Adding warning to message only if it contains attachments
Adding warning to message only if it contains attachments
Hello,
I've seen the different solutions here to add warning messages to all external mail and the solutions in this post https://www.hmailserver.com/forum/viewt ... =7&t=29777 look very attractive so I can combine it with a rule to only apply it on selected domain (or not of course ).
But what I really need is a script which only fires when the message body contains an dangerous attachment or an url which maybe a phishing attempt.
This post https://www.hmailserver.com/forum/viewt ... 77#p224970 looks perfect to me to use as a start.
I would try and do it myself if I knew enough of vbs-scripting and the variables I could use but I rather trust your expertise and will post back the exact instructions once this is working fine on my implementation of HMS.
Thanks in advance for your contributions!
I've seen the different solutions here to add warning messages to all external mail and the solutions in this post https://www.hmailserver.com/forum/viewt ... =7&t=29777 look very attractive so I can combine it with a rule to only apply it on selected domain (or not of course ).
But what I really need is a script which only fires when the message body contains an dangerous attachment or an url which maybe a phishing attempt.
This post https://www.hmailserver.com/forum/viewt ... 77#p224970 looks perfect to me to use as a start.
I would try and do it myself if I knew enough of vbs-scripting and the variables I could use but I rather trust your expertise and will post back the exact instructions once this is working fine on my implementation of HMS.
Thanks in advance for your contributions!
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs
Re: Adding warning to message only if it contains attachments
Before you can add a message for phishing, you need a way to determine if the message is phishing. Do you have a way of determining that?
ClamAV with SaneSecurity can pick out phishing heuristics. Do you have that installed/working?
You must have SpamAssassin working
You must have ClamAV working
You must have SaneSecurity signatures working with ClamAV
You could check X-Spam-Report header for a hit on phishing heuristics. If found, that would be the trigger (not called by rule). But you'd have to have a low score for phishing to allow the message to pass. The recommended scoring for phishing is high to push it above the delete threshold.
Why not just delete it?
ClamAV with SaneSecurity can pick out phishing heuristics. Do you have that installed/working?
You must have SpamAssassin working
You must have ClamAV working
You must have SaneSecurity signatures working with ClamAV
You could check X-Spam-Report header for a hit on phishing heuristics. If found, that would be the trigger (not called by rule). But you'd have to have a low score for phishing to allow the message to pass. The recommended scoring for phishing is high to push it above the delete threshold.
Why not just delete it?
Re: Adding warning to message only if it contains attachments
Thanks Palinka,
To clarify:
(Turns out I have Sanesecurity via Securiteinfo )
To clarify:
- The script should act only if an attachment is found or if any url is found in the message
- The rule is to apply it only for one or more domains or to not apply it to certain domains (depending how you set up the rule)
(Turns out I have Sanesecurity via Securiteinfo )
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs
Re: Adding warning to message only if it contains attachments
Try this:berg128 wrote: ↑2021-01-21 15:17Thanks Palinka,
To clarify:
- The script should act only if an attachment is found or if any url is found in the message
I have SA en ClamAV working and will look into Sanesecurity but thats not the issue here.
- The rule is to apply it only for one or more domains or to not apply it to certain domains (depending how you set up the rule)
(Turns out I have Sanesecurity via Securiteinfo )
Code: Select all
REM - Function Lookup - https://www.hmailserver.com/forum/viewtopic.php?p=212052
Function Lookup(strRegEx, strMatch) : Lookup = False
With CreateObject("VBScript.RegExp")
.Pattern = strRegEx
.Global = False
.MultiLine = True
.IgnoreCase = True
If .Test(strMatch) Then Lookup = True
End With
End Function
Sub OnDeliverMessage(oMessage)
strRegEx = "Phishing"
If Lookup(strRegEx, oMessage.HeaderValue("X-Spam-Report")) Then
REM - Add warning to emails - https://www.hmailserver.com/forum/viewtopic.php?p=224970#p224970
Dim txtMsg, aspMsg
If oMessage.HeaderValue("X-hMailServer-LoopCount") = "" Then
If oMessage.HasBodyType("text/plain") Then
txtMsg = " ***********************************************************************" & vbCrLf &_
" * CAUTION: This email originated from outside of the organization. Do *" & vbCrLf &_
" * not click links or open attachments unless you recognize the sender *" & vbCrLf &_
" * and know the content is safe. *" & vbCrLf &_
" ***********************************************************************" & vbCrLf &_
" " & vbCrLf
oMessage.Body = txtMsg & oMessage.Body
End If
If oMessage.HasBodyType("text/html") Then
aspMsg = "<table cellpadding='20' width='650' border='0' align='center' style='background-color: Tomato; font-family: Arial; font-size: 12px; text-align: center;'>" &_
"<tbody>" &_
"<tr>" &_
"<th scope='col'>" &_
"CAUTION: This email originated from outside of the organization. Do " &_
"not click links or open attachments unless you recognize the sender " &_
"and know the content is safe." &_
"</th>" &_
"</tr>" &_
"</tbody>" &_
"</table><br>"
oMessage.HTMLBody = aspMsg & oMessage.HTMLBody
End If
oMessage.save
End If
End If
End Sub
The code is triggered on each message. All I did was wrap the code you linked in an if statement that looks for the word "Phishing" in header X-Spam-Report. You don't need any rules for this to work. However, as I said before, you need the following prerequisites:
Spamassassin
ClamAV
SaneSecurity definitions for ClamAV
Spamassassin configured to test messages using ClamAV
Here's an example of what would appear in message headers using the above configuration:
Code: Select all
X-Spam-Status: Yes, score=13.3 required=3.0 tests=ADD_TO_SCORE,CLAMAV, HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=disabled version=3.4.0
X-Spam-Virus: Yes (Heuristics.Phishing.Email.SpoofedDomain)
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
* [192.86.51.102 listed in list.dnswl.org]
* 2.2 ADD_TO_SCORE BODY: This simply adds 2.2 to the score
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 10 CLAMAV Clam AntiVirus detected a virus
* [Heuristics.Phishing.Email.SpoofedDomain]
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
That's why I asked earlier about why not just allow these messages to be deleted? I haven't seen this triggered much on my system and I don't believe I've had any false positives. Of course, I block a lot of spam before it even gets to DATA, but that's a different story.
Some hints here to get you started with SA/ClamAV/heuristics: https://hmailserver.com/forum/viewtopic ... 43#p206943
Re: Adding warning to message only if it contains attachments
Thanks Palinka for your tips but....
What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.
It is an extra to the normal Spam/Fishing/antivirus checks already in place in HMS but which offer no warranty an attachment is virusfree or has no spam or fishing-url in it. Of course if it has a virus or has a high spam value the message will be deleted in that proces, but if it passes through this warning message will be added.
Doin this on a message which is going to be delivered to an user we can thus maybe prevent them from opening the attachment or clicking on an url which may contain e.g. a fishing attempt.
So it should be triggered after spam and viruscheck and just before it is delivered and then preferrable via a rule which contains the domain name of the receiving party after they have choosen to have this warning in external mail.
Hope this is clear for now
What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.
It is an extra to the normal Spam/Fishing/antivirus checks already in place in HMS but which offer no warranty an attachment is virusfree or has no spam or fishing-url in it. Of course if it has a virus or has a high spam value the message will be deleted in that proces, but if it passes through this warning message will be added.
Doin this on a message which is going to be delivered to an user we can thus maybe prevent them from opening the attachment or clicking on an url which may contain e.g. a fishing attempt.
So it should be triggered after spam and viruscheck and just before it is delivered and then preferrable via a rule which contains the domain name of the receiving party after they have choosen to have this warning in external mail.
Hope this is clear for now
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs
Re: Adding warning to message only if it contains attachments
Let's start over.
How will you determine whether a url or attachment is one that needs to be flagged?
Re: Adding warning to message only if it contains attachments
You know, there is a search function on this board...berg128 wrote: ↑2021-01-25 22:26Thanks Palinka for your tips but....
What I'm trying to achieve is to have a warning message added to an email which either contains an url or has one or more attachments.
It is an extra to the normal Spam/Fishing/antivirus checks already in place in HMS but which offer no warranty an attachment is virusfree or has no spam or fishing-url in it. Of course if it has a virus or has a high spam value the message will be deleted in that proces, but if it passes through this warning message will be added.
Doin this on a message which is going to be delivered to an user we can thus maybe prevent them from opening the attachment or clicking on an url which may contain e.g. a fishing attempt.
So it should be triggered after spam and viruscheck and just before it is delivered and then preferrable via a rule which contains the domain name of the receiving party after they have choosen to have this warning in external mail.
Hope this is clear for now
https://www.hmailserver.com/forum/viewt ... ng#p186082
Read the thread from top to bottom as it describe multiple solutions.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Adding warning to message only if it contains attachments
The presence of an url or an attachment is enough.
I started this post mentioning this post in the first place. Can you tell where I can read how to get it to fire when an url or attachment is present?
As said before the part to call it from a rule is clear to me and I will get it done I guess. I'm just asking if somebody knows how to put in the condition I need.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs
Re: Adding warning to message only if it contains attachments
If that's the case, then try this:
Code: Select all
REM - Function Lookup - https://www.hmailserver.com/forum/viewtopic.php?p=212052
Function Lookup(strRegEx, strMatch) : Lookup = False
With CreateObject("VBScript.RegExp")
.Pattern = strRegEx
.Global = False
.MultiLine = True
.IgnoreCase = True
If .Test(strMatch) Then Lookup = True
End With
End Function
Sub OnAcceptMessage(oClient, oMessage)
REM - Add banner to messages with any url in body
If oClient.Username = "" Then
strRegEx = "https?:\/\/"
If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) Then
REM - Add warning to emails - https://www.hmailserver.com/forum/viewtopic.php?p=224970#p224970
Dim txtMsg, aspMsg
If oMessage.HeaderValue("X-hMailServer-LoopCount") = "" Then
If oMessage.HasBodyType("text/plain") Then
txtMsg = " ***********************************************************************" & vbCrLf &_
" * CAUTION: This email originated from outside of the organization. Do *" & vbCrLf &_
" * not click links or open attachments unless you recognize the sender *" & vbCrLf &_
" * and know the content is safe. *" & vbCrLf &_
" ***********************************************************************" & vbCrLf &_
" " & vbCrLf
oMessage.Body = txtMsg & oMessage.Body
End If
If oMessage.HasBodyType("text/html") Then
aspMsg = "<table cellpadding='20' width='650' border='0' align='center' style='background-color: Tomato; font-family: Arial; font-size: 12px; text-align: center;'>" &_
"<tbody>" &_
"<tr>" &_
"<th scope='col'>" &_
"CAUTION: This email originated from outside of the organization. Do " &_
"not click links or open attachments unless you recognize the sender " &_
"and know the content is safe." &_
"</th>" &_
"</tr>" &_
"</tbody>" &_
"</table><br>"
oMessage.HTMLBody = aspMsg & oMessage.HTMLBody
End If
oMessage.save
End If
End If
End If
End Sub
Re: Adding warning to message only if it contains attachments
Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.berg128 wrote: ↑2021-01-26 08:29The presence of an url or an attachment is enough.
I started this post mentioning this post in the first place. Can you tell where I can read how to get it to fire when an url or attachment is present?
As said before the part to call it from a rule is clear to me and I will get it done I guess. I'm just asking if somebody knows how to put in the condition I need.
Either way you must know how to write a script procedure.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Adding warning to message only if it contains attachments
Thanks Palinka that looks like a start, I just hadn't had the guts and enough knowledge where to put the condition. Two questions though:
- Will this include both http:// and https:// ?
- How to test if an email has an attachment?
That's my problem indeed, I know enough to be able to understand what's happening but not enough to achieve that myself.....hence my question.SorenR wrote: ↑2021-01-26 15:11Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.
Either way you must know how to write a script procedure.
From Palinka's answer I now learned how to put in a condition in his former script, now I need a suggestion to test on a attachment.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs
Re: Adding warning to message only if it contains attachments
Yes: https://regex101.com/r/LjwwEY/1
If oMessage.Attachments.Count > 0 Then
- How to test if an email has an attachment?
So to add it to the above example, where you will test:
IF
* sender not local
AND
* http/https not present in message body
OR
* http/https not present in message HTML body
OR
* message has attachment
Then:
Code: Select all
If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) or oMessage.Attachments.Count > 0 Then
Re: Adding warning to message only if it contains attachments
Well, Then you are "Palinka" about 1 year ago. We are all struck by a pandemic - where can you go?berg128 wrote: ↑2021-01-26 15:31That's my problem indeed, I know enough to be able to understand what's happening but not enough to achieve that myself.....hence my question.SorenR wrote: ↑2021-01-26 15:11Either you create a rule to trigger on every incoming message and do the selection in a script procedure in EventHandlers.vbs OR you master RegEx enough to make the selection in a rule and then trigger a script procedure in EventHandlers.vbs.
Either way you must know how to write a script procedure.
From Palinka's answer I now learned how to put in a condition in his former script, now I need a suggestion to test on a attachment.
https://www.amazon.com/Vbscript-Dummies ... 0764500309
https://www.tutorialspoint.com/vbscript/index.htm
Since hMailServer use the WSH (Windows Scripting Host) embedded in the code, it is missing "The Shell" thus there are a few things you can't do as they rely on "The Shell" like "sleep x" or "msgbox y" but not to worry, we got your back on those.
There are thousands of lines of code in this forum to learn from and most beginners do actually embrace "cut and paste" shamelessly ... ... Best way to learn by the way. "Learning by doing". Same way I wrote my first inventory system in Basic on a Sinclair ZX81 back in 1982
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Adding warning to message only if it contains attachments
Come on, man! Look, here's the deal - it was longer than that - At least 16 months!
Don't need no stinkin' books for learnin' stuff! Just pester Soren until he teaches you everything.
Re: Adding warning to message only if it contains attachments
Top!
Great! Many thanks Palinka!palinka wrote: ↑2021-01-26 16:16
Then:Code: Select all
If Lookup(strRegEx, oMessage.Body) or Lookup(strRegEx, oMessage.HTMLBody) or oMessage.Attachments.Count > 0 Then
My learning curve is much steaper than Palinka's so I'll probably be there in a few months....SorenR wrote: ↑2021-01-26 17:06
Well, Then you are "Palinka" about 1 year ago. We are all struck by a pandemic - where can you go?
Since hMailServer use the WSH (Windows Scripting Host) embedded in the code, it is missing "The Shell" thus there are a few things you can't do as they rely on "The Shell" like "sleep x" or "msgbox y" but not to worry, we got your back on those.
There are thousands of lines of code in this forum to learn from and most beginners do actually embrace "cut and paste" shamelessly ... ... Best way to learn by the way. "Learning by doing". Same way I wrote my first inventory system in Basic on a Sinclair ZX81 back in 1982
But no kidding that's indeed the way I'm learning: mixture of trial and error, reading, copying and not being afraid to ask.
I'm leaning heavily on you all I know....and I'm very gratefull for that. Also hope my questions will be usefull for others.
Mail Experience: Mdaemon 23 yrs Exchange 22 yrs HMS 0,16 yrs