Easy Spam Fighter 1.11

DirectAdmin Support

Hello,

I've released Easy Spam Fighter 1.11.
This release has added support for default file extension blocking, and has the ability to extract and scan a zip file for any malicious extensions.
Main new file is here:
http://files.directadmin.com/services/easy_spam_fighter/1.11/check_mime.conf

with the zip scanning script here:
http://files.directadmin.com/services/easy_spam_fighter/1.11/exim_check_attachment.sh

This change requires the new exim.conf SpamBlocker 4.4.3 or newer.

Default extensions that are blocked:
Code:
.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl
and the zip scan will block zips with:
Code:
bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip|js
which may need to be tweaked depending on the consensus.

Note that the mime type blocks are smtp-time blocks, so if an email is rejected, the sender should be notified, so adjustments can be made to the payload, or to the scripts.

John
 
Can you also add a script to check tar/tar.gz? It should be quite easy to create new ones for different formats from the original one.
Can the extensions be customized in a separate file?

Regards
 
I think you made a typo or another archiver is missing:
and the zip scan will block zips with:
Code:

bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|zip|js
Excluding .zip from a zipfile??? Why? If you would start blocking archives, it's best to also have .rar in this list because that's used a lot also.
However, if you block archives in archives by default, you also block any way for customers to still be able to send for example .exe files to other people, which is not good.
Archives in archives are indeed a possibility for infection, but also -the- way to still be able to send stuff which is normally blocked.
So I would suggest not to have .zip included in here, or otherwise add .rar to it.
There are still several zipfiles spread with legal .msi files inside or .exe files (executables or self extracting .exe files).
 
I have some spam issues and just updated ESF and exim.conf, but there are still .zip files coming into the mailbox.
 
Do you have this file?
Code:
/usr/bin/unzip
John

Yes, I have the unzip file. I don't know what file is in the zip. Don't know if I can open it safely.

The other problem I have is that the IP the email is coming in from is on an RBL list. But the mail isn't rejected. What can I do about this?
 
I noticed that the spam reject message was also changed in this version but it is not working properly:
Code:
Your message to $local_part@$domain was classified as SPAM.  Please add more content...
The local_part and domain expansions are not available here. This should be changed to something like the following:
Code:
Your message to <$recipients> was classified as SPAM. Please add more content...
 
I'm using this, have unzip installed, sent known zip files with live .js locky in them but it went straight through the filter...
Is it because I am authenticated?

M
 
Also, while the advertisement here claims .js support, the actual .sh file does not include the .js extension as banned inside a zip.
 
Shebang was also faulty (only matters for debugging)
Added logging of scans

Code:
#!/bin/sh

# $1 = attachment extension, $2 = scan directory name, $3 = attachment file name
echo "In Zip check for message ID ${2}" >> /var/log/exim/zipcheck.log
if [ "${1}" != "zip" ]; then
    echo "$0: we can only scan zip files"
    exit 0
fi

UNZIP=/usr/bin/unzip

P=/var/spool/exim/scan/${2}
# Was Z=${D}/${3}; D is never set, so the size test below always exited 0
Z=${P}/${3}

cd "${P}"

# Nothing to scan if the attachment is missing or empty
if [ ! -s "${Z}" ]; then
    exit 0
fi

# Count listed entries whose name ends in a banned extension
if [ $( ${UNZIP} -l "${Z}" | \
        tail -n +4 | head -n -2 | \
        grep -Ei '[.](bat|btm|cmd|com|cpl|dat|dll|js|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url)$' | \
        wc -l ) -gt 0 ]
then
    echo "Found banned extension in zip file ${3}" >> /var/log/exim/zipcheck.log
    exit 1
fi

exit 0
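
A variant of the listing check in the script above, added here as an example and not part of the post or of ESF: it lists member names only with `unzip -Z1`, reports nested archives separately from banned extensions, and answers "unreadable" instead of passing an archive that cannot be listed. The function names and the `NESTED` list are assumptions; `BANNED` is the extension list quoted in this thread.

```shell
#!/bin/sh
# Added example, not the ESF script.
# BANNED is the zip-scan list quoted in this thread (with js, without zip).
BANNED='bat|btm|cmd|com|cpl|dat|dll|exe|js|lnk|msi|pif|prf|reg|scr|vb|vbs|url'
# Assumption: archives inside the archive are reported separately, so the
# block-or-allow decision for them stays a policy choice.
NESTED='zip|rar'

# classify_names: reads archive member names (one per line) on stdin and
# prints exactly one verdict: "banned", "nested" or "clean".
# Matching is case-insensitive and anchored to the end of the name, so
# "Invoice.PDF.JS" is banned while "setup.exe.txt" is not.
classify_names() {
    names=$(cat)
    if printf '%s\n' "$names" | grep -Eiq "[.](${BANNED})\$"; then
        echo banned
    elif printf '%s\n' "$names" | grep -Eiq "[.](${NESTED})\$"; then
        echo nested
    else
        echo clean
    fi
}

# scan_zip FILE: prints the verdict for FILE, or "unreadable" when unzip
# cannot list it, so a broken archive is not silently treated as clean.
scan_zip() {
    # -Z1 = zipinfo mode, member names only: no header or footer lines to
    # trim with tail/head, and no size/date columns in front of the name.
    if names=$(unzip -Z1 "$1" 2>/dev/null); then
        printf '%s\n' "$names" | classify_names
    else
        echo unreadable
    fi
}

# Constructed sample listing (not taken from a real message):
printf 'report.pdf\nInvoice.PDF.JS\n' | classify_names
```

In the terms of the script above, "banned" corresponds to `exit 1`; what to do with "nested" and "unreadable" is the policy question discussed earlier in this thread.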
 
Hi,

I was wondering if there is a way to have ESF SKIP the SPF check if SpamAssassin has been disabled, or completely skip the ESF checks, since I have a lot of users that use an external spamfilter and don't get past the SPF check, since the external spamfilter becomes the sender of that mail, which results in an SPF that is not correct.

It's not an option to disable this completely on the server, since there are also users that do not have external mail filtering.
 
Not sure if that may help, but you may want to whitelist the IPs of the external mail filters in /etc/virtual/whitelist_hosts_ip

Best regards
 
Thanks SeLLeRoNe for your reply.

I have been thinking of doing that, but there is one thing. We manage a lot of servers, so it would be time consuming to make sure IPs are added to the whitelist. Also, a lot of customers use different companies to filter their mail.

We did whitelist our own spamexperts servers in that file but cannot do this for all the other hosts that filter mail and send it to our servers.

I have been trying to edit the ACL in order to check if the following file exists; if so, it needs to set the "acl_m_esf_skip" to 1 and add a header that it skipped the checks. So far I am unable to get this working in the correct way.
Code:
/home/|USER|/.spamassassin/user_pref

I tried a lot of different ways to get this working; what I have now is:

Code:
accept
        condition = ${if exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}{no}{yes}}
        set acl_m_esf_skip = 1
        logwrite = $sender_address skipped extra spamchecks $domain disabled spamassassin.
        add_header = SPFSpamassassinCheck: Skipped, spamassassin disabled.

When mailing it adds this in the logs:

Code:
2016-11-04 14:52:53 [11572] SMTP connection from [188.166.62.193]:52686 I=[88.159.17.150]:25 (TCP/IP connection count = 1)
2016-11-04 14:52:54 [11633] [email protected] skipped extra spamchecks  disabled spamassassin.
2016-11-04 14:52:54 [11633] DNS list lookup defer (probably timeout) for 193.62.166.188.list.dnswl.org: assumed not in list
2016-11-04 14:52:56 [11633] 1c2evQ-00031d-U1 DKIM: d=xxx.nl s=x c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2016-11-04 14:53:00 [11633] 1c2evQ-00031d-U1 ESF evalutation skipped. Score: -36
2016-11-04 14:53:00 [11633] 1c2evQ-00031d-U1 <= [email protected] H=smarthost.xxx.nl [188.166.62.193]:52686 I=[88.159.17.150]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=7587 M8S=0 [email protected] T="32" from <[email protected]> for [email protected]
2016-11-04 14:53:00 [11634] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c2evQ-00031d-U1
2016-11-04 14:53:00 [11633] SMTP connection from smarthost.xxx.nl [188.166.62.193]:52686 I=[88.159.17.150]:25 closed by QUIT
2016-11-04 14:53:00 [11634] 1c2evQ-00031d-U1 => yyy <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=7866 C="250 2.0.0 <[email protected]> ZOfDJLySHFg4agAAc2rQkA Saved" QT=4s DT=0s
2016-11-04 14:53:00 [11634] 1c2evQ-00031d-U1 Completed QT=4s

It adds this while SpamAssassin is enabled. If I disable it, it does the same.

kind regards,
 
Honestly, I've no idea how to customize exim.conf and I wouldn't suggest it.

Disabling the SPF check is quite easy, you just need to set
EASY_SPF_SOFT_FAIL = 0
EASY_SPF_FAIL = 0

In /etc/exim.easy_spam_fighter/variables.conf

But this will actually disable the check for all; truth is, if SpamAssassin is already checking the SPF, maybe this should be a working solution.

I would highly recommend you to contact DA Staff for a FR request, maybe they can edit the default exim.conf with a check with an additional variables, something like:
SKIP_ESF_IF_NO_SPAMASSASSIN=1

Best regards
 
2 questions:

x) Will the "exim_check_attachment.sh" be overwritten with new updates, or is it somehow possible to export the list of blocked attachments in a .conf.custom as it's done with exim variables and strings?
x) The "check_mime.conf" is blocking on default extensions - I am not sure yet, but wasn't there another file where extension blocking was possible (sorry if I remember wrong)?
thanks
kind regards
 
exim.conf is reading those two files:
.include_if_exists /etc/exim.check_mime.conf.custom
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf

Maybe John would need to clarify; I think the custom one should be loaded after, and maybe from the same ESF folder, something like:
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf
.include_if_exists /etc/exim.easy_spam_fighter/check_mime.conf.custom

That way, you would be able to copy the first file with the .custom extension, edit it, and let it load a different check_attachment script where you can change the list of extensions.

I'll point this thread to John so he may clarify that.

Best regards
 
Not a bug. Those are ACL entries.
The first is for the SpamBlocker mime ACLs, if any.
It can be used to "accept" or "deny" based on things before the ESF check_mime.conf is called, which might deny it.

So if you want a custom list, for now, type:
Code:
cp /etc/exim.easy_spam_fighter/check_mime.conf /etc/exim.check_mime.conf.custom
echo "accept" >> /etc/exim.check_mime.conf.custom
Then you can edit the /etc/exim.check_mime.conf.custom and the ESF version won't be called at all, due to the trailing "accept"

This isn't ideal, though.

The above issue to add/remove more file types would actually fall into a feature request to move the list into the ESF variables.conf, so there is no need to bypass it.

But until then / for now, do the above.

Or alternatively, you could just chattr +i your changes in the ESF check_mime.conf.

John
 