Easy Spam Fighter 1.11

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,921
Hello,

I've released Easy Spam Fighter 1.11.
This release has added support for default file extension blocking, and has the ability to extract and scan a zip file for any malicious extensions.
Main new file is here:
http://files.directadmin.com/services/easy_spam_fighter/1.11/check_mime.conf

with the zip scanning script here:
http://files.directadmin.com/services/easy_spam_fighter/1.11/exim_check_attachment.sh

This change requires the new exim.conf SpamBlocker 4.4.3 or newer.

Default extensions that are blocked:
Code:
.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl
and the zip scan will block zips with:
Code:
bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip|js
which may need to be tweaked depending on the consensus.

Note that the mime type blocks are smtp-time blocks, so if an email is rejected, the sender should be notified, so adjustments can be made to the payload, or to the scripts.

John
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Can you also add a script to check tar/tar.gz? It should be quite easy to create new ones for different format from the original one.
Can the extension be customized on a separate file?

Regards
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I think you made a typo or another archiver is missing:
and the zip scan will block zips with:
Code:

bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip|js
Excluding .zip from a zipfile??? Why? If you would start blocking archives, it's best to also have .rar in this list because that's used a lot also.
However, if you block archives in archives by default, you also block any way for customers to still be able to send for example .exe files to other people, which is not good.
Arhives in archives are indeed a possibility for infection, but also -the- way to still being able to send stuff which is normally blocked.
So I would suggest not to have .zip included in here, or otherwise add .rar to it.
There are still several zipfiles spread with legal .msi files inside or .exe files (executables or self extracting .exe files).
 

Sahi

Verified User
Joined
Nov 10, 2011
Messages
27
I have some spam issues and just updated ESF and exim.conf, but there are still .zip files coming into the mailbox.
 

Sahi

Verified User
Joined
Nov 10, 2011
Messages
27
Do you have this file?
Code:
/usr/bin/unzip
John
Yes, i have the unzip file. I don't know what file is in the zip. Don't know if i can open it safely.

The other problem i have is that the email that is coming the IP in is op a RBL list. But the mail isn't rejected. What can i do about this?
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
I noticed that the spam reject message was also changed in this version but it is not working properly:
Code:
Your message to $local_part@$domain was classified as SPAM.  Please add more content...
The local_part and domain expansions are not available here. This should be changed to something like the following:
Code:
Your message to <$recipients> was classified as SPAM. Please add more content...
 

mmaxx

Verified User
Joined
May 26, 2006
Messages
23
Im using this, have unzip installed, sent known zip files with live .js locky in them but it went straight through the filter...
Is it because I am authenticated?

M
 

mmaxx

Verified User
Joined
May 26, 2006
Messages
23
Also while the advertisement here claims .js support the actual .sh file does not include .js extension as bannned inside zip.....
 

mmaxx

Verified User
Joined
May 26, 2006
Messages
23
shebang was also faulty (only matters for debugging)
Added logging of scans


#!/bin/sh

echo "In Zip check for message ID" ${1}>>/var/log/exim/zipcheck.log
if [ "${1}" != "zip" ]; then
echo "$0: we can only scan zip files";
exit 0
fi

UNZIP=/usr/bin/unzip

P=/var/spool/exim/scan/${2}
Z=${D}/${3}

cd "${P}"

if [ ! -s $Z ]; then
exit 0;
fi

if [ $( ${UNZIP} -l "${Z}" | \
tail -n +4 |head -n -2 | \
egrep -i '[.](bat|btm|cmd|com|cpl|dat|dll|js|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url)$' | \
wc -l ) -gt 0 ]
then
echo "Found banned extension in zip file" "${1}">>/var/log/exim/zipcheck.log
exit 1
fi

exit 0
 

ItsOnlyMe

Verified User
Joined
Apr 3, 2009
Messages
72
Location
Netherlands
Hi,

I was wondering if there is a way to have ESF SKIP the spf check if spamassassin has been disabled? or completely skip the ESF checks since i have a lot of users that use a external spamfilter which don't get past the SPF check since the external spamfilter becomes the sender of that mail what results in a SPF that is not correct.

Its not a option to disable this completely on the server since there are also users that do not have external mail filtering.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Not sure if that may help, but you may want to whitelist the IP's of the external mail filters in /etc/virtual/whitelist_hosts_ip

Best regards
 

ItsOnlyMe

Verified User
Joined
Apr 3, 2009
Messages
72
Location
Netherlands
Thanks SeLLeRoNe for your reply.

I have been thinking of doing that, but there is one thing. We manage a lot of servers so it would be time consuming to make sure IP's are added to the whitelist. Also a lot of customers use different company's to filter their mail.

We did whitelisted our own spamexperts servers in that file but can not do this for all the other hosts that filter mail and send them to our servers.

I have been trying to edit the ACL in order to check if the following file exists, if so it needs to set the "acl_m_esf_skip" to 1 and add a header that it skipped the checks. So far i am unable to manage to get this working in the correct way.
Code:
/home/|USER|/.spamassassin/user_pref
I try'd a lot of diffrent ways to get this working what i have now is:

Code:
accept
        condition = ${if exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}{no}{yes}}
        set acl_m_esf_skip = 1
        logwrite = $sender_address skipped extra spamchecks $domain disabled spamassassin.
        add_header = SPFSpamassassinCheck: Skipped, spamassassin disabled.
When mailing it adds this in the logs:

Code:
2016-11-04 14:52:53 [11572] SMTP connection from [188.166.62.193]:52686 I=[88.159.17.150]:25 (TCP/IP connection count = 1)
2016-11-04 14:52:54 [11633] xxx@xxx.nl skipped extra spamchecks  disabled spamassassin.
2016-11-04 14:52:54 [11633] DNS list lookup defer (probably timeout) for 193.62.166.188.list.dnswl.org: assumed not in list
2016-11-04 14:52:56 [11633] 1c2evQ-00031d-U1 DKIM: d=xxx.nl s=x c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2016-11-04 14:53:00 [11633] 1c2evQ-00031d-U1 ESF evalutation skipped. Score: -36
2016-11-04 14:53:00 [11633] 1c2evQ-00031d-U1 <= xxx@xxx.nl H=smarthost.xxx.nl [188.166.62.193]:52686 I=[88.159.17.150]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=7587 M8S=0 id=8aa39c09c4ea31c3961b01f1e5943198@xxx.nl T="32" from <xxx@xxx.nl> for yyy@yyy.nl
2016-11-04 14:53:00 [11634] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c2evQ-00031d-U1
2016-11-04 14:53:00 [11633] SMTP connection from smarthost.xxx.nl [188.166.62.193]:52686 I=[88.159.17.150]:25 closed by QUIT
2016-11-04 14:53:00 [11634] 1c2evQ-00031d-U1 => yyy <yyy@yyy.nl> F=<xxx@xxx.nl> P=<xxx@xxx.nl> R=virtual_user T=dovecot_lmtp_udp S=7866 C="250 2.0.0 <yyy@yyy.nl> ZOfDJLySHFg4agAAc2rQkA Saved" QT=4s DT=0s
2016-11-04 14:53:00 [11634] 1c2evQ-00031d-U1 Completed QT=4s
It add this while spamassassin is enabled. If i disable it it does the same.

kind regards,
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Honestly i've no idea how to customize exim.conf and i woouldn't suggest it.

Disable SPF check is quite easy, you just need to set
EASY_SPF_SOFT_FAIL = 0
EASY_SPF_FAIL = 0

In /etc/exim.easy_spam_fighter/variables.conf

But this will actually disable the check for all, true is, if SpamAssassin is already checking the SPF, maybe this should be a working solution.

I would highly recommend you to contact DA Staff for a FR request, maybe they can edit the default exim.conf with a check with an additional variables, something like:
SKIP_ESF_IF_NO_SPAMASSASSIN=1

Best regards
 

johannes

Verified User
Joined
Feb 18, 2007
Messages
223
2 questions:

x) will the "exim_check_attachment.sh" becoming overwritten with new updates or is it somehow possible to export the list of blocked attachments in a .conf.custom as its done with exim variables and strings?
x) the "check_mime.conf" is blocking on default extensions - i am not sure yet but wasnt there another file where extension blocking was possible (sorry if i remember wrong)?
thanks
kind regards
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
exim.conf is reading those two files:
.include_if_exists /etc/exim.check_mime.conf.custom
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf

Maybe John would need to clarify, i think the custom one should be loaded after, and maybe from the same ESF folder, something like:
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf.custom

That way, you would be able to copy the first file with the .custom extension, edit it, and let it load a different check_attachment script where you can change the list of extensions.

I'll point this thread to John so he may clarify that.

Best regards
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,921
Not a bug. Those are ACL entries.
The first is for the SpamBlocker mime ACLs, if any.
It can be used to "accept" or "deny" based on things before the ESF check_mime.conf is called, which might deny it.

So if you want a custom list, for now, type:
Code:
cp /etc/exim.easy_spam_fighter/check_mime.conf /etc/exim.check_mime.conf.custom
echo "accept" >> /etc/exim.check_mime.conf.custom
Then you can edit the /etc/exim.check_mime.conf.custom and the ESF version won't be called at all, due to the trailing "accept"

This isn't the ideal though.

The above issue to add/remove more file types should would actually fall into a feature request to move the list into the ESF variables.conf, so there is no need to bypass it.

But until then / for now, do the above..

Or alternatively, you could just chattr +i your changes in the ESF check_mime.conf.

John
 
Top