Block attachments in .zip files

This section contains scripts that hMailServer has contributed with. hMailServer 5 is needed to use these.
mikedibella
Normal user
Posts: 177
Joined: 2016-12-08 02:21

Block attachments in .zip files

Post by mikedibella » 2016-12-14 23:36

I wanted a way to extend blocking of attachments to include attachments with restricted extensions in .zip files.

ZipScanner.exe is a simple command line scanner that does that.

It uses the hMailServer COM API to read the list of restricted extensions, and blocks a message if a .zip file is attached containing a file with a restricted extension.

To use it, copy ZipScanner.exe into the hMailServer bin directory and set the following on the "External virus scanner" tab:

Use external scanner: checked.
Scanner executable: <path to ZipScanner.exe>\ZipScanner.exe "%FILE%" "api-username" "api-password"
Return value: 1

"api-username" is the admin account or another account with Server level permission.

ZipScanner.exe will log results to the Application log. To get clean event messages, merge ZipScanner.reg into the registry and change the following keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ZipScanner

EventMessageFile: modify the default value, if necessary, to be <path to ZipScanner.exe>\ZipScanner.exe.
LoggingLevel: set to 0 for errors only; 1 for summary logging of blocked messages; 2 for verbose logging of all processed messages.

ZipScanner is written in Borland Delphi as a console application and uses libraries from The Indy Project for message processing. It does not scan recursively, so zips within zips will not be checked.

Pascal source code is included, but The Indy Project libraries are required to compile. A source and compiled file for the event log resource file is included, and a compiled resource file for the executable which can be read and modified directly by Delphi.
Attachments
ZipScanner.zip
(241.01 KiB) Downloaded 93 times

jimimaseye
Moderator
Posts: 8132
Joined: 2011-09-08 17:48

Re: Block attachments in .zip files

Post by jimimaseye » 2016-12-14 23:59

An alternative method is also available here: viewtopic.php?t=30002

Another alternative is to use Clamwin/ClamAV (viewtopic.php?f=21&t=26829) with Sanesecurity definitions (http://sanesecurity.com/), which have this feature built in using their foxhole rules (http://sanesecurity.com/foxhole-databases/).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block attachments in .zip files

Post by RvdH » 2019-07-10 14:40

I had some spare time last weekend, so I tried to re-create mikedibella's project in C#.

It uses MimeKit and also supports attachments in TNEF formatted mails (winmail.dat).

Code:

ZipScanner Options:
  -u, --username=VALUE       specify your hMailserver username.
  -p, --password=VALUE       specify your hMailserver password.
  -f, --file=VALUE           specify path to *.eml.
  -b, --blockcorrupted       block corrupted zip archives
  -z, --zip                  disallow zip archives within zip archives
  -v, --verbose              increase debug message verbosity
  -h, --help                 show this message and exit

It uses the hMailServer COM API to read the list of restricted extensions, and blocks a message if a .zip file is attached containing a file with a restricted extension.
By using the optional -z parameter you can add .zip to the list of restricted extensions, thus disallowing zip archives within zip archives.

The optional -b parameter checks the Zip archive file signature; if this option is enabled it returns 2 instead of 1 when a corrupted archive is found.

To use it, copy ZipScanner.exe into the hMailServer bin directory and set the following on the "External virus scanner" tab:

Use external scanner: checked.
Scanner executable: <path to ZipScanner.exe>\ZipScanner.exe -u="username" -p="password" -f="%FILE%"
Return value: 2


(source included)
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
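
The check that both ZipScanner posts above describe (list the members of each attached .zip, block on a restricted extension, optionally treat nested zips and corrupted archives as hits), sketched in Python as an added example; it is not mikedibella's or RvdH's code. The `RESTRICTED` set stands in for the list the real tools read from the hMailServer COM API, and the function names, sample message and exit code are this example's own assumptions.

```python
import io
import sys
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: stand-in for the restricted-extension list read via the hMailServer COM API.
RESTRICTED = {".exe", ".js", ".vbs", ".scr"}

def scan_zip(data, restricted, block_nested=False, block_corrupted=False):
    """Return the reasons to block one .zip attachment (empty list = clean)."""
    exts = set(restricted) | ({".zip"} if block_nested else set())
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()  # reads the central directory; nothing is extracted
    except zipfile.BadZipFile:
        return ["corrupted archive"] if block_corrupted else []
    hits = []
    for name in names:
        # Bare, lower-cased file name; trailing dots/spaces are dropped as Windows does.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
        if any(base.endswith(ext) for ext in exts):
            hits.append(name)
    return hits

def scan_eml(raw, restricted=RESTRICTED, **opts):
    """Map each .zip attachment name in a raw .eml to its list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.is_multipart() or not fname.lower().endswith(".zip"):
            continue
        hits = scan_zip(part.get_payload(decode=True) or b"", restricted, **opts)
        if hits:
            findings[fname] = hits
    return findings

def make_eml(zip_name, members):
    """Constructed sample: a message carrying one zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"constructed sample content")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_eml("docs.zip", ["a/Invoice.PDF.EXE"])
    findings = scan_eml(raw, block_nested=True, block_corrupted=True)
    print(findings)
    sys.exit(1 if findings else 0)  # non-zero asks the caller to block the message
```

Like the original Delphi tool, this does not recurse into inner archives; `block_nested=True` rejects them outright instead.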

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attachments in .zip files

Post by SorenR » 2019-07-10 22:23

Did you have a look at this?
https://www.hmailserver.com/forum/viewt ... p?p=213170

Seems that hMailServer attachment handling is not the best... I'm experiencing lost and hidden attachments :roll:

I got the results with my modified 5.4.2 ... Currently building a new 64 bit server to play with. I'd love to use your build but I have some minor modifications and the latest you have on Github is .17 ... :mrgreen:

I think part of the attachment (Mime) handling is done by the Boost library functions and I know that has been updated since 5.4.2.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block attachments in .zip files

Post by RvdH » 2019-07-10 23:00

No sorry, hadn't had a look at that (yet)

But I found out this approach has its issues as well, for example with winmail.dat (TNEF) messages

Above doesn't use any of the hMailServer internal MIME handling, it simply takes the *.eml and MimeKit library takes care of the rest, MessagePart, MimePart and Attachment parsing, TNEF parsing etc.
Really loved working with MimeKit, that is one powerful library if you ask me!

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attachments in .zip files

Post by SorenR » 2019-07-11 00:12

RvdH wrote:
2019-07-10 23:00
No sorry, hadn't had a look at that (yet)

But I found out this approach has its issues as well, for example with winmail.dat (TNEF) messages

Above doesn't use any of the hMailServer internal MIME handling, it simply takes the *.eml and MimeKit library takes care of the rest, MessagePart, MimePart and Attachment parsing, TNEF parsing etc.
Really loved working with MimeKit, that is one powerful library if you ask me!
I read this, it's somewhat similar to what you are doing - editing the .eml file outside hMailServer.
https://www.hmailserver.com/forum/viewt ... 96#p185491
and thought I'd have a go at it...

How difficult could it be to rename a "filename" in a text file :roll: I'll just run it through RegEx :lol:

Code:

Sub WarningAttachments(oMessage)
    Dim oFSO, i, strWarning, strRegEx, strFile, strNewFile, bSave, bAddWarning, MailFile
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    bSave = False
    '
    '   Disclaimer
    '
    bAddWarning = True
'   strWarning = "C:\Program Files (x86)\hMailServer\Addons\Utilities\Attachement_Warning_Readme.txt"
    strWarning = "C:\\hMailServer\Addons\Utilities\Attachement_Warning_Readme.txt"
    '
    '   Set the extensions you want to rename, each must be in the format (\.htm.?)$ and separated with a |
    '
    '   Eg: .Pattern = "(\.docm)$"      '   rename .docm files. Microsoft Word Open XML macro-enabled document.
    '       .Pattern = "(\.doc(m|x)?)$" '   rename .doc, .docm and .docx files.
    '       .Pattern = "(\.xlsm)$"      '   rename .xlsm files. Microsoft Excel Open XML macro-enabled workbook.
    '       .Pattern = "(\.xls(m|x)?)$" '   rename .xls, .xlsm and .xlsx files.
    '       .Pattern = "(\.html?)$"     '   rename both .htm and .html files.
    '                                   '   The "\." translate to a ".".
    '                                   '   The "?"  indicate preceding letter is optional.
    '                                   '   The "$"  indicate End-Of-String.
    '
    strRegEx = "(\.html?)$|(\.doc(m|x)?)$|(\.xls(m|x)?)$"
    MailFile = CreateObject("Scripting.FileSystemObject").OpenTextFile(oMessage.FileName, 1).ReadAll
    With CreateObject("VBScript.RegExp")
        .Global = True
        .MultiLine = True
        .IgnoreCase = True
        '
        '   Run test.
        '
        For i = 0 To oMessage.Attachments.Count-1
            .Pattern = strRegEx
            If .Test(oMessage.Attachments(i).Filename) Then
                EventLog.Write("Attachement will be renamed for " & oMessage.To & ": " & oMessage.Attachments(i).Filename)
                strFile    = "name=" & Chr(34) & oMessage.Attachments(i).Filename & Chr(34)
                strNewFile = "name=" & Chr(34) & oMessage.Attachments(i).Filename & ".WARNING" & Chr(34)
                .Pattern = strFile
                '
                '   Rename all occurrences of oMessage.Attachments(i).Filename in the file.
                '
                MailFile = .Replace(MailFile, strNewFile)
                '
                '   Flag that we need to save the message later
                '
                bSave = True
            End If
        Next
    End With
    If bSave Then
        CreateObject("Scripting.FileSystemObject").OpenTextFile(oMessage.FileName, 2).Write(MailFile)
        oMessage.RefreshContent
        oMessage.Save
        If bAddWarning Then oMessage.Attachments.Add(strWarning)
        oMessage.Save
    End If
    Set oFSO = Nothing
End Sub

Well... The warning is attached but the renamed attachments disappear into thin air...

Am I missing something fundamental ?

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block attachments in .zip files

Post by RvdH » 2019-07-11 12:49

SorenR wrote:
2019-07-10 22:23
I got the results with my modified 5.4.2 ... Currently building a new 64 bit server to play with. I'd love to use your build but I have some minor modifications and the latest you have on Github is .17 ... :mrgreen:
*.21 pushed to github

How do you attach the files? Simply in Outlook?
Is the Mimepart order always the same? Can you supply a complete copy of scripts, rules and archives? Send me a pm if you wish...

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attachments in .zip files

Post by SorenR » 2019-07-11 13:51

RvdH wrote:
2019-07-11 12:49
SorenR wrote:
2019-07-10 22:23
I got the results with my modified 5.4.2 ... Currently building a new 64 bit server to play with. I'd love to use your build but I have some minor modifications and the latest you have on Github is .17 ... :mrgreen:
*.21 pushed to github

How do you attach the files? Simply in Outlook?
Is the Mimepart order always the same? Can you supply a complete copy of scripts, rules and archives? Send me a pm if you wish...
Using my trusted Outlook 2003 (modified to allow blocked extensions) and from my GMail. It does not matter if I send as Plain text, Rich text or HTML.

Complete script in previous post.

Rule is simple: Account Postmaster, account rule: if subject = "*WARNING*" then run "WarningAttachments"

Repeating the test is done by forwarding the same mail from my Sent Mail folder.

Content of the .htm and .html files:

Code:

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%

Private Sub testEmail( emailto )
    Dim oMatch, oMatches
    With CreateObject("VBScript.RegExp")
        .Pattern = "(([a-zA-Z0-9_\-\.]+)\@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5}))"
        .Global = True
        .MultiLine = True
        .IgnoreCase = True
        Set oMatches = .Execute(emailto)
    End With
    emailto = ""
    For Each oMatch In oMatches
        emailto = oMatch & ";" & emailto
    Next
    With CreateObject("CDO.Message")
        .Configuration.Fields.Item(             "http://schemas.microsoft.com/cdo/configuration/sendusing" ) = 2
        .Configuration.Fields.Item(            "http://schemas.microsoft.com/cdo/configuration/smtpserver" ) = "localhost"
        .Configuration.Fields.Item(        "http://schemas.microsoft.com/cdo/configuration/smtpserverport" ) = 25
        .Configuration.Fields.Item(      "http://schemas.microsoft.com/cdo/configuration/smtpauthenticate" ) = 0
        .Configuration.Fields.Item(               "http://schemas.microsoft.com/cdo/configuration/sendtls" ) = False
        .Configuration.Fields.Item(            "http://schemas.microsoft.com/cdo/configuration/smtpusessl" ) = False
        .Configuration.Fields.Item( "http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout" ) = 10
        .Configuration.Fields.Item(          "http://schemas.microsoft.com/cdo/configuration/sendusername" ) = "user@domain.tld"
        .Configuration.Fields.Item(          "http://schemas.microsoft.com/cdo/configuration/sendpassword" ) = "password"
        .Configuration.Fields.Update
        .Subject = "Test subject"
        .From = "user@domin.tld"
        .To = emailto
        .TextBody = "Test body"
        .Send
    End With
    WScript.Echo( "eMail(s) sent to " & emailto & " at " & Now() )
End Sub

Call testEmail(Request.QueryString( "emailto") )

%>

Yeah, I copied an old test file from another project :mrgreen:

The other issue where I clone a message to forward blocked extensions to Postmaster, I call "oMessage.Attachment.Clear" and oMessage.Attachment.Count = 0. I then re-attach the .ps1 and .vbs files ... I end up with an extra .txt file ... Where did that one come from? And where does the .html file go suddenly so it eludes being deleted and gets re-attached ... I'm inclined to call them X-Files :wink:

Thanks for the update on Github... I'll go figure out how to get this Github thing to work with my VS :mrgreen:

BTW... The Outlook thing... (11.0 = Office 2003, change as needed, restart Outlook)

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
"Level1Remove"=".vbs;.ps1;.asp"

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block attachments in .zip files

Post by RvdH » 2019-07-13 12:01

jimimaseye, can you remove the off-topic posts?
I can't remove an attachment in the forum once a topic can't be edited, right? I found a (tiny) bug in my above ZipScanner attachment

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block attachments in .zip files

Post by RvdH » 2019-07-13 12:10

I had some spare time last weekend, so I tried to re-create mikedibella's project in C#.

It uses MimeKit and also supports attachments in TNEF formatted mails (winmail.dat).

Code:

ZipScanner Options:
  -u, --username=VALUE       specify your hMailserver username.
  -p, --password=VALUE       specify your hMailserver password.
  -f, --file=VALUE           specify path to *.eml.
  -b, --blockcorrupted       block corrupted zip archives
  -z, --zip                  disallow zip archives within zip archives
  -v, --verbose              increase debug message verbosity
  -h, --help                 show this message and exit

It uses the hMailServer COM API to read the list of restricted extensions, and blocks a message if a .zip file is attached containing a file with a restricted extension.
By using the optional -z parameter you can add .zip to the list of restricted extensions, thus disallowing zip archives within zip archives.

The optional -b parameter checks the Zip archive file signature; if this option is enabled it returns 2 instead of 1 when a corrupted archive is found.

To use it, copy ZipScanner.exe into the hMailServer bin directory and set the following on the "External virus scanner" tab:

Use external scanner: checked.
Scanner executable: <path to ZipScanner.exe>\ZipScanner.exe -u="username" -p="password" -f="%FILE%"
Return value: 2

When you click "Test" it will return 10, this is absolutely fine as the test message doesn't contain valid MIME parts

(source included)
Attachments
ZipScanner.zip
(418.86 KiB) Downloaded 17 times

jimimaseye
Moderator
Posts: 8132
Joined: 2011-09-08 17:48

Re: Block attachments in .zip files

Post by jimimaseye » 2019-07-14 00:18

RvdH wrote:
2019-07-13 12:01
jimimaseye, can you remove the off-topic posts?
I can't remove an attachment in the forum once a topic can't be edited, right? I found a (tiny) bug in my above ZipScanner attachment
I've removed the attachment. Please check. ( If there is any other then post the link to the exact post please. )

[Entered by mobile. Excuse my spelling.]
