Virus check file sitting on remote site

Forum for things that don't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
AndreL
Normal user
Posts: 31
Joined: 2016-06-07 15:42

Virus check file sitting on remote site

Post by AndreL » 2017-03-20 14:29

Hi,

Every day some messages received include a URL to an infected file sitting on a remote site (ransomware). This site is generally a public one like Dropbox.
As the file is not an attachment, no spam or virus check is done. SURBL is not relevant either.

I'm looking for a service or process to validate those file content before the email is reaching the inbox.
So basically downloading the (url) file to a secure location for a virus check.

Any advice is welcome,
Andre.

jimimaseye
Moderator
Posts: 8363
Joined: 2011-09-08 17:48

Re: Virus check file sitting on remote site

Post by jimimaseye » 2017-03-20 16:30

SaneSecurity definitions (used with ClamAV) contain definitions against known phishing and malware links. If you are not using any AV then I recommend: viewtopic.php?f=21&t=26829
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Virus check file sitting on remote site

Post by mattg » 2017-03-20 23:21

Yes I like those definitions too, however I'm not sure that they will be triggered by an embedded URL. I think that they only look at attachments.

@AndreL, interesting idea, but that's exactly what SURBL does. Why is SURBL 'not relevant'?
What SURBL servers are you using?

This is my list

Code:

SURBL ENTRIES:
                   multi.surbl.org      Score: 3
                  dbl.spamhaus.org      Score: 3
        uribl.spameatingmonkey.net      Score: 1
                   uribl.swinog.ch      Score: 1

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8363
Joined: 2011-09-08 17:48

Re: Virus check file sitting on remote site

Post by jimimaseye » 2017-03-20 23:30

mattg wrote: Yes I like those definitions too, however I'm not sure that they will be triggered by an embedded URL. I think that they only look at attachments.

They do, yes. (And I've witnessed it too.)

If you view http://sanesecurity.com/usage/signatures/ you will see the 'Latest Updates' (bottom right pane) and most of them are 'Jurlbl' updates which match the links in the email bodies. However, whether they cover links that point to Dropbox downloads (as the OP stated in the 1st post), I don't know because Dropbox links are genuine. I think the only way would be to download whatever the file is that is pointed to in the Dropbox link and let the local AV then scan it. (Maybe some of these jurlbl signatures do cover known attachments within Dropbox - who knows.)

AndreL
Normal user
Posts: 31
Joined: 2016-06-07 15:42

Re: Virus check file sitting on remote site

Post by AndreL » 2017-03-21 23:50

Indeed SURBL is only partially the answer, as the infected files are on public repositories like Dropbox or Google Drive.
Example: https://dl.dropboxusercontent.com/s/.....bill.zip

What I did until now is:

A global regex rule on the body to detect those links: (?im:^.*https?:\/\/([^ \"\'<>:])*\.(?:zip|exe|doc|xls|vb|bat|cmd).*$)
Action: add [suspicious message] to the subject via a VBS routine and move it to the SPAM folder.

to be cont'd

NB: I'm using now:

multi.surbl.org
dbl.spamhaus.org
uribl.spameatingmonkey.net
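As an added example (not code from the thread or from hMailServer), the global-rule regex above applied in Python over a constructed message body, together with a subject-tagging step that mirrors the described action. The URL-extraction helper, the function names and the sample body are my own assumptions.

```python
import re

# Regex from the post, used unchanged: matches a body line that carries an
# http(s) URL followed somewhere by ".zip", ".exe", ".doc", ".xls", ".vb",
# ".bat" or ".cmd". Note the alternation matches a prefix, so ".docx"
# and ".xlsx" are caught as well (and so would ".document" be).
RISKY_LINK = re.compile(
    r"(?im:^.*https?:\/\/([^ \"\'<>:])*\.(?:zip|exe|doc|xls|vb|bat|cmd).*$)"
)

# Helper added here (not from the post): pulls the URL out of a flagged line
# so that a log entry or quarantine note can show exactly what was matched.
URL = re.compile(r"https?://[^ \"'<>]+", re.I)


def flagged_lines(body: str) -> list:
    """Return every body line the global rule would match."""
    return [m.group(0) for m in RISKY_LINK.finditer(body)]


def risky_urls(body: str) -> list:
    """Return the URLs found on flagged lines, for logging or later scanning."""
    urls = []
    for line in flagged_lines(body):
        urls.extend(URL.findall(line))
    return urls


def tag_subject(subject: str, body: str) -> str:
    """Mirror the rule action: prefix the subject when a risky link is present."""
    if flagged_lines(body):
        return "[suspicious message] " + subject
    return subject


# Constructed sample body (placeholder links, nothing real).
SAMPLE_BODY = """Hello,
Please find the invoice here: https://dl.dropboxusercontent.com/s/abc123/bill.zip
Documentation: https://docs.example.net/guide.pdf
Regards
"""

if __name__ == "__main__":
    for url in risky_urls(SAMPLE_BODY):
        print("flagged:", url)
    print(tag_subject("Invoice 4711", SAMPLE_BODY))
```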

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: Virus check file sitting on remote site

Post by sanesecurity » 2017-03-22 14:28

Sorry for the delay.

There *used* to be a feature in ClamAV that, when it found a URL in the body, did a wget on the link and then you could match against the downloaded file.

The feature was removed, either due to performance issues or the risk of a DoS happening.

Some known malware Dropbox links are blocked in phish.ndb or blurl.ndb.

In the meantime, can you send me a zipped copy of the samples you have and I'll take a look:

false_positive@sanesecurity.org.uk
