Add option to block mail with zip files that contain supicious file e…#155
Conversation
|
I have this option running for a few days and it seems to be quite successful. I'm not sure what you feeling is about this function if we should implement this already in 2.3 or wait for 2.3.1 and if it should be enabled by default. |
|
i'd like to get his soon into the release. |
|
OK, I verified with a several TB large zip-bomb, this doesn't affect the server. So let's add this optional feature. |
|
i tried your implementation and just got a .wsf (included in an .zip) in my mailbox. unzip was not found in the path... |
|
what system are you using? |
|
debian jessie. but i used 7zip. so i installed unzip now :) |
|
i just got an email through this filter. maybe... anyways i would suggest to remove the from the message: |
|
Gmail does not log into your server when forwarding messages, and I'm not sure what other "logged in" systems you might be talking about here. Care to explain? |
|
I'd like to discuss the idea of this patch here a bit. I personally don't quite like this approach for a few reasons:
Regarding the second point: sadly, I've experienced lately that Clamav isn't as reliable as I thought it would be – it sometimes lets trojans through for weeks after they start circulating around. I've learned Clamav lacks manpower, so they're not to be blamed, but the bottom line is, this antivirus is likely less reliable than some other solutions. On the other hand, there are projects like extremeshok/clamav-unofficial-sigs, which provide unofficial signatures for Clamav, and might help lessen the gap. |
|
gmail is using 'my' server as a smarthost because it is sending 'from' an account of a domain of 'my' server. i now checked this and this is really the case. I agree with your statement @rimas-kudelis. It's just shifting the problem. about clamav: i already have seen provider which use 2 different virus scanners on every email. even the samba plugin of clamav is not maintaned/working anymore. per user setting: would be nice, but i'd like to have a non override policy too. i think for vexim 3.0 we should discuss more such features. |
|
Override policy just for this doesn't make sense. We should either allow locking settings for AV and SA as well, or not allow locking them at all. Regarding ClamAV, I'm currently testing third party signatures. Hoping to find something free and reliable... |
|
Hmm, I'm actually not very happy with this patch either but I don't see a good alternative. This summer I was hit by a large number of such fishing mails - some of them were very pretty good. The problem was, if you were hit by one of the first waves, there was no protection. Neither hash-sum checks of spamassassin (ixHash & others), they kicked in later, nor anti-virus software. On virustotal you could literally observer how fast anti-virus companies were reacting. How many legitimate *.exe files are still send in zip-files? Clearly, it doesn't solve the problem, however it does in some way. A company can send you an invoice via mail (usually not in a zip-file containing *.exe-files) or they ask you to login into the customer interface. You bank sending you a fishy invoice to be downloaded from dropbox?? In this PR #142 I had the idea that we enforce a valid DKIM signature from certain senders who never send user mails (problem with mailinglists) and which are subject to phishing very often (paypal, banks, or who have a Author Domain Signing Policy The problem was that some of these mails are signed with several dkim-signatures (when other sending mailservers were used, e.g via amazon/google). If we figure this out properly, we could at least prevent phishing mails from *@paypal.com. Unfortunately, the sender is often not visible, so users can be tricked by: Or as most of the spam is from hijacked residential accesses, we could implement greylisting only for these dynamic-looking ips (hostname: dialin-*, ...). Authenticated users can send without restrictions. |
…xtensions
Over the last weeks, there were a lot of spam mails with contagious attachments. Many were hidden in zip-files and if you don't want to block zip-attachments in general, you can block certain file-extensions of files within the zip archive. I implemented this solution:
http://www.gossamer-threads.com/lists/exim/users/98336#98336
It is turned off by default.