Re: Block "exe" in attachment.
On Thu, 14 Nov 2013 18:44:05 +0100, Benny Pedersen wrote:
> Antony Stone wrote on 2013-11-14 10:38:
>> Or MailScanner.
> or stop using a computer where exe files can be used :)
+1
Re: what is that number at the beginning of .cf files signify?
On 11/14/2013 4:04 PM, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2013-11-14 21:43:
>> I believe you want this information:
>> http://wiki.apache.org/spamassassin/RuleFilenameConventions
> .pm part is not correct, since it's entirely up to the pre files to load what is needed even with files not ending in .pm :)
> but use .pm for perl module files does not hurt either
I think we'll leave it as "have to end in .pm" and if you get it to work without doing so, more power to you ;-)
Re: what is that number at the beginning of .cf files signify?
Kevin A. McGrail wrote on 2013-11-14 21:43:
> I believe you want this information:
> http://wiki.apache.org/spamassassin/RuleFilenameConventions
.pm part is not correct, since it's entirely up to the pre files to load what is needed even with files not ending in .pm :)
but use .pm for perl module files does not hurt either
Re: what is that number at the beginning of .cf files signify?
Rob McEwen wrote on 2013-11-14 21:13:
> what is that number at the beginning of .cf files signify? Does that impact SA's actual operation? Or is that just for human organization of files (how they sort when browsing them)?
> When adding a custom-written .cf file that is made available to the public, should some kind of naming convention be followed, even if just for etiquette?
local configs would make most sense to name 99_filename.cf so all other rules are loaded before custom configs, eg if config in 99_filename.cf uses clear_something then other configs are discarded
sa is loading files in top down order based on filenames
maybe it's needed for some rules to be in zz_something.cf to be really last loaded
just remember to have pre files loadplugins and not do it in cf files
Re: what is that number at the beginning of .cf files signify?
On 11/14/2013 3:13 PM, Rob McEwen wrote:
> what is that number at the beginning of .cf files signify? Does that impact SA's actual operation? Or is that just for human organization of files (how they sort when browsing them)?
> When adding a custom-written .cf file that is made available to the public, should some kind of naming convention be followed, even if just for etiquette?
I believe you want this information:
http://wiki.apache.org/spamassassin/RuleFilenameConventions
Regards, KAM
what is that number at the beginning of .cf files signify?
what is that number at the beginning of .cf files signify? Does that impact SA's actual operation? Or is that just for human organization of files (how they sort when browsing them)?
When adding a custom-written .cf file that is made available to the public, should some kind of naming convention be followed, even if just for etiquette?
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Re: Block "exe" in attachment.
David F. Skoll wrote on 2013-11-14 18:56:
>>> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
>> and foxhole rules won't change that ?
> Possibly... haven't tested them because I already have a solution.
i like to see if it does possible also a mua used that does not put [AT] chars in body content
Re: Block "exe" in attachment.
Henrik K wrote on 2013-11-14 16:49:
> Funny that the thread is mostly anything other than SA.. ;-)
+1
> I guess I have to create a "Zipinfo" plugin for SA, had that in mind for a while..
and possible use some ideas from extracttext plugin ?
hands up if you make it
Re: Block "exe" in attachment.
On Thu, 14 Nov 2013 18:54:45 +0100 Benny Pedersen wrote:
>> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
> and foxhole rules won't change that ?
Possibly... haven't tested them because I already have a solution.
Regards, David.
Re: Block "exe" in attachment.
David F. Skoll wrote on 2013-11-14 14:57:
> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
and foxhole rules won't change that ?
stats are stats, real life is real problem :=)
Re: Block "exe" in attachment.
Kamaldeep Singh wrote on 2013-11-14 10:46:
> Thanks for information. But I have written one rule to block exe file. Like if someone sends an email with attached exe file. It won't send. It's display an error like "this attached file is blacklisted".
this is using amavisd imho if you see this
> Is there any rule we can write so that we can blacklist the zip/tar files which contains "exe" file.
foxhole rule in clamav unpack and match if there is any exe file matching this rule file, so it's not just there is a zip/tar attachment, hope i have not lost you here
you can't make this done in spamassassin entirely yet since spamassassin does not unpack
Re: Block "exe" in attachment.
Robert Schetterer wrote on 2013-11-14 10:46:
> http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html
who will show a milter-regex conf that does it ?
i just don't want postfix to be a content scanner
Re: Block "exe" in attachment.
On 11/14/2013 06:42 PM, Benny Pedersen wrote:
> Sanesecurity wrote on 2013-11-14 12:40:
> i created another one for html attachment
> i see no risk in this rule :)
> # junc.filename.cdb
> junc.filename.1:CL_TYPE_MAIL:*:.html$:*:*:*:*:*:*
> if it is, change cdb to cdu
ClamAV list is >> [there]
Re: Block "exe" in attachment.
Antony Stone wrote on 2013-11-14 10:38:
> Or MailScanner.
or stop using a computer where exe files can be used :)
Re: Block "exe" in attachment.
Sanesecurity wrote on 2013-11-14 12:40:
i created another one for html attachment
i see no risk in this rule :)
# junc.filename.cdb
junc.filename.1:CL_TYPE_MAIL:*:.html$:*:*:*:*:*:*
if it is, change cdb to cdu
Re: Block "exe" in attachment.
Kamaldeep Singh wrote on 2013-11-14 10:28:
> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
irrelevant :)
> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
http://sanesecurity.com/usage/signatures/
the foxhole rule is just for that
Re: Block "exe" in attachment.
On Thu, 14 Nov 2013, Axb wrote:
> On 11/14/2013 10:38 AM, Antony Stone wrote:
>> On Thursday 14 November 2013 at 10:32:06, Olivier Nicole wrote:
>>>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
>>> You may consider using amavisd.
>> Or MailScanner.
> or Fuglu (http://www.fuglu.org/)
or the Sanitizer: https://www.impsec.org/email-tools/procmail-security.html
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...for a nation to tax itself into prosperity is like a man standing in a bucket and trying to lift himself up by the handle. -- Winston Churchill
---
532 days since the first successful private support mission to ISS (SpaceX)
Re: Block "exe" in attachment.
David F. Skoll wrote
> In my experience, ClamAV has become completely useless as a practical way to stop viruses. The viruses encrypt and mutate themselves much too quickly for ClamAV to keep up. I believe many commercial virus scanners are in the same boat. So we just block executables, whether directly attached or embedded in zip files.
Agreed, that's why I added the following databases...
foxhole_generic.cdb, which blocks dangerous *double* extensions, without blocking single exe's
or go the whole hog and use:
foxhole_all.cdb, which blocks dangerous extensions
The above tactic can be done in other ways, but some people have found it useful using ClamAV
For the less aggressive...
rogue.hdb, is updated hourly (at the moment) with malware hashes of received malware emails
phish.ndb, contains simple filename heuristics for some malware.
Anyway, wrong list for ClamAV stuff, so I'll be off ;)
Cheers, Steve
Sanesecurity.com
--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Block-exe-in-attachment-tp107195p107209.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Block "exe" in attachment.
On 11/14/2013 04:49 PM, Henrik K wrote:
> On Thu, Nov 14, 2013 at 10:37:12AM -0500, Kevin A. McGrail wrote:
>> On 11/14/2013 8:57 AM, David F. Skoll wrote:
>>> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
>>> Regards, David.
>> Continuing that vein, statistically, in the past 60 days, on one server we blocked 60061 attachments using MIMEDefang. We had PERHAPS 5 or 6 requests to get the quarantined files. Out of those requests at least 50% were requests for 0-day malware.
>> Can't recommend enough that MD is a great product to mix into an anti-spam ecosystem though we also use McAfee, ClamAV and Symantec products as well in the mix with minimal false positives so they are very useful to hammer things definitively but things definitely get by them.
> Funny that the thread is mostly anything other than SA.. ;-)
> I guess I have to create a "Zipinfo" plugin for SA, had that in mind for a while..
or a one liner in a ClamAV .cdb sig file :)
Re: Block "exe" in attachment.
On Thu, Nov 14, 2013 at 10:37:12AM -0500, Kevin A. McGrail wrote:
> On 11/14/2013 8:57 AM, David F. Skoll wrote:
>> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
>> Regards, David.
> Continuing that vein, statistically, in the past 60 days, on one server we blocked 60061 attachments using MIMEDefang. We had PERHAPS 5 or 6 requests to get the quarantined files. Out of those requests at least 50% were requests for 0-day malware.
> Can't recommend enough that MD is a great product to mix into an anti-spam ecosystem though we also use McAfee, ClamAV and Symantec products as well in the mix with minimal false positives so they are very useful to hammer things definitively but things definitely get by them.
Funny that the thread is mostly anything other than SA.. ;-)
I guess I have to create a "Zipinfo" plugin for SA, had that in mind for a while..
Re: Heads up, yahoo server on some blacklists!
On 11/13/2013 5:51 PM, Noel Butler wrote:
On 14/11/2013 11:14, Ted Mittelstaedt wrote:
On 11/12/2013 1:39 PM, Noel Butler wrote:
On 13/11/2013 04:38, jpff wrote:
Perhaps on account of all the spam coming out of yahoo?
I see far more trash coming out of gmail, yet they never seem to list them...
Yeah, well when you're the 600 pound Gorilla you can sit where you want...
Not as far as I'm concerned, I have before and I will no doubt again, 'take em out' I don't care who they are, ma 'n pa small VISP, or largest ISP or freemail provider on earth, exceed our tolerances and you're out for a spell. People who go on about "oh but look at the ratio of users you have to judge by that', pigs arse I will, if for example 50 people regularly send spam from gmail, I'll block all gmail without hesitation. why? because the tossers at google don't act on spam reports, and your response pretty much sums up why they don't act.
When you have users paying you for mailboxes, who can't get email from their correspondents at gmail because you have blocked them, you have a problem. That's why with everything, we tag-and-forward, we don't block.
Ted
However, this discussion is best for MailOps, not SA
Re: Block "exe" in attachment.
On 11/14/2013 8:57 AM, David F. Skoll wrote:
> Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
> Regards, David.
Continuing that vein, statistically, in the past 60 days, on one server we blocked 60061 attachments using MIMEDefang. We had PERHAPS 5 or 6 requests to get the quarantined files. Out of those requests at least 50% were requests for 0-day malware.
Can't recommend enough that MD is a great product to mix into an anti-spam ecosystem though we also use McAfee, ClamAV and Symantec products as well in the mix with minimal false positives so they are very useful to hammer things definitively but things definitely get by them.
Regards, KAM
Re: Block "exe" in attachment.
On Thu, 14 Nov 2013 15:16:13 +0530 Kamaldeep Singh wrote:
> Is there any rule we can write so that we can blacklist the zip/tar files which contains "exe" file.
You most likely need to do it outside of SpamAssassin. I use MIMEDefang (naturally enough... I wrote it) and if an email has a zip attachment, I run "zipinfo" to extract the names of the members of the zip file and reject anything with an EXE, COM, SCR or BAT file in the zip.
Running "zipinfo -1 filename.zip" lists all the archive members, even if the zip is encrypted... luckily for us, zip file encryption only encrypts file contents, not the file names.
In my experience, ClamAV has become completely useless as a practical way to stop viruses. The viruses encrypt and mutate themselves much too quickly for ClamAV to keep up. I believe many commercial virus scanners are in the same boat. So we just block executables, whether directly attached or embedded in zip files.
Some statistics: On our main scanning cluster on 2013-11-13, we blocked 176,668 messages with EXE files in zip files. ClamAV only detected 4,610 viruses.
Regards, David.
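The member-name check described in the message above, sketched in Python as an added example; it is not MIMEDefang's code and not code from any poster in this thread. The function names and the sample message are constructed for illustration, and the zip directory is read with Python's zipfile module instead of the zipinfo command.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions named in the message above.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".bat"}


def is_blocked(name):
    """True if a file name ends in one of the blocked extensions."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    cleaned = name.rstrip(" .").lower()
    return any(cleaned.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def zip_member_names(data):
    """Return member names from the zip directory, or None if not a zip.

    Only the directory is read and no member is decompressed, so no
    password is needed for an encrypted archive (as with zipinfo -1).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def blocked_files(raw_message):
    """List (attachment, offending name) pairs found in a raw message."""
    message = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in message.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        if is_blocked(filename):          # directly attached executable
            hits.append((filename, filename))
        payload = part.get_payload(decode=True) or b""
        for member in zip_member_names(payload) or []:
            if is_blocked(member):        # executable inside a zip
                hits.append((filename, member))
    return hits


def build_sample_message():
    """Constructed sample: a zip attachment with one harmless and one EXE name."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("invoice.pdf", b"placeholder")
        archive.writestr("docs/Invoice.PDF.exe", b"placeholder")
    message = EmailMessage()
    message["From"] = "sender@example.com"
    message["To"] = "rcpt@example.com"
    message["Subject"] = "constructed test message"
    message.set_content("See attachment.")
    message.add_attachment(buffer.getvalue(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    return message.as_bytes()


if __name__ == "__main__":
    for attachment, member in blocked_files(build_sample_message()):
        print(f"reject: {attachment} contains {member}")
```

A filter hook would call blocked_files() on the raw message and reject or quarantine when the list is non-empty; archives nested inside the zip are not opened by this sketch.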
Re: Block "exe" in attachment.
Kamaldeep Singh wrote
> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
If you are using ClamAV you can add-on Third-Party Sanesecurity databases:
Foxhole databases (different levels of default blocking in attachments): http://sanesecurity.com/foxhole-databases/
Other anti-malware databases: (phish.ndb/rogue.hdb especially) http://sanesecurity.com/usage/signatures/
Cheers, Steve
Sanesecurity.com
--
View this message in context: http://spamassassin.1065346.n5.nabble.com/Block-exe-in-attachment-tp107195p107203.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Block "exe" in attachment.
On Thursday 14 November 2013 03:02 PM, Olivier Nicole wrote:
>> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
On 14.11.13 15:16, Kamaldeep Singh wrote:
> Thanks for information. But I have written one rule to block exe file. Like if someone sends an email with attached exe file. It won't send. It's display an error like "this attached file is blacklisted".
> Is there any rule we can write so that we can blacklist the zip/tar files which contains "exe" file.
as it was already said - not with spamassassin. This is not what spamassassin is for. You apparently can create a plugin that will scan .zip attachments and score them, but that has nothing to do with rejection.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: Block "exe" in attachment.
Hi all!
On Thu, 2013-11-14 at 10:46 +0100, Robert Schetterer wrote:
> On 14.11.2013 10:43, Axb wrote:
> > On 11/14/2013 10:38 AM, Antony Stone wrote:
> >> On Thursday 14 November 2013 at 10:32:06, Olivier Nicole wrote:
[...]
> >>>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
> >>> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
> >> Agreed.
> >>> You may consider using amavisd.
> >> Or MailScanner.
> > or Fuglu (http://www.fuglu.org/)
> or like this
> http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html
Or MIMEDefang.
Kind regards, Bernd
--
Bernd Petrovitsch Email : be...@petrovitsch.priv.at
LUGA : http://www.luga.at
Re: Block "exe" in attachment.
On 14.11.2013 10:43, Axb wrote:
> On 11/14/2013 10:38 AM, Antony Stone wrote:
>> On Thursday 14 November 2013 at 10:32:06, Olivier Nicole wrote:
>>> Hi,
>>>> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
>>>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
>>> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
>> Agreed.
>>> You may consider using amavisd.
>> Or MailScanner.
> or Fuglu (http://www.fuglu.org/)
or like this
http://www.cyberciti.biz/tips/postfix-block-mime-attachment-files.html
Best Regards MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Block "exe" in attachment.
Hi Olivier,
Thanks for information. But I have written one rule to block exe file. Like if someone sends an email with attached exe file. It won't send. It's display an error like "this attached file is blacklisted".
Is there any rule we can write so that we can blacklist the zip/tar files which contains "exe" file.
Regards, Kamaldeep Singh
On Thursday 14 November 2013 03:02 PM, Olivier Nicole wrote:
> Hi,
>> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
> You may consider using amavisd.
> best regards,
> Olivier
--
Regards
Kamaldeep Singh
B.E. (C.S.E) Red Hat Certified Engineer (RHCE)
System Administrator
For And On Behalf Of: Technology Blueprint Ltd
23 Clemens Street, Royal Leamington Spa, Warwickshire CV31 2DW
E: kamald...@techblue.co.uk
Re: Block "exe" in attachment.
On 11/14/2013 10:38 AM, Antony Stone wrote:
> On Thursday 14 November 2013 at 10:32:06, Olivier Nicole wrote:
>> Hi,
>>> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
>>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
>> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
> Agreed.
>> You may consider using amavisd.
> Or MailScanner.
or Fuglu (http://www.fuglu.org/)
Re: Block "exe" in attachment.
On Thursday 14 November 2013 at 10:32:06, Olivier Nicole wrote:
> Hi,
>> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
>> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
> SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
Agreed.
> You may consider using amavisd.
Or MailScanner.
Regards, Antony.
--
This sentence contains exactly threee erors.
Please reply to the list; please don't CC me.
Re: Block "exe" in attachment.
Hi,
> We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
> I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
SpamAssassin does not block anything. It could eventually mark that some attachment is an exe file, but that's all.
You may consider using amavisd.
best regards,
Olivier
Block "exe" in attachment.
Hi,
We are using SpamAssassin of version 3.3.1 running on Perl version 5.10.1.
I just want to know, Is it possible to block the "exe" file with attached zip/tar file.
--
Regards
Kamaldeep Singh
B.E. (C.S.E) Red Hat Certified Engineer (RHCE)
System Administrator
For And On Behalf Of: Technology Blueprint Ltd
23 Clemens Street, Royal Leamington Spa, Warwickshire CV31 2DW
E: kamald...@techblue.co.uk