Discussion:
Score on attachments
Max Kipness
2014-06-27 15:06:42 UTC
Hi,

I've asked this before, but never got an answer and thought I would give
it another shot.

I sometimes get spam with attachments that are usually SCR files. For
example just a few minutes ago I received about 401k fund
participants/performance. Everything on my MailScanner system is setup
correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules,
you name it. So this message received a Bayes 999, which is correct. But
nothing else was triggered. I'm looking at some type of custom rule, but
I sure would be nice if we could score on an attachment present in
general, or certain extensions like an SCR. Or if we could score on the
fact that the message was caught by MailScanner with an attachment
warning.

Any ideas?

Thanks,
Max
Paul A Sand
2014-06-27 15:35:50 UTC
Post by Max Kipness
I sometimes get spam with attachments that are usually SCR files. For
example just a few minutes ago I received about 401k fund
participants/performance. Everything on my MailScanner system is setup
correctly. I'm using Bayes (manual), Razor, Pyzor, DCC, custom rules,
you name it. So this message received a Bayes 999, which is correct. But
nothing else was triggered. I'm looking at some type of custom rule, but
I sure would be nice if we could score on an attachment present in
general, or certain extensions like an SCR. Or if we could score on the
fact that the message was caught by MailScanner with an attachment
warning.
It's been awhile since I looked at this, but I was under the impression
that this was covered by normal, uncustomized, rules:

1) MailScanner.conf has

Filename Rules = %etc-dir%/filename.rules.conf

2) filename.rules.conf has

deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses

But you say that everything is set up correctly, so I'm almost certainly
missing something.
--
-- Paul A Sand <pas at unh.edu>
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- No electrons were harmed in the transmission of this message.
Alex Neuman
2014-06-27 17:07:31 UTC
It may be possible that he's skipping scanning on certain users out of
convenience, but opening the door to trojans in the process.



*Alex Neuman van der Hans*Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

Mobile: +507-6781-9505
Work: +507-832-6725
Work (USA): +1-440-253-9789
Skype: AlexNeuman

Don't miss Vida Digital on LiveStream
<http://new.livestream.com/accounts/5061819>!
Saturdays 8am-10am on 104.3FM Panama

Follow *@AlexNeuman <https://twitter.com/alexneuman>* on Twitter
Like Vida Digital <https://facebook.com/vidadigital/> on Facebook
Follow VidaDigital <http://instagram.com/vidadigital> on Instagram
Subscribe to Vida Digital <https://youtube.com/reliantpty> on Youtube
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140627/9d92e77b/attachment.html
Max Kipness
2014-06-27 16:27:52 UTC
Post by Paul A Sand
It's been awhile since I looked at this, but I was under the impression
that this was covered by normal, uncustomized, rules:
1) MailScanner.conf has
Filename Rules = %etc-dir%/filename.rules.conf
2) filename.rules.conf has
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
But you say that everything is set up correctly, so I'm almost certainly
missing something.
Thanks for the response Paul.

MailScanner is indeed blocking the SCR and sending a report about the
attachment. The problem is, this email was a spam message, its score
was 3.7 (Bayes 999 only) so it still got through (but with the SCR
stripped).

So I'm looking to add a score on the SCR, adding 1.0. In reality you
could add 20.0 for SCR because I don't ever see a legitimate need to
send these. If I had an extra score to add to the Bayes 999 it would not
have gotten through.

Or better yet, how about adding a score on (Filename?) attachment
warning? That would probably be best. Add 1.0 score to any of those.

If anyone knows how this can be achieved please let me know. In the past
I've had many of these having to do with Fax, Xerox spam, etc.

Max
Paul A Sand
2014-06-27 17:08:44 UTC
Post by Max Kipness
MailScanner is indeed blocking the SCR and sending a report about the
attachment. The problem is, this email was a spam message, its score
was 3.7 (Bayes 999 only) so it still got through (but with the SCR
stripped).
So I'm looking to add a score on the SCR, adding 1.0. In reality you
could add 20.0 for SCR because I don't ever see a legitimate need to
send these. If I had an extra score to add to the bayes 999 it would not
have gotten through.
Or better yet, how about adding a score on (Filename?) attachment
warning? That would probably be best. Add 1.0 score to any of those.
Sorry for misunderstanding. How about adapting the scheme here
(which adds a score on zip file attachment) :

http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/

I haven't tried this myself.
--
-- Paul A Sand <pas at unh.edu>
-- Information Technology / University of New Hampshire
-- http://pubpages.unh.edu/~pas
-- Contents may have settled during shipment.
Max Kipness
2014-06-27 18:05:19 UTC
Post by Paul A Sand
http://jrs-s.net/2013/06/14/block-common-trojans-in-spamassassin/
I haven't tried this myself.
Wow, beautiful. I've already tested it and it works great. I guess I overlooked the mimeheader rules. I now see Alex has responded with the same. Thanks to both.

Max
Martin Hepworth
2014-06-27 18:08:53 UTC
Are you setting MailScanner.conf so every email gets its spam scores in the
header? Could be something's misfiring, like autowhitelisting (which I
always disable anyway).

Make sure the following are set so you'll get that in the headers:

Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes
Spam Score Number Format = %5.2f
--
Martin Hepworth, CISSP
Oxford, UK
Alex Neuman
2014-06-27 17:57:23 UTC
What about not allowing messages with forbidden attachments through at all?

In any case, you might want to try something like this:

mimeheader SCR_ATTACHED Content-Type =~ /scr/i
describe SCR_ATTACHED email contains an scr file attachment
score SCR_ATTACHED 1.0
In




Alex Neuman
2014-06-27 17:57:47 UTC
Sorry, hit wrong key. I was going to say "in any case, the rule is probably
wrong but someone could help correct it".






Max Kipness
2014-06-27 21:16:35 UTC
Post by Alex Neuman
What about not allowing messages with forbidden attachments through at all?
mimeheader SCR_ATTACHED Content-Type =~ /scr/i
describe SCR_ATTACHED email contains an scr file attachment
score SCR_ATTACHED 1.0
I actually spoke a little soon.

Although this works great on the actual SCR files, I realized later they are sent inside of zip files. This doesn't work for an SCR inside of a zip, of course, because the MIME header has no mention of the inside file.

For now I'm giving zip files a low score, but enough to take the email to definite "is spam" with a Bayes 999.

I'm also reviewing Rick's suggestion.

Thanks all,
Max
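The gap Max describes above (a .scr that arrives inside a .zip, so the MIME headers only ever name the zip) is one a scanner has to look into the archive to close. What follows is an added example for this thread, not code from MailScanner, SpamAssassin or any poster: it applies filename.rules.conf-style deny regexes (the `\.scr$` rule Paul quoted, plus an executable rule added here as an assumption) to each attachment's filename and, for zip attachments, to the member names read from the zip directory, without extracting anything. Anchoring the pattern at the end of the filename also avoids what a bare `/scr/i` against Content-Type does, which is match any header value containing those three letters. The sample message, its addresses and the DENY_RULES table are constructed for the example.

```python
"""Added example, not MailScanner or SpamAssassin code: flag denied
attachment types in a MIME message, looking inside zip attachments too."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Deny rules in the style of MailScanner's filename.rules.conf
# (regex applied to the filename, reason). The .scr rule mirrors the
# line quoted earlier in the thread; the executable rule is an assumption
# added for this example. First match wins.
DENY_RULES = [
    (re.compile(r"\.scr$", re.I), "Possible virus hidden in a screensaver"),
    (re.compile(r"\.(exe|pif|com|bat|cmd)$", re.I), "Executable attachment"),
]

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


def deny_reason(filename):
    """Return the reason of the first deny rule matching filename, or None."""
    for pattern, reason in DENY_RULES:
        if pattern.search(filename):
            return reason
    return None


def zip_member_names(data):
    """List member names from the zip central directory without extracting.
    Encrypted zips still expose their names; corrupt data yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Return [(attachment_path, reason)] for every denied filename in raw,
    where attachment_path is 'outer.zip:inner.scr' for archive members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text carries no attachment filename
        reason = deny_reason(name)
        if reason:
            hits.append((name, reason))
        # The MIME headers only name the zip; the .scr sits in the zip directory.
        if part.get_content_type() in ZIP_TYPES or name.lower().endswith(".zip"):
            for member in zip_member_names(part.get_payload(decode=True)):
                reason = deny_reason(member)
                if reason:
                    hits.append((f"{name}:{member}", reason))
    return hits


def build_sample():
    """Constructed sample resembling the '401k' spam in the thread: a zip
    attachment carrying a .scr, plus a harmless PDF attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("401k_fund_performance.scr", b"not really a screensaver")
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "max@example.invalid"
    msg["Subject"] = "401k fund participants/performance"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample()):
        print(f"DENY {path}: {reason}")
```

Reading the zip directory is cheap because nothing is decompressed, which is the point Rick makes later in the thread about not stalling the MTA: a check like this belongs in the content scanner that runs in the background, not inline in the SMTP conversation. The list of hits is what you would then turn into either a hard deny (MailScanner's archive filename rules) or an extra SpamAssassin score on top of the Bayes result.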
Alex Neuman
2014-06-27 23:10:12 UTC
Or you could just let MailScanner do its job and not deliver these files -
along with the e-mails with the dangerous attachments.



Max Kipness
2014-06-28 00:08:31 UTC
Post by Alex Neuman
Or you could just let MailScanner do its job and not deliver these files - along with the e-mails with the dangerous attachments.
Is there a way in MailScanner to not send the email if the attachment is an SCR (or zip with enclosed SCR)? Currently MailScanner is stripping the SCR/ZIP, but sending the email anyway with the attached text file warning that the SCR is on the unacceptable list.

I think this was the original path I was trying to take to resolve this problem, but could not find a way to do it.

Max
Alex Neuman
2014-06-27 16:29:51 UTC
You should just disallow SCR files since there is probably no need for them
to be sent to your users. If I recall correctly, SCR (like .EXE) is one of
the extensions MailScanner doesn't let through by default.



Rick Cooper
2014-06-27 21:01:06 UTC
You do not say what your MTA is, but I have to assume Postfix or Sendmail (I
use Exim) have some kind of MIME type blocking as Exim does, so it's easy to
either reject or /dev/null any email that has a .scr file attached (or any
other type for that matter) and it never gets to MailScanner or the user. I
dump about half a dozen different file types that should never be sent
(unarchived), including .scr, right at the MTA level.

Rick
Max Kipness
2014-06-27 21:12:34 UTC
Post by Rick Cooper
You do not say what your MTA is but I have to assume postfix or
sendmail (I use exim) have some kind of mime type blocking as does exim
so it's easy to either reject or /dev/null any email that has a .scr file
attached (or any other type for that matter) and it never gets to
MailScanner or the user. I dump about 1/2 dozen different file types
that should never be sent (unarchived) including .scr, right at the MTA level
Rick
Good point there. I use Sendmail.

For the SCR files there really is not a legitimate reason to send them so
you would assume the whole email should be trashed. I'm going to look
into this. But what if the SCR is zipped? That is the way I'm getting
them.

Max
Rick Cooper
2014-06-28 17:51:46 UTC
Post by Max Kipness
Good point there. I use Sendmail.
For the SCR files there really is not a legitimate reason to send them
so you would assume the whole email should be trashed. I'm going to
look into this. But what if the SCR is zipped? That is the way I'm
getting them.
Max
The answer is yes, Exim can, but you have to write a rather simple script to
be called on the file to handle the processing of files inside archives. I
only block those that are outside archives and let MailScanner handle
those that are inside, as it seems cleaner to me. I don't think you want to
hold up the MTA while something unpacks all the attachments, and their
children, looking for a specific file type; better to let MailScanner do that
in the background.

In MailScanner, use the archive file name/type rules and set them to deny. You can
see what happens if you set deliver cleaned to no; I don't know if that
applies to messages with files removed or not.
