reject based on attachment

Anyone have a filter they'd like to share that rejects mail at smtp
based on known malicious attachment file types?  I've been out of the
game for a while in this regard.  Received a spam today (that squeaked
past all my current filters) with a .docx file attached, and I don't
even know what that ext is.  I'm guessing some recent office active-x
type thing.

Anyway, much appreciated if someone has such a filter, or an example or
docs so I can write one myself.  I've never done anything with Postfix
content filters.  My experience is rejecting on stuff on sending
IP/domain reputation.

Thanks in advance.

--
Stan

Re: reject based on attachment

On 11/3/2009 9:13 AM, Stan Hoeppner wrote:
> Anyone have a filter they'd like to share that rejects mail at smtp
> based on known malicious attachment file types?  I've been out of the
> game for a while in this regard.  Received a spam today (that squeaked
> past all my current filters) with a .docx file attached, and I don't
> even know what that ext is.  I'm guessing some recent office active-x
> type thing.

No, docx, xlsx, and pptx are the new Office 2007 'OpenXML' formats.

--
Best regards,
Charles

Re: reject based on attachment

* Stan Hoeppner <stan@...>:
> Anyone have a filter they'd like to share that rejects mail at smtp
> based on known malicious attachment file types?

Of course .)

mime_header_checks:

/name=\"(.*)\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole)\"$/
    REJECT Unwanted attachment/Unerwuenschter Anhang $1.$2 -- http://webmail.charite.de/doku/faq/#3

/name=\"(.*)\.(pif|reg|rm|scr|shb|shm|shs|sys|vbe|vbs|vxd|xl|xsl)\"$/
    REJECT Unwanted attachment/Unerwuenschter Anhang $1.$2 -- http://webmail.charite.de/doku/faq/#3

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt@... | http://www.charite.de

Re: reject based on attachment

On 3-Nov-2009, at 07:13, Stan Hoeppner wrote:
> Anyone have a filter they'd like to share that rejects mail at smtp
> based on known malicious attachment file types?

main.cf:
mime_header_checks = pcre:$config_directory/mime_headers.pcre

$ cat mime_headers.pcre
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|
    chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|
    mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|
    swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
    REJECT Attachment name "$2" may not end with ".$3"

That said, executable attachments in email are EXTREMELY rare anymore.
They seem to arrive as zip files and rely on the innate stupidity of
the receiver.  I've only seen a handful this month and they were all
.swf files.

--
We only remembers that the elves sang. We forgets what it was they were
singing about. --Lords and Ladies
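
An added example, not part of the thread and not Postfix code: a dry run of the mime_headers.pcre expression from the post above against a constructed message, to see which part headers it would reject before the table goes live. Python's `re` stands in for PCRE here, and `check_header`, `check_message` and the sample message are names and data made up for the illustration.

```python
import re
from email import message_from_string

# Expression copied from the post above with the mail line-wraps rejoined.
# Postfix pcre: tables default to case-insensitive matching with "." matching
# newline, hence IGNORECASE and DOTALL; the /x flag maps to VERBOSE.
RULE = re.compile(r'''
    ^\s*Content-(Disposition|Type).*name\s*=\s*"?
    (.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|
          lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|
          sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))
    (\?=)?"?\s*(;|$)
''', re.IGNORECASE | re.DOTALL | re.VERBOSE)

def check_header(line):
    """Return the REJECT text for one logical header, or None if it passes."""
    m = RULE.search(line)
    if m is None:
        return None
    return 'REJECT Attachment name "%s" may not end with ".%s"' % m.group(2, 3)

def check_message(raw):
    """Apply the rule to the headers of every MIME part; first REJECT wins."""
    for part in message_from_string(raw).walk():
        for name, value in part.items():
            verdict = check_header("%s: %s" % (name, value))
            if verdict:
                return verdict
    return None

# Constructed sample: a .docx part, then a part whose folded
# Content-Disposition header names an .exe file.
SAMPLE = (
    'From: sender@example.org\nTo: rcpt@example.net\nSubject: sample\n'
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: application/vnd.openxmlformats-officedocument'
    '.wordprocessingml.document;\n\tname="report.docx"\n'
    'Content-Disposition: attachment; filename="report.docx"\n\nAAAA\n'
    '--b1\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment;\n\tfilename="update.exe"\n\nAAAA\n'
    '--b1--\n'
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
    for h in ('Content-Type: application/octet-stream; name=setup.scr; charset=binary',
              'Content-Type: application/octet-stream; name="=?UTF-8?Q?invoice.exe?="',
              'Content-Disposition: attachment; filename="report.docx"'):
        print(h, "->", check_header(h))
```

On a Postfix host, `postmap -q "<header line>" pcre:/path/to/mime_headers.pcre` runs the same lookup through Postfix's own PCRE matcher.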

reject based on attachment

Ralf Hildebrandt put forth on 11/3/2009 8:32 AM:
> * Stan Hoeppner <stan@...>:
>
>> Anyone have a filter they'd like to share that rejects mail at smtp
>> based on known malicious attachment file types?
>
> Of course .)
>
> mime_header_checks:
>
> /name=\"(.*)\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole)\"$/
>     REJECT Unwanted attachment/Unerwuenschter Anhang $1.$2 -- http://webmail.charite.de/doku/faq/#3
>
> /name=\"(.*)\.(pif|reg|rm|scr|shb|shm|shs|sys|vbe|vbs|vxd|xl|xsl)\"$/
>     REJECT Unwanted attachment/Unerwuenschter Anhang $1.$2 -- http://webmail.charite.de/doku/faq/#3

Thanks Ralf.  Is smtpd_recipient_restrictions the appropriate place to
put mime_header_checks, like this?

smtpd_recipient_restrictions =
    mime_header_checks = pcre:/etc/postfix/mime_header_checks

/etc/postfix/mime_header_checks

/name=\"(.*)\.(386|bat|chm|cpl|cmd|com|do|exe|hta|jse|lnk|msi|ole)\"$/
    REJECT Unwanted attachment $1.$2
/name=\"(.*)\.(pif|reg|rm|scr|shb|shm|shs|sys|vbe|vbs|vxd|xl|xsl)\"$/
    REJECT Unwanted attachment $1.$2

BTW, I can't tell--are these regexp or pcre format?

--
Stan

Re: reject based on attachment

* Stan Hoeppner <stan@...>:
> Thanks Ralf.  Is smtpd_recipient_restrictions the appropriate place to
> put mime_header_checks, like this?

No.

> smtpd_recipient_restrictions =

It's just:
mime_header_checks = pcre:/etc/postfix/mime_header_checks

> BTW, I can't tell--are these regexp or pcre format?

I usually use PCRE

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt@... | http://www.charite.de

Re: reject based on attachment

Stan Hoeppner wrote:
> Anyone have a filter they'd like to share that rejects mail at smtp
> based on known malicious attachment file types?  I've been out of the
> game for a while in this regard.  Received a spam today (that squeaked
> past all my current filters) with a .docx file attached, and I don't
> even know what that ext is.  I'm guessing some recent office active-x
> type thing.

no, these are (relatively new) "standard" office documents. if you
accept word docs, there is no point rejecting .docx, etc.

>
> Anyway, much appreciated if someone has such a filter, or an example or
> docs so I can write one myself.  I've never done anything with Postfix
> content filters.  My experience is rejecting on stuff on sending
> IP/domain reputation.
>

you can use header_checks (or mime_header_checks). examples have been
posted some time ago here. here is an example:

== main.cf:
header_checks = pcre:/etc/postfix/maps/pcre/header_checks

== /etc/postfix/maps/pcre/header_checks
#banned attachments
if /^Content-(Disposition|Type)/
/name\s*=\s*"?(.*(\.|=2E)(
    ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
    hlp|ht[at]|
    inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
    \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
    ocx|ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
    vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
    REJECT Dangerous Attachment ".$3" (file: "$1")
/message\/partial/
    REJECT message fragments are not allowed
endif

PS. Note that /x is used here. check perl regular expression docs.