Linux Help Desk


Monday, January 4, 2016

How to Configure MailScanner with File Name Extension


The MailScanner configuration file is very large and offers a huge number of options, so it is impossible to give general, detailed instructions on how to configure MailScanner. Instead I will explain and highlight the options that are needed in our test lab. The configuration file is its own documentation: every option is preceded by a comment that explains it. For advanced configuration please check the MailScanner website: http://www.mailscanner.info/documentation.html
The configuration file is located in the /etc/MailScanner directory. After editing it, run "MailScanner --lint" so MailScanner checks the configuration and reports any problems before you restart the service.
The Configuration:
 1. %org-name% = Company-name
 2. %org-long-name% = Company Email Security
 3. %web-site% = www.example.com
 4. Max Children = 5 # For less busy mail servers this can be reduced to 2 or 3
 5. Run As User = postfix # Because we use Postfix as MTA
 6. Run As Group = postfix
 7. Incoming Queue Dir = /var/spool/postfix/hold
 8. Incoming Work Dir = /dev/shm # By default MailScanner "unpacks" messages for scanning in /var/spool/MailScanner/incoming; a RAM-backed tmpfs such as /dev/shm gives better performance. /dev/shm is shared with every local user, so keep Incoming Work Permissions restrictive.
 9. Outgoing Queue Dir = /var/spool/postfix/incoming
10. MTA = postfix
11. Incoming Work Group = clamav
12. Incoming Work Permissions = 0640 # Lets clamd (group clamav) read the unpacked attachments without making them world-readable
13. Quarantine User = root
14. Quarantine Group = apache
15. Quarantine Permissions = 0640
16. Virus Scanner = clamd
17. Clamd Socket = /tmp/clamd.socket # Must match the LocalSocket setting in clamd.conf
18. Clamd Lock File = /var/lock/subsys/clamd
19. Clamd use threads = yes # Only if the server has more than one CPU; otherwise leave it at no
20. Quarantine Whole Message = yes
21. Allow Filenames = %rules-dir%/filename-allow.rules
22. Deny Filenames = %rules-dir%/filename-deny.rules
23. Filename Rules =
24. SpamScore Number Instead of Stars = yes
25. Information Header Value = Please contact your administrator for more information
26. Spam List = spamhaus-ZEN # Not needed if RBL checking is already done in Postfix. Optionally add spamcop (see http://stats.dnsbl.com) or b.barracudacentral.org, which requires registration but is said to work very well.
27. Rebuild Bayes every = 86400 # In seconds, i.e. once a day
28. Spam Action = store forward postmaster
29. High Scoring Spam Action = store forward postmaster
30. SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
31. SpamAssassin Local State Dir = /var/lib/spamassassin # Only set this once you have verified that the sa-update cron job runs successfully: it must have created a directory structure under the spamassassin directory within this one and put some *.cf files in there.
More configuration options can be specified. Some options that can be enabled or set are the following:
1. Scan Messages = %rules-dir%/scan.messages.rules # If we only want to scan incoming messages and not outgoing ones
2. Dangerous Content Scanning = %rules-dir%/content.scanning.rules
3. Always Looked Up Last = &MailWatchLogging # Important when using MailWatch, otherwise nothing is logged to it
4. Is Definitely Not Spam = &SQLWhitelist # When using MailWatch
5. Is Definitely Spam = &SQLBlacklist # When using MailWatch
6. Log Spam = yes # When using Vispan
Permissions
To let MailScanner work correctly with Postfix, the MailScanner work directory must be owned by the user MailScanner runs as (Run As User = postfix):
1. chown -R postfix /var/spool/MailScanner/incoming

Bayes
By default MailScanner uses SpamAssassin's Bayes classifier. Bayes only starts contributing to the score once at least 200 ham and 200 spam messages have been learned into its database, and it becomes more accurate as the database grows, since it learns from the messages it sees. To set up a site-wide Bayes database, do the following:
1. mkdir /var/spool/MailScanner/spamassassin # As stated in MailScanner.conf -> SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
2. cp ~/.spamassassin/bayes_* /var/spool/MailScanner/spamassassin # If the files don't exist yet, run sa-learn --sync first to create them
3. chown postfix:postfix /var/spool/MailScanner/spamassassin
4. open /etc/MailScanner/spam.assassin.prefs.conf
5. add -> bayes_path /var/spool/MailScanner/spamassassin/bayes
       -> bayes_file_mode 0660
       -> bayes_auto_expire 0 # Expiry is done by MailScanner's "Rebuild Bayes every" setting instead
NOTE: DO NOT START THE SPAMASSASSIN DAEMON ('service spamassassin start'). MailScanner loads the Mail::SpamAssassin Perl module in-process; spamd and spamc are not used at all.
Quarantine directory
The quarantine directory in /var/spool/MailScanner does not have the right permissions to store infected mail that has to be quarantined, so we need to change this. The directory must be writable by the user MailScanner runs as (postfix) and readable by the web server group (apache) so that MailWatch can view and release quarantined messages; together with Quarantine Permissions = 0640 this keeps the quarantined malware from being world-readable.
chown postfix:apache /var/spool/MailScanner/quarantine

Filename rules
The default installation of MailScanner allows every attachment file format. We need to restrict this so that unwanted attachment types, which often carry viruses, are blocked by MailScanner.
1. vi /etc/MailScanner/MailScanner.conf
2. Go to around line 1143 (search for "Allow Filenames")
3. Allow Filenames = %rules-dir%/filename-allow.rules
   Deny Filenames = %rules-dir%/filename-deny.rules
   Filename Rules =
   Filetype Rules =
Be aware that an empty Filetype Rules disables the check of an attachment's real content type (MailScanner normally runs the file command on it and matches the result against filetype.rules.conf). From then on only the filename decides, so an executable renamed to .txt is only caught if a filename rule matches or the virus scanner recognises it.

Now that we've edited the configuration file we need to create the allow and deny files, because they don't exist yet. Luckily there is already a pre-built filename.rules.conf in the /etc/MailScanner directory. This file contains the denies as well as the allows.
1. cp /etc/MailScanner/filename.rules.conf /etc/MailScanner/rules
2. cp /etc/MailScanner/rules/filename.rules.conf /etc/MailScanner/rules/filename-allow.rules
   cp /etc/MailScanner/rules/filename.rules.conf /etc/MailScanner/rules/filename-deny.rules
filename-allow.rules and filename-deny.rules now have the same content. First delete the deny lines from filename-allow.rules and the allow lines from filename-deny.rules. Then specify which domain these rules apply to by prefixing every allow or deny line in both files with the following:
To: example.com      # mind the whitespace after example.com; the rule fields that follow are TAB-separated
Resulting filename-allow.rules:
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
#           then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
To: example.com allow  \.xml\d*\.rel$         -       -
To: example.com allow  \.x\d+\.rel$           -       -
To: example.com allow  \.rtf$                 -       -

# These are known to be mostly harmless.
To: example.com allow  \.jpg$                 -       -
To: example.com allow  \.gif$                 -       -
To: example.com allow  \.png$                  -       -
# .url is arguably dangerous, but I can't just ban it...
To: example.com allow  \.url$                 -       -
To: example.com allow  \.vcf$                 -       -
To: example.com allow  \.txt$                 -       -
To: example.com allow  \.zip$                 -       -
To: example.com allow  \.t?gz$                -       -
To: example.com allow  \.bz2$                 -       -
To: example.com allow  \.Z$                   -       -
To: example.com allow  \.rpm$                 -       -
# PGP and GPG
To: example.com allow  \.gpg$                 -       -
To: example.com allow  \.pgp$                 -       -
To: example.com allow  \.sig$                 -       -
To: example.com allow  \.asc$                 -       -
# Needed for PDF support
To: example.com allow  \.pdf$                  -       -
# Macintosh archives
To: example.com allow  \.hqx$                 -       -
To: example.com allow  \.sit.bin$             -       -
To: example.com allow  \.sea$                 -       -

# Allow repeated file extension, e.g. blah.zip.zip
To: example.com allow  (\.[a-z0-9]{3})\1$     -       -

# Allow days of the week and months in doc names, e.g. blah.wed.doc
To: example.com allow  \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ -       -
To: example.com allow        \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$    -        -

Resulting filename-deny.rules:
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
#           then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
To: example.com deny   .{150,}                Very long filename, possible OE attack                                 Very long filenames are good signs of attacks  against Microsoft e-mail Packages

# JKF 10/08/2007 Adobe Acrobat nastiness
To: example.com deny   \.fdf$                 Dangerous Adobe Acrobat data-file                                      Opening this file can cause auto-loading of  any file from the internet
# JKF 04/01/2005 More Microsoft security vulnerabilities
To: example.com deny   \.ico$                 Windows icon file security vulnerability                               Possible buffer overflow in Windows
To: example.com deny   \.ani$                 Windows animated cursor file security vulnerability                         Possible buffer overflow in Windows
To: example.com deny   \.cur$                 Windows cursor file security vulnerability                             Possible buffer overflow in Windows
#To: example.com deny  \.hlp$                 Windows help file security vulnerability                               Possible buffer overflow in Windows

# These 4 are well known viruses.
To: example.com deny   pretty\s+park\.exe$    "Pretty Park" virus                                                    "Pretty Park" virus
To: example.com deny   happy99\.exe$          "Happy" virus                                                          "Happy" virus
To: example.com deny   \.ceo$         WinEvar virus attachment                                              Often used by the WinEvar virus
To: example.com deny   webpage\.rar$  I-Worm.Yanker virus attachment                                        Often used by the I-Worm.Yanker virus

# JKF 08/07/2005 Several virus scanners may miss this one
To: example.com deny   \.cab$                 Possible malicious Microsoft cabinet file                              Cabinet files may hide viruses

# These are known to be dangerous in almost all cases.
To: example.com deny   \.reg$         Possible Windows registry attack                                      Windows registry entries are very dangerous in email
To: example.com deny   \.chm$         Possible compiled Help file-based virus                                       Compiled help files are very dangerous in email
To: example.com deny   \.cnf$         Possible SpeedDial attack                                             SpeedDials are very dangerous in email
To: example.com deny   \.hta$         Possible Microsoft HTML archive attack                                HTML archives are very dangerous in email
To: example.com deny   \.ins$         Possible Microsoft Internet Comm. Settings attack                     Windows Internet Settings are dangerous in email
To: example.com deny   \.jse?$        Possible Microsoft JScript attack                                     JScript Scripts are dangerous in email
To: example.com deny   \.job$         Possible Microsoft Task Scheduler attack                              Task Scheduler requests are dangerous in email
To: example.com deny   \.lnk$         Possible Eudora *.lnk security hole attack                            Eudora *.lnk security hole attack
To: example.com deny   \.ma[dfgmqrstvw]$      Possible Microsoft Access Shortcut attack                      Microsoft Access Shortcuts are dangerous in email
To: example.com deny   \.pif$         Possible MS-Dos program shortcut attack                                       Shortcuts to MS-Dos programs are very dangerous in email
To: example.com deny   \.scf$         Possible Windows Explorer Command attack                              Windows Explorer Commands are dangerous in email
To: example.com deny   \.sct$         Possible Microsoft Windows Script Component attack                    Windows Script Components are dangerous in email
To: example.com deny   \.shb$         Possible document shortcut attack                                     Shortcuts Into Documents are very dangerous in email
To: example.com deny   \.shs$         Possible Shell Scrap Object attack                                    Shell Scrap Objects are very dangerous in email
To: example.com deny   \.vb[es]$      Possible Microsoft Visual Basic script attack                         Visual Basic Scripts are dangerous in email
To: example.com deny   \.ws[cfh]$     Possible Microsoft Windows Script Host attack                         Windows Script Host files are dangerous in email
To: example.com deny   \.xnk$         Possible Microsoft Exchange Shortcut attack                           Microsoft Exchange Shortcuts are dangerous in email

# These are new dangerous attachment types according to Microsoft in KB article Q883260
To: example.com deny   \.cer$         Dangerous Security Certificate (according to Microsoft)                        Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.its$         Dangerous Internet Document Set (according to Microsoft)                     Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.mau$         Dangerous attachment type (according to Microsoft)                    Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.md[az]$      Dangerous attachment type (according to Microsoft)                    Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.prf$         Dangerous Outlook Profile Settings (according to Microsoft)                     Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.pst$         Dangerous Office Data File (according to Microsoft)                   Dangerous attachment according to Microsoft Q883260
#To: example.com deny  \.tmp$         Dangerous Temporary File (according to Microsoft)                     Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.vsmacros$    Dangerous Visual Studio Macros (according to Microsoft)                        Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.vs[stw]$     Dangerous attachment type (according to Microsoft)                    Dangerous attachment according to Microsoft Q883260
To: example.com deny   \.ws$          Dangerous Windows Script (according to Microsoft)                     Dangerous attachment according to Microsoft Q883260


# These 2 added by popular demand - Very often used by viruses
To: example.com deny   \.com$         Windows/DOS Executable                                                Executable DOS/Windows programs are dangerous in email
To: example.com deny   \.exe$         Windows/DOS Executable                                                Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
To: example.com deny   \.scr$         Possible virus hidden in a screensaver                                Windows Screensavers are often used to hide viruses
To: example.com deny   \.bat$         Possible malicious batch file script                                  Batch files are often malicious
To: example.com deny   \.cmd$         Possible malicious batch file script                                  Batch files are often malicious
To: example.com deny   \.cpl$         Possible malicious control panel item                                 Control panel items are often used to hide viruses
To: example.com deny   \.mhtml$       Possible Eudora meta-refresh attack                                   MHTML files can be used in an attack against Eudora

# Deny filenames containing CLSID's
To: example.com deny   \{[a-hA-H0-9-]{25,}\}  Filename trying to hide its real type                   Files containing  CLSID's are trying to hide their real type

# Deny filenames with lots of contiguous white space in them.
To: example.com deny   \s{10,}        Filename contains lots of white space                                 A long gap in a name is often used to hide part of it

# Deny all other double file extensions. This catches any hidden filenames.
To: example.com deny   \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding                 Attempt to hide real filename extension
In the examples above we scope the rules to one recipient domain. To apply an allow or deny to every domain this MailScanner serves, use a wildcard recipient instead of the domain name, for example:
To: *.* \.bat$
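To see how such rules behave before putting them in front of real mail, here is an added example in Python. It is not MailScanner's code (MailScanner itself is written in Perl): it parses rules in the TAB-separated format shown above, writes them out split into the per-domain filename-allow.rules / filename-deny.rules layout built by hand above, and checks attachment names against them the way filename.rules.conf is evaluated, top to bottom, first match wins, and an attachment that matches nothing is allowed. The sample rules are a constructed excerpt of the file above; the function names, the case-insensitive matching and the handling of the To:/From:/FromOrTo: prefix are assumptions of this example, not MailScanner's documented behaviour.

```python
"""Added example (not MailScanner's own code): parse MailScanner-style
filename rules, split them into per-domain allow/deny files, and test
attachment names against them."""
import re
from typing import List, NamedTuple, Optional, Tuple

TAB = "\t"
ACTIONS = ("allow", "deny", "deny+delete")
# Optional "To:/From:/FromOrTo: <address-pattern>" prefix used in the split files.
SCOPE_RE = re.compile(r"^(To|From|FromOrTo):\s*(\S+)\s+(.*)$")


class Rule(NamedTuple):
    action: str            # allow, deny or deny+delete
    pattern: str           # the regex as written in the rules file
    regex: re.Pattern      # compiled form
    log_text: str          # text for the MailScanner log ("-" in the file means none)
    report_text: str       # text for the user report
    scope: Optional[str]   # e.g. "To: example.com", None for unscoped rules


def rule_line(*fields: str) -> str:
    """Join fields with TAB, the separator the rules files require."""
    return TAB.join(fields)


# Constructed excerpt in the layout of /etc/MailScanner/filename.rules.conf.
SAMPLE_RULES = "\n".join([
    "# constructed sample: two allows followed by five denies",
    rule_line("allow", r"\.zip$", "-", "-"),
    rule_line("allow", r"(\.[a-z0-9]{3})\1$", "-", "-"),
    rule_line("deny", r".{150,}", "Very long filename, possible OE attack",
              "Very long filenames are good signs of attacks"),
    rule_line("deny", r"\.exe$", "Windows/DOS Executable",
              "Executable DOS/Windows programs are dangerous in email"),
    rule_line("deny", r"\.scr$", "Possible virus hidden in a screensaver",
              "Windows Screensavers are often used to hide viruses"),
    rule_line("deny", r"\{[a-hA-H0-9-]{25,}\}", "Filename trying to hide its real type",
              "Files containing CLSID's are trying to hide their real type"),
    rule_line("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding",
              "Attempt to hide real filename extension"),
])


def parse_rules(text: str) -> List[Rule]:
    """Parse rules in file order; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scope = None
        m = SCOPE_RE.match(line)
        if m:
            scope, line = f"{m.group(1)}: {m.group(2)}", m.group(3)
        fields = [f.strip() for f in re.split(r"\t+", line)]
        if len(fields) < 2 or fields[0] not in ACTIONS:
            raise ValueError(f"malformed rule (fields must be TAB-separated): {raw!r}")
        fields += ["-"] * (4 - len(fields))          # pad missing text fields
        action, pattern, log_text, report = fields[:4]
        # Assumption of this demo: patterns match case-insensitively, so
        # SETUP.EXE is caught by \.exe$ just like setup.exe.
        rules.append(Rule(action, pattern, re.compile(pattern, re.IGNORECASE),
                          "" if log_text == "-" else log_text,
                          "" if report == "-" else report, scope))
    return rules


def split_rules(rules: List[Rule], domain: str) -> Tuple[str, str]:
    """Return (filename-allow.rules, filename-deny.rules) contents, every line
    prefixed with 'To: <domain>' as the post builds them by hand."""
    allow, deny = [], []
    for r in rules:
        line = rule_line(f"To: {domain}", r.action, r.pattern,
                         r.log_text or "-", r.report_text or "-")
        (allow if r.action == "allow" else deny).append(line)
    return "\n".join(allow) + "\n", "\n".join(deny) + "\n"


def check_filename(name: str, rules: List[Rule]) -> Optional[Rule]:
    """First matching rule wins; None means nothing matched and the
    attachment passes by default."""
    for r in rules:
        if r.regex.search(name):
            return r
    return None


def verdict(name: str, rules: List[Rule]) -> str:
    hit = check_filename(name, rules)
    return hit.action if hit else "allow"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ["report.zip", "notes.doc.doc", "photo.jpg.exe", "SETUP.EXE",
                 "invoice.txt.{3050F4C8-98B5-11CF-BB82-00AA00BDCE0B}", "readme.txt"]:
        hit = check_filename(name, rules)
        print(f"{name[:48]:48} {verdict(name, rules):6} {hit.log_text if hit else ''}")
    allow_txt, deny_txt = split_rules(rules, "example.com")
    print(allow_txt, deny_txt, sep="")
```

Note that notes.doc.doc passes only because the repeated-extension allow is listed before the double-extension deny; swap the two and it is blocked, which is why the allows sit at the top of the original file. The parser also rejects lines whose fields are separated by spaces instead of TABs, the most common mistake when editing these files by hand.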
