
Thread: [SOLVED] Attachment blocking within .zip files?

  1. #1
    [SOLVED] Attachment blocking within .zip files?

    Does Zimbra extend its attachment blocking logic to include blocking those extensions even when they're zipped first? A lot of malware comes within an unencrypted zip file, and by simply blocking .exe most of it can be blocked even before ClamAV is updated. .zip files with .exe files inside seem to be making it through my server even with .exe set to be blocked.

    Thanks.
    Brian

  2. #2

    No, it doesn't as far as I can tell.

    Also see this post which refers to this RFE/bug.

    I've been researching this over the last few days as it is causing major issues for several Zimbra sites which I administer.

    The attachment blocking is part of the Postfix header checks - see /opt/zimbra/conf/postfix_header_checks
    ===============================================================================
    /filename=\"?(.*)\.(bat|cmd|com|exe|pif|scr)\"?$/ REJECT For security reasons we reject attachments of this type
    /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(bat|cmd|com|exe|pif|scr))"?\s*$/ REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
    ===============================================================================

    I've been looking into modifying the Amavis configuration file to detect .exe files within .zip files but I haven't had a chance to do this yet.

    In the file /opt/zimbra/conf/amavisd.conf.in, there is this section which has every test commented out:

    $banned_filename_re = new_RE(
    # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

      # block certain double extensions anywhere in the base name
      #qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

    # qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

    # qr'^application/x-msdownload$'i,      # block these MIME types
    # qr'^application/x-msdos-program$'i,
    # qr'^application/hta$'i,

    # qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME
    # qr'^\.wmf$',                                     # Windows Metafile file(1) type

    # qr'^message/partial$'i,        # rfc2046 MIME type
    # qr'^message/external-body$'i,  # rfc2046 MIME type

    # [ qr'^\.(Z|gz|bz2)$'            => 0 ],  # allow any in Unix-compressed
      [ qr'^\.(rpm|cpio|tar)$'        => 0 ],  # allow any in Unix-type archives
    # [ qr'^\.(zip|rar|arc|arj|zoo)$' => 0 ],  # allow any within such archives

      #qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i,  # banned extension - basic
    # qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
    #        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
    #        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
    #        wmf|wsc|wsf|wsh)$'ix,                    # banned ext - long

    # qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

      #qr'^\.(exe-ms)$',                 # banned file(1) types
    # qr'^\.(exe|lha|tnef|cab|dll)$',    # banned file(1) types
    );

    I was going to try uncommenting some of these tests.

    Anyone from Zimbra care to comment about the workings of Amavis and whether this will work?

    Angus

  3. #3

    Until an official method for extending blocking to inside attachments is supported, I just uncommented one of the blocks in /opt/zimbra/conf/amavisd.conf.in for $banned_filename_re:
    qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

    This lets the normal Zimbra attachment blocking work while also using the blocking in amavisd-new (which DOES support blocking files inside of archives) to specifically ban those above extensions within archives. I tried sending the very same emails that were sneaking through, and the logs show them being blocked now, specifically due to the embedded .exe.

    I also added:
    $final_banned_destiny = D_DISCARD;

    To prevent backscatter since the default in amavisd-new is D_BOUNCE.
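The two layers described in posts #2 and #3 can be seen side by side on a constructed message. The following is an added example, not code from the thread, from Zimbra or from amavisd-new: it applies the quoted header_checks rule to every header line the way Postfix would (mime_header_checks defaults to $header_checks, so MIME part headers are covered too), then runs an amavisd-style banned-name check that also lists the members of zip attachments, recursing into nested zips. The zip decoder, the depth limit, the sample addresses and the stub attachment bytes are this example's own assumptions; amavisd-new's real decoder handles far more archive types. Standard library only, nothing is sent or received.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Rule quoted from /opt/zimbra/conf/postfix_header_checks. Postfix regexp tables
# match case-insensitively by default, hence re.IGNORECASE.
POSTFIX_RULE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(bat|cmd|com|exe|pif|scr))"?\s*$',
    re.IGNORECASE)
# The "banned extension - basic" $banned_filename_re entry uncommented in post #3.
BANNED_BASIC = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)
# Archives this toy decoder descends into (assumption: zip only).
ARCHIVE_EXT = re.compile(r'\.zip$', re.IGNORECASE)


def build_message(attachment_name, payload):
    """Constructed sample: a plain message carrying one binary attachment."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.com'
    msg['To'] = 'user@example.com'
    msg['Subject'] = 'Invoice'
    msg.set_content('See attached.')
    msg.add_attachment(payload, maintype='application', subtype='octet-stream',
                       filename=attachment_name)
    return msg.as_bytes()


def zip_bytes(members):
    """Constructed sample: an in-memory, unencrypted zip built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def postfix_header_check(raw):
    """Layer 1: apply the header_checks rule to every header line of the message
    and of each MIME part. Returns the REJECT text, or None if it never fires."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        for name, value in part.items():
            m = POSTFIX_RULE.match(f'{name}: {value}')
            if m:
                return (f'REJECT Attachment type not allowed. File "{m.group(2)}" '
                        f'has the unacceptable extension "{m.group(3)}"')
    return None


def banned_names(raw, max_depth=3):
    """Layer 2: amavisd-style banned-name check. Tests each attachment's own name
    and, for zip attachments, the member names inside, recursing into nested zips
    up to max_depth. Returns offending names prefixed with their archive path."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ''
        if BANNED_BASIC.search(name):
            found.append(name)
        if ARCHIVE_EXT.search(name):
            found.extend(_scan_zip(part.get_payload(decode=True), name, max_depth))
    return found


def _scan_zip(data, prefix, depth):
    """Read member names from the central directory without extracting anything.
    Corrupt or over-deep archives are skipped here (amavisd-new can instead flag
    them through its UNDECIPHERABLE marker, commented out in the config above)."""
    found = []
    if depth == 0:
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            member = f'{prefix}/{info.filename}'
            if BANNED_BASIC.search(info.filename):
                found.append(member)
            if ARCHIVE_EXT.search(info.filename):
                found.extend(_scan_zip(zf.read(info), member, depth - 1))
    return found


def demo():
    """Three constructed messages: a bare .exe, a zipped .exe, a .scr two zips deep.
    Returns {label: (header_check_result, banned_names_result)}."""
    stub = b'MZ' + b'\0' * 62  # placeholder bytes, not a real executable
    cases = {
        'direct': build_message('invoice.exe', stub),
        'zipped': build_message('invoice.zip', zip_bytes({'invoice.exe': stub})),
        'nested': build_message('docs.zip', zip_bytes(
            {'inner.zip': zip_bytes({'setup.scr': stub}), 'readme.txt': b'hi'})),
    }
    return {k: (postfix_header_check(v), banned_names(v)) for k, v in cases.items()}


if __name__ == '__main__':
    for label, (hdr, banned) in demo().items():
        print(f'{label:7s} header_checks: {hdr or "pass"} | banned names: {banned or "none"}')
```

Running it shows the split the thread is about: the bare .exe is rejected at the header stage, while the zipped and nested cases pass every header line (the only filename Postfix ever sees is invoice.zip or docs.zip) and are caught solely by the archive listing. The check reads member names from the zip's central directory and never extracts or executes anything, which is also why it costs almost nothing per message.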

  4. #4

    Is there an official method for this now?

    I'm running 5.0.5 GA Network Edition on Red Hat 5 and am starting to have this issue where zipped executables come through and wreak havoc on users' workstations.

  5. #5

    ZCS 6 extends the attachment blocking to within zipped files if that's an option for you. I don't think you'll ever see an official method within ZCS 5 since it's in 6 now. I was using that unofficial method I found for about a year and it worked great for me except that I had to make sure to modify amavisd.conf.in each time I upgraded ZCS.

  6. #6

    Well, I'm actually looking at doing an upgrade now so that may be the best route.

    Looking for an upgrade guide now.

  7. #7

    Attachment blocking within .zip files

    Dear All

    Any update on this issue? I'm using Zimbra 5.0.11 and I am unable to block extensions like .exe when they are inside a zip file.

    Urgent matter. Please reply to this if you have any solution that does not require upgrading to the latest Zimbra.
