Block ZIP for everyone except one...

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Block ZIP for everyone except one...

Post by alleseitle » 2016-05-23 14:03

Hello!

Since they bomb us now with ZIPs containing JS, EXE, SCR and so on, I want to block ZIP attachments. Of course I read how to do that - BUT:

ONE user NEEDS ZIPs to go through (he gets activation keys for cinema movies in ZIP files). How can I make an exception for this one user?

thanks for any help!

daniel

jimimaseye
Moderator
Posts: 8349
Joined: 2011-09-08 17:48

Re: Block ZIP for everyone except one...

Post by jimimaseye » 2016-05-23 14:49

You can only do it with a script.

Start with this script: viewtopic.php?p=165892#p165892

You can then modify it to apply to individual users as you wish.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: Block ZIP for everyone except one...

Post by tochi » 2016-05-23 19:04

Maybe you don't have to block all zip files. With ClamAV and SaneSecurity definitions you can choose different protection levels. For example, you may want to allow zip files which contain no dangerous file types (.exe, .scr, ...).

Please see the link.
viewtopic.php?f=7&t=29329&p=184108&hili ... hi#p184103

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Re: Block ZIP for everyone except one...

Post by alleseitle » 2016-05-25 00:18

Hello!

Thank you for your replies.

I have to admit that I usually do other things than configuring mail servers and AV solutions. I was really confused by the linked posts (which I had already read before I started this thread).

ClamAV and ClamWin are very confusing, even their names (in config files, settings etc. it is all mixed up) - however:

ClamAV service: there is no way to install it with "clamd --install"; different errors, DLL errors and so on depending on the version.

So I decided to use ClamWin even though the performance while scanning is extremely problematic.

Anyway: it works with the alternate signatures to remove EXE, SCR and JS.

I am a little surprised that "BAT" files in "ZIPs" are not killed - how do I get that? (also CMDs etc. - simply everything that can be "run" I want to be removed from emails)

greetings daniel

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: Block ZIP for everyone except one...

Post by tochi » 2016-05-25 00:57

I use ClamAV (not ClamWin) and installed it as a service with no issue at all, though I forgot how I installed it as a service. Probably I did it with NSSM.

Have you enabled foxhole_all.cdb? According to SaneSecurity descriptions, it should be able to detect .bat and .cmd.

Make sure your ClamSup.ini includes the following.

Code:

# SaneSecurity foxhole_all.cdb - Foxhole_all sigs [HIGH FP RISK]
rsync://rsync.sanesecurity.net/sanesecurity;foxhole_all.cdb;N;Y;Y;N;N

Dravion
Senior user
Posts: 1635
Joined: 2015-09-26 11:50
Location: Germany

Re: Block ZIP for everyone except one...

Post by Dravion » 2016-05-25 01:25

Instead of blacklisting specific file extensions you should consider using a whitelist. There are also options on the DNS layer (for instance BIND's RRL+RPZ feature) which can block entire DNS servers from Russian, Chinese and Nigerian rogue networks in the first place, so your hMailServer will not be contacted by these idiots in the first place (this is very expensive for the attackers to mitigate); flooding can be reduced by the firewall with connection rate limiting.

DPS
New user
Posts: 4
Joined: 2016-02-22 23:24

Re: Block ZIP for everyone except one...

Post by DPS » 2016-05-25 18:41

I wrote a whitelist script a while back that has configurable per-user whitelists in addition to a global one. If you're interested, let me know.

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Re: Block ZIP for everyone except one...

Post by alleseitle » 2016-05-25 19:44

Hello!

Thank you again!

Whitelisting is no option at this point (you know, I cannot forbid anything for my customers). I added a lot of signatures - I understand that I can add as many as I want - correct?

A stupid question at the end: should I deactivate the automatic signature update feature in the preferences of ClamWin?

greetings from Austria...

tochi
Senior user
Posts: 278
Joined: 2015-07-28 22:55

Re: Block ZIP for everyone except one...

Post by tochi » 2016-05-25 20:02

Yes. You can add whatever signatures you want. Just remember not to set the update interval shorter than 1 hour.
In my experience, ClamAV can hardly detect any virus with its own database. But it has never had a false positive either. It doesn't hurt to keep updating its signatures.

jimimaseye
Moderator
Posts: 8349
Joined: 2011-09-08 17:48

Re: Block ZIP for everyone except one...

Post by jimimaseye » 2016-05-25 20:31

alleseitle wrote: ClamAV and ClamWin are very confusing, even their names (in config files, settings etc. it is all mixed up) - however:

ClamAV service: there is no way to install it with "clamd --install"; different errors, DLL errors and so on depending on the version.
If you followed my instruction here: viewtopic.php?f=21&t=26829 then you will not have problems installing the Clamd service with ClamWin. (If you have tried, and failed, you have done something wrong. Stop, uninstall and start again from scratch.)

If you rely on ClamWin ALONE (without the service) you are asking for trouble if your server gets busier than anything more than 'occasional use'. (e.g. if you receive 3 emails at the same time then ClamWin will stop your server for 30 seconds due to its high CPU).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Re: Block ZIP for everyone except one...

Post by alleseitle » 2016-05-26 15:17

Hello!

Yes, I used this manual and stopped as you wrote because the versions do not match...
Maybe I will try later.

Anyway: even with all filenames included and other signatures, the .js files are NOT blocked in ZIP files - what can I do about that?

sanesecurity
New user
Posts: 16
Joined: 2011-11-02 17:20

Re: Block ZIP for everyone except one...

Post by sanesecurity » 2016-05-26 16:03

alleseitle wrote: Anyway: even with all filenames included and other signatures, the .js files are NOT blocked in ZIP files - what can I do about that?
foxhole_js.cdb will block .js in zip files.

Cheers,

Steve
Sanesecurity.com

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Re: Block ZIP for everyone except one...

Post by alleseitle » 2016-05-26 23:04

Hello!

Thanks again - the foxhole_js.cdb was already in my list BUT had a SPACE at the end, which was the problem.

Today one is still version 0.99.1 and the other one 0.99.2, so I have to wait.

Should the ClamWin automatic signature update be active or not?

greetings daniel

jimimaseye
Moderator
Posts: 8349
Joined: 2011-09-08 17:48

Re: Block ZIP for everyone except one...

Post by jimimaseye » 2016-05-26 23:10

Just install ClamWin and Clamd version 0.99.1 - the changes in .2 are negligible and you will not be missing anything. I have provided it here for you from my system. (I think oss.netfarm has gone to 0.99.2, right?)
Attachment: clamd_099_1.zip (0.99.1 ClamD)
ClamWin signature update should always be enabled (configure it to suit in your preferences). SaneSecurity should be set to download once an hour through Task Scheduler.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

alleseitle
New user
Posts: 6
Joined: 2016-05-23 14:00

Re: Block ZIP for everyone except one...

Post by alleseitle » 2016-06-23 06:32

Hello!

Finally I changed to ClamAV and everything is fine!

Thanks for your help, everyone!

Greetings from Austria - Daniel

RvdH
Senior user
Posts: 918
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block ZIP for everyone except one...

Post by RvdH » 2016-06-25 07:13

I took a different approach, as I also could not block zip attachments from/to clients, as many of them use them to send/receive pictures and design stuff like Illustrator or Photoshop files.
Everything below does not replace the functionality of the excluded files as in the antivirus blocked attachments panel in hMailAdmin; I blocked about everything except Zip archives in there!

Written in .NET 4.5, a tiny console application that can be run from eventhandlers.vbs

Code:

' ZipFile holds the path of the attachment that the event handler saved to disk
Dim ExitCode
Dim WshShell : Set WshShell = CreateObject("WScript.Shell")
' Run the scanner hidden (window style 0) and wait for it to finish (True);
' the process exit code is the verdict the handler acts on
ExitCode = WshShell.Run("""C:\Program Files (x86)\hMailServer\Events\ScanZipArchive.exe"" """ & ZipFile & """", 0, True)
Functionality:
  • Examine the Zip archive header (confirm it is actually a Zip archive)
  • List the files contained within the Zip archive
  • Compare the list of files within the Zip archive with an array of disallowed extensions (for example: *.js, *.vbs)
With it returning exit codes I managed to script eventhandlers.vbs to:
  • Delete archives with disallowed extensions in them
  • Quarantine damaged, fake and/or Zip attachments with disallowed extensions in them
  • Add a pseudo attachment with a blocked message (1)
(1) I also chose that the message returned to the user should be like the original blocked attachments message (by using a template), in the attachment being added as a *.txt file

It works pretty well I must say... if there is any interest I could try to pack it up and share it here
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
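The two ideas in this thread, the per-recipient exception jimimaseye says needs a script and the archive check RvdH describes (header check, member listing, comparison against disallowed extensions, exit codes for eventhandlers.vbs), combined in one added Python example; this is neither RvdH's .NET tool nor anything shipped with hMailServer, and the disallowed-extension list, the exempt mailbox keys@example.com and the exit-code values are assumptions chosen for the example.

```python
import io
import posixpath
import sys
import zipfile

# Policy values are constructed for this example, not taken from the thread.
DISALLOWED = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
ZIP_ALLOWED_RECIPIENTS = {"keys@example.com"}   # the one mailbox that may receive ZIPs
ALLOW, DELETE, QUARANTINE = 0, 1, 2             # exit codes for eventhandlers.vbs to act on
ZIP_MAGIC = b"PK\x03\x04"                        # local-file-header signature of a non-empty ZIP


def list_members(data: bytes):
    """Member names of a readable ZIP, or None when the bytes are fake or damaged."""
    if not data.startswith(ZIP_MAGIC):           # header check: not even claiming to be a ZIP
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:         # some member fails its CRC: damaged archive
                return None
            return zf.namelist()
    except zipfile.BadZipFile:                   # truncated or malformed central directory
        return None


def offending_members(names):
    """Members whose final extension is disallowed; 'invoice.pdf.js' counts as .js."""
    return [n for n in names if posixpath.splitext(n)[1].lower() in DISALLOWED]


def decide(data: bytes, recipient: str) -> int:
    names = list_members(data)
    if names is None:
        return QUARANTINE                        # fake or damaged archive: keep it for inspection
    if offending_members(names):
        return DELETE                            # executable content inside: nobody receives it
    if recipient.lower() in ZIP_ALLOWED_RECIPIENTS:
        return ALLOW                             # the exempted user gets clean archives
    return QUARANTINE                            # everyone else: ZIPs are blocked but recoverable


def make_zip(members: dict) -> bytes:
    """Build a small ZIP in memory (constructed sample input for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Console-tool usage: scanzip.py <file.zip> <recipient>; the exit code is the verdict.
    with open(sys.argv[1], "rb") as fh:
        sys.exit(decide(fh.read(), sys.argv[2]))
```

Invoked the way RvdH's executable is (hidden window, wait for exit), the handler can branch on the exit code to delete, quarantine or pass the attachment.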

mattg
Moderator
Posts: 20622
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block ZIP for everyone except one...

Post by mattg » 2016-06-25 08:03

If you are happy to share, please do so.
One day someone will want to do almost exactly as you have done
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg
Moderator
Posts: 20622
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block ZIP for everyone except one...

Post by mattg » 2016-06-25 10:09

Thanks for the write up.
I moved it here >> viewtopic.php?f=21&t=30002
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RvdH
Senior user
Posts: 918
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Block ZIP for everyone except one...

Post by RvdH » 2016-06-25 10:11

You might wanna change its title, it's a bit confusing now

Block ZIP by disallowed included extensions or something...
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

mattg
Moderator
Posts: 20622
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block ZIP for everyone except one...

Post by mattg » 2016-06-25 13:04

better??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
