Adding warning to message only if it contains attachments

This section contains user-submitted tutorials.
Post Reply
berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-21 12:14

Hello,

I've seen the different solutions here to add warning messages to all external mail and the solutions in this post https://www.hmailserver.com/forum/viewt ... =7&t=29777 look very attractive so I can combine it with a rule to only apply it on selected domain (or not of course :wink: ).

But what I really need is a script which only fires when the message body contains an dangerous attachment or an url which maybe a phishing attempt.

This post https://www.hmailserver.com/forum/viewt ... 77#p224970 looks perfect to me to use as a start.

I would try and do it myself if I knew enough of vbs-scripting and the variables I could use but I rather trust your expertise and will post back the exact instructions once this is working fine on my implementation of HMS.

Thanks in advance for your contributions!
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-21 14:00

Before you can add a message for phishing, you need a way to determine if the message is phishing. Do you have a way of determining that?

ClamAV with SaneSecurity can pick out phishing heuristics. Do you have that installed/working?

You must have SpamAssassin working
You must have ClamAV working
You must have SaneSecurity signatures working with ClamAV

You could check X-Spam-Report header for a hit on phishing heuristics. If found, that would be the trigger (not called by rule). But you'd have to have a low score for phishing to allow the message to pass. The recommended scoring for phishing is high to push it above the delete threshold.

Why not just delete it?

berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Re: Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-21 15:17

Thanks Palinka,

To clarify:
  • The script should act only if an attachment is found or if any url is found in the message
  • The rule is to apply it only for one or more domains or to not apply it to certain domains (depending how you set up the rule)
I have SA en ClamAV working and will look into Sanesecurity but thats not the issue here.
(Turns out I have Sanesecurity via Securiteinfo :D )
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-25 04:19

berg128 wrote:
2021-01-21 15:17
Thanks Palinka,

To clarify:
  • The script should act only if an attachment is found or if any url is found in the message
  • The rule is to apply it only for one or more domains or to not apply it to certain domains (depending how you set up the rule)
I have SA en ClamAV working and will look into Sanesecurity but thats not the issue here.
(Turns out I have Sanesecurity via Securiteinfo :D )
Try this:

Code: Select all

REM - Function Lookup - https://www.hmailserver.com/forum/viewtopic.php?p=212052
Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Sub OnDeliverMessage(oMessage)

	strRegEx = "Phishing"
	If Lookup(strRegEx, oMessage.HeaderValue("X-Spam-Report")) Then
	
		REM - Add warning to emails - https://www.hmailserver.com/forum/viewtopic.php?p=224970#p224970
		Dim txtMsg, aspMsg
		If oMessage.HeaderValue("X-hMailServer-LoopCount") = "" Then
			If oMessage.HasBodyType("text/plain") Then
			txtMsg = "          ***********************************************************************" & vbCrLf &_
					 "          * CAUTION: This email originated from outside of the organization. Do *" & vbCrLf &_
					 "          * not click links or open attachments unless you recognize the sender *" & vbCrLf &_
					 "          *                     and know the content is safe.                   *" & vbCrLf &_
					 "          ***********************************************************************" & vbCrLf &_
					 "                                                                                 " & vbCrLf
			oMessage.Body = txtMsg & oMessage.Body
		End If
		If oMessage.HasBodyType("text/html") Then
			aspMsg = "<table cellpadding='20' width='650' border='0' align='center' style='background-color: Tomato; font-family: Arial; font-size: 12px; text-align: center;'>" &_
					 "<tbody>" &_
					  "<tr>" &_
					  "<th scope='col'>" &_
					  "CAUTION: This email originated from outside of the organization. Do " &_
					  "not click links or open attachments unless you recognize the sender " &_
					  "and know the content is safe." &_
					  "</th>" &_
					 "</tr>" &_
					 "</tbody>" &_
					 "</table><br>"
			oMessage.HTMLBody = aspMsg & oMessage.HTMLBody
		End If
			oMessage.save
		End If
	
	End If

End Sub
This is NOT tested.

The code is triggered on each message. All I did was wrap the code you linked in an if statement that looks for the word "Phishing" in header X-Spam-Report. You don't need any rules for this to work. However, as I said before, you need the following prerequisites:

Spamassassin
ClamAV
SaneSecurity definitions for ClamAV
Spamassassin configured to test messages using ClamAV

Here's an example of what would appear in message headers using the above configuration:

Code: Select all

X-Spam-Status: 	Yes, score=13.3 required=3.0 tests=ADD_TO_SCORE,CLAMAV, HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=disabled version=3.4.0
X-Spam-Virus: 	Yes (Heuristics.Phishing.Email.SpoofedDomain)
X-Spam-Report: 	
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust 
 * [192.86.51.102 listed in list.dnswl.org] 
 * 2.2 ADD_TO_SCORE BODY: This simply adds 2.2 to the score 
 * 0.0 HTML_MESSAGE BODY: HTML included in message 
 * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 
 * 10 CLAMAV Clam AntiVirus detected a virus 
 * [Heuristics.Phishing.Email.SpoofedDomain] 
 * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
Note the spamassassin score for a hit on ClamAV: 10. That should be enough to delete any message. You would necessarily need to reduce that to almost nothing in order to keep the total score below your delete threshold.

That's why I asked earlier about why not just allow these messages to be deleted? I haven't seen this triggered much on my system and I don't believe I've had any false positives. Of course, I block a lot of spam before it even gets to DATA, but that's a different story. :D

Some hints here to get you started with SA/ClamAV/heuristics: https://hmailserver.com/forum/viewtopic ... 43#p206943

berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Re: Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-25 22:26

Thanks Palinka for your tips but.... :)

What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.

It is an extra to the normal Spam/Fishing/antivirus checks already in place in HMS but which offer no warranty an attachment is virusfree or has no spam or fishing-url in it. Of course if it has a virus or has a high spam value the message will be deleted in that proces, but if it passes through this warning message will be added.

Doin this on a message which is going to be delivered to an user we can thus maybe prevent them from opening the attachment or clicking on an url which may contain e.g. a fishing attempt.

So it should be triggered after spam and viruscheck and just before it is delivered and then preferrable via a rule which contains the domain name of the receiving party after they have choosen to have this warning in external mail.

Hope this is clear for now
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-25 23:53

berg128 wrote:
2021-01-25 22:26
Thanks Palinka for your tips but.... :)

What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.
Let's start over.

How will you determine whether a url or attachment is one that needs to be flagged?

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Adding warning to message only if it contains attachments

Post by SorenR » 2021-01-26 00:40

berg128 wrote:
2021-01-25 22:26
Thanks Palinka for your tips but.... :)

What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.

It is an extra to the normal Spam/Fishing/antivirus checks already in place in HMS but which offer no warranty an attachment is virusfree or has no spam or fishing-url in it. Of course if it has a virus or has a high spam value the message will be deleted in that proces, but if it passes through this warning message will be added.

Doin this on a message which is going to be delivered to an user we can thus maybe prevent them from opening the attachment or clicking on an url which may contain e.g. a fishing attempt.

So it should be triggered after spam and viruscheck and just before it is delivered and then preferrable via a rule which contains the domain name of the receiving party after they have choosen to have this warning in external mail.

Hope this is clear for now
You know, there is a search function on this board...

https://www.hmailserver.com/forum/viewt ... ng#p186082

Read the thread from top to bottom as it describe multiple solutions.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Re: Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-26 08:29

palinka wrote:
2021-01-25 23:53
How will you determine whether a url or attachment is one that needs to be flagged?
The presence of an url or an attachment is enough.
SorenR wrote:
2021-01-26 00:40
You know, there is a search function on this board...
I started this post mentioning this post in the first place. Can you tell where I can read how to get it to fire when an url or attachment is present?
As said before the part to call it from a rule is clear to me and I will get it done I guess. I'm just asking if somebody knows how to put in the condition I need.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-26 14:01

berg128 wrote:
2021-01-26 08:29
palinka wrote:
2021-01-25 23:53
How will you determine whether a url or attachment is one that needs to be flagged?
The presence of an url or an attachment is enough.
If that's the case, then try this:

Code: Select all

REM - Function Lookup - https://www.hmailserver.com/forum/viewtopic.php?p=212052
Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Sub OnAcceptMessage(oClient, oMessage)

	REM - Add banner to messages with any url in body
	If oClient.Username = "" Then
		strRegEx = "https?:\/\/"
		If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) Then
			REM - Add warning to emails - https://www.hmailserver.com/forum/viewtopic.php?p=224970#p224970
			Dim txtMsg, aspMsg
			If oMessage.HeaderValue("X-hMailServer-LoopCount") = "" Then
				If oMessage.HasBodyType("text/plain") Then
				txtMsg = "          ***********************************************************************" & vbCrLf &_
						 "          * CAUTION: This email originated from outside of the organization. Do *" & vbCrLf &_
						 "          * not click links or open attachments unless you recognize the sender *" & vbCrLf &_
						 "          *                     and know the content is safe.                   *" & vbCrLf &_
						 "          ***********************************************************************" & vbCrLf &_
						 "                                                                                 " & vbCrLf
				oMessage.Body = txtMsg & oMessage.Body
			End If
			If oMessage.HasBodyType("text/html") Then
				aspMsg = "<table cellpadding='20' width='650' border='0' align='center' style='background-color: Tomato; font-family: Arial; font-size: 12px; text-align: center;'>" &_
						 "<tbody>" &_
						  "<tr>" &_
						  "<th scope='col'>" &_
						  "CAUTION: This email originated from outside of the organization. Do " &_
						  "not click links or open attachments unless you recognize the sender " &_
						  "and know the content is safe." &_
						  "</th>" &_
						 "</tr>" &_
						 "</tbody>" &_
						 "</table><br>"
				oMessage.HTMLBody = aspMsg & oMessage.HTMLBody
			End If
				oMessage.save
			End If
		End If
	End If

End Sub
If client connection is not authenticated (every outside server, so only incoming mail) AND a URL appears in text or html body, then the banner insertion will be triggered.

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Adding warning to message only if it contains attachments

Post by SorenR » 2021-01-26 15:11

berg128 wrote:
2021-01-26 08:29
palinka wrote:
2021-01-25 23:53
How will you determine whether a url or attachment is one that needs to be flagged?
The presence of an url or an attachment is enough.
SorenR wrote:
2021-01-26 00:40
You know, there is a search function on this board...
I started this post mentioning this post in the first place. Can you tell where I can read how to get it to fire when an url or attachment is present?
As said before the part to call it from a rule is clear to me and I will get it done I guess. I'm just asking if somebody knows how to put in the condition I need.
Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.

Either way you must know how to write a script procedure.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Re: Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-26 15:31

palinka wrote:
2021-01-26 14:01

If that's the case, then try this:
If client connection is not authenticated (every outside server, so only incoming mail) AND a URL appears in text or html body, then the banner insertion will be triggered.
Thanks Palinka that looks like a start, I just hadn't had the guts and enough knowledge where to put the condition. Two questions though:
  • Will this include both http:// and https:// ?
  • How to test if an email has an attachment?
SorenR wrote:
2021-01-26 15:11
Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.

Either way you must know how to write a script procedure.
That's my problem indeed, I know enough to be able to understand what's happening but not enough to achieve that myself.....hence my question.

From Palinka's answer I now learned how to put in a condition in his former script, now I need a suggestion to test on a attachment.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-26 16:16

berg128 wrote:
2021-01-26 15:31
  • Will this include both http:// and https:// ?
Yes: https://regex101.com/r/LjwwEY/1
  • How to test if an email has an attachment?
If oMessage.Attachments.Count > 0 Then

So to add it to the above example, where you will test:
IF
* sender not local
AND
* http/https not present in message body
OR
* http/https not present in message HTML body
OR
* message has attachment

Then:

Code: Select all

		If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) or oMessage.Attachments.Count > 0 Then

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Adding warning to message only if it contains attachments

Post by SorenR » 2021-01-26 17:06

berg128 wrote:
2021-01-26 15:31
SorenR wrote:
2021-01-26 15:11
Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.

Either way you must know how to write a script procedure.
That's my problem indeed, I know enough to be able to understand what's happening but not enough to achieve that myself.....hence my question.

From Palinka's answer I now learned how to put in a condition in his former script, now I need a suggestion to test on a attachment.
Well, Then you are "Palinka" about 1 year ago. We are all struck by a pandemic - where can you go?

https://www.amazon.com/Vbscript-Dummies ... 0764500309

https://www.tutorialspoint.com/vbscript/index.htm

Since hMailServer use the WSH (Windows Scripting Host) embedded in the code, it is missing "The Shell" thus there are a few things you can't do as they rely on "The Shell" like "sleep x" or "msgbox y" but not to worry, we got your back on those. :mrgreen:

There are thousands of lines of code in this forum to learn from and most beginners do actually embrace "cut and paste" shamelessly ... :mrgreen: ... Best way to learn by the way. "Learning by doing". Same way I wrote my first inventory system in Basic on a Sinclair ZX81 back in 1982 :wink:
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

palinka
Senior user
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Adding warning to message only if it contains attachments

Post by palinka » 2021-01-26 18:04

SorenR wrote:
2021-01-26 17:06
Well, Then you are "Palinka" about 1 year ago. We are all struck by a pandemic - where can you go?
Come on, man! Look, here's the deal - it was longer than that - At least 16 months!

Don't need no stinkin' books for learnin' stuff! Just pester Soren until he teaches you everything. :mrgreen:

berg128
Normal user
Normal user
Posts: 51
Joined: 2021-01-07 08:41

Re: Adding warning to message only if it contains attachments

Post by berg128 » 2021-01-29 23:51

palinka wrote:
2021-01-26 16:16
berg128 wrote:
2021-01-26 15:31
  • Will this include both http:// and https:// ?
Yes: https://regex101.com/r/LjwwEY/1
Top! :)
palinka wrote:
2021-01-26 16:16

Then:

Code: Select all

		If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) or oMessage.Attachments.Count > 0 Then
Great! Many thanks Palinka!
SorenR wrote:
2021-01-26 17:06

Well, Then you are "Palinka" about 1 year ago. We are all struck by a pandemic - where can you go?

Since hMailServer use the WSH (Windows Scripting Host) embedded in the code, it is missing "The Shell" thus there are a few things you can't do as they rely on "The Shell" like "sleep x" or "msgbox y" but not to worry, we got your back on those. :mrgreen:

There are thousands of lines of code in this forum to learn from and most beginners do actually embrace "cut and paste" shamelessly ... :mrgreen: ... Best way to learn by the way. "Learning by doing". Same way I wrote my first inventory system in Basic on a Sinclair ZX81 back in 1982 :wink:
My learning curve is much steaper than Palinka's so I'll probably be there in a few months.... :mrgreen:

But no kidding that's indeed the way I'm learning: mixture of trial and error, reading, copying and not being afraid to ask.

I'm leaning heavily on you all I know....and I'm very gratefull for that. Also hope my questions will be usefull for others.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs :)

Post Reply