> winnow_malware.hdb
> winnow_malware_links.ndb
>
> We find the others have unacceptably-high false-positive rates, and
> even the ones above occasionally get a bad signature that produces annoying
> false-positives.

Dianne and Richard, thanks for your feedback! I will give those a try.

Ciao
Marcus
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On 09/19/2016 01:48 AM, Marcus Schopen wrote:
> Did you activate all signatures or just e.g. sanesecurity sigs? I read
> activating all signatures turns clamav into an evil memory monster, while
> only activating sanesecurity sigs catches most and doesn't need that much
> resources.

I don't adjust the defaults. I don't use anything that requires signing up. I just looked into those, but they're for non-commercial use, which is why they require a sign-up.

> What about pyzor or razor integration? Do they help or just burn
> performance?

I think I tried Pyzor a long time ago and found it worthless, but I have no idea what it's like now. We have Razor enabled. Historically, that's been very effective, though I haven't actually double-checked recently.

-- 
Richard
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
Hi Richard,

On Monday, 19.09.2016, 01:23 -0500, Richard Laager wrote:
> On 09/19/2016 12:46 AM, Marcus Schopen wrote:
> > may be a little bit off topic, but is there any experience with the
> > efficiency of pyzor and clamav-unofficial-sigs
>
> We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for
> us, regardless of whether it was a virus or spam rule. We do
> differentiate them for logging and SMTP rejection messages.
>
> I can't say how much spam would have been blocked anyway by later
> processing (e.g. SpamAssassin), but we have very few (but non-zero over
> the years) false positives. And in our filter, whitelisting does not
> bypass this test; maybe it should, but that's the current setup.

Thank you for your interesting feedback. Did you activate all signatures or just e.g. sanesecurity sigs? I read activating all signatures turns clamav into an evil memory monster, while only activating sanesecurity sigs catches most and doesn't need that much resources.

What about pyzor or razor integration? Do they help or just burn performance?

Ciao
Marcus
Re: [Mimedefang] clamav-unofficial-sigs and pyzor
On 09/19/2016 12:46 AM, Marcus Schopen wrote:
> may be a little bit off topic, but is there any experience with the
> efficiency of pyzor and clamav-unofficial-sigs

We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for us, regardless of whether it was a virus or spam rule. We do differentiate them for logging and SMTP rejection messages.

I can't say how much spam would have been blocked anyway by later processing (e.g. SpamAssassin), but we have very few (but non-zero over the years) false positives. And in our filter, whitelisting does not bypass this test; maybe it should, but that's the current setup.

-- 
Richard