# Postfix - Header Check to Block Executable Files



## Ruler2112 (Feb 16, 2010)

My users have been getting more phishing e-mails lately and I've decided to implement some additional restrictions to block the majority of this crap from reaching them.  (I'm already using several layers of spam-blocking techniques, though no true spam filter.  For the past few weeks, I've been blacklisting IPs, almost exclusively from asian countries, that try to hack into my server via brute-force methods - this has also reduced the amount of crap we get as well, proving that the same people trying to guess passwords are also a source of spam.  Not that this has much to do with the trouble I've encountered... just found it to be an interesting factoid.)  Most of these restrictions will be in the form of body checks, looking for URLs that match those that we have already received.  I know this is a reactive measure, meaning that I must receive a bad message in order to block similar ones in the future, but I've had bad experiences with spam filters generating false positives in the past and want to avoid this at all costs.  I set up a special account for people to forward fakes to so that I can update the filters regularly.

I'm trying to configure Postfix to block any messages that have an executable attachment with a header check.  Currently, I have two rules implemented that I found online that are supposed to achieve this effect, but neither seems to work as I'm still able to send a message with an EXE attached.  (This message is then bounced back to the sender by amavisd, but I'd really like to eliminate the bounce and just prevent the message from being accepted to begin with.)

I verified that the header checks are working by adding a rule to bounce a message with 'Please bounce this message' as the subject.  My guess right now is that the regular expressions that determine the attachment name are not registering a hit with the message I sent.

Relevant lines from postconf -n:

```
header_checks = regexp:/usr/local/etc/postfix/header_checks
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
```

header_checks:

```
/^Date: .* 19[0-9][0-9]/ REJECT Please update your computer clock and try again.  SHC01
/^Date: .* 200[0-9]/     REJECT Please update your computer clock and try again.  SHC02

/^Subject: Please bounce this message/ REJECT Rule working... SHC42

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|<bunch more here>|ex[_e]|<bunch more>|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed.  SHC03

/name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT We do not allow files of type "$3" because of security concerns - "$2" caused the block.  SHC03

/^Bel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC04
/^Hel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC05
/^Kel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC06
/^BIC-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC07
/^Lid-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC08

/^X-Mailer: 0001/                    REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC09
/^X-Mailer: Avalanche/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC10
/^X-Mailer: Crescent Internet Tool/  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC11
/^X-Mailer: DiffondiCool/            REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC12
/^X-Mailer: E-Mail Delivery Agent/   REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC13
/^X-Mailer: Emailer Platinum/        REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC14
/^X-Mailer: Entity/                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC15
/^X-Mailer: Extractor/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC16
/^X-Mailer: Floodgate/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC17
/^X-Mailer: GOTO Software Sarbacane/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC18
/^X-Mailer: MailWorkz/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC19
/^X-Mailer: MassE-Mail/              REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC20
/^X-Mailer: MaxBulk.Mailer/          REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC21
/^X-Mailer: News Breaker Pro/        REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC22
/^X-Mailer: SmartMailer/             REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC23
/^X-Mailer: StormPort/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC24
/^X-Mailer: SuperMail-2/             REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC25
```

mime_header_checks:

```
/^name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.  SHC03
/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|<bunch more here>|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
```

The source of one of the messages I sent with an EXE attached:

```
From - Tue Feb 16 16:31:31 2010
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <4B7B0EAC.2090001@mydomain.com>
Date: Tue, 16 Feb 2010 16:31:24 -0500
From: Me <myaddress@mydomain.com>
User-Agent: Thunderbird 1.5.0.9 (X11/20061206)
MIME-Version: 1.0
To: Me Two <mysecondaryaddress@mydomain.com>
Subject: Test 6
Content-Type: multipart/mixed;
 boundary="------------030903020106050306070302"

This is a multi-part message in MIME format.
--------------030903020106050306070302
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

EXE attached


--------------030903020106050306070302
Content-Type: application/octet-stream;
 name="vncviewer.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="vncviewer.exe"

TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAIAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5k
ZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<continued>
```


Can anybody see where I've screwed up?  I admit that I don't entirely understand regular expressions and basically cut & pasted the samples I've found.  I can decipher some of what's going on, but don't know the full syntax.

Also, given that it's missing the attachment that Thunderbird is sending and on the assumption that these rules DO work when other clients send attachments, is this even something that can be done effectively?


----------



## SirDice (Feb 17, 2010)

Don't trust either the extension or the mime-type. Both are easily faked. If you really want to block executables you will need to use a content scanner that's able to look at the file itself.


----------



## DutchDaemon (Feb 17, 2010)

Try MailScanner from ports (mail/mailscanner). It's full of goodies for this purpose, and you can plug SpamAssassin and virus scanners into it using a central configuration file (see http://mailscanner.info).


----------



## Ruler2112 (Feb 17, 2010)

Thanks for the info guys.

SirDice - amavisd currently looks at the content and blocks executable attachments, so I'm not too worried about that.  (This actually caught me last summer - my boss had an MP3 e-mailed to her and amavisd thought it was executable and blocked it as an application.  I never did figure that one out...)  I'd like to get this set up, both to provide an extra layer of security and so that I can block the majority of it from being accepted in the first place, thereby saving it from being scanned.

DD - I'll check out mailscanner, though I don't know if I'll put it in place.  (This is a live system, so I don't want to make any major changes for fear I'll break something.  Not that I've EVER messed up a system beyond repair before...  )


----------



## SirDice (Feb 17, 2010)

Ruler2112 said:
			
		

> This actually caught me last summer - my boss had an MP3 e-mailed to her and amavisd thought it was executable and blocked it as an application.  I never did figure that one out...


Hmm.. Do you still have that file? It might be a renamed .wma file. The only difference is that a real WMA file can contain active content (javascript, vbscript i.e.) and a real MP3 not. Windows media player will happily open this renamed wma file and play whatever is in there. Including the active content. That's why it may have been flagged as an executable. 



> I'd like to get this set up, both to provide an extra layer of security and so that I can block the majority of it from being accepted in the first place, thereby saving it from being scanned.


Perfect. As long as you never trust an extension or mime-type


----------



## Ruler2112 (Feb 17, 2010)

SirDice said:
			
		

> Hmm.. Do you still have that file?



Sorry - I do not.  That's a very good thought though.  If it happens again, I'll have to open it in a hex editor and see if it's a real MP3 or not.



			
				SirDice said:
			
		

> Perfect. As long as you never trust an extension or mime-type



It's not perfect because I can send EXEs and the header checks don't catch it!


----------



## Ruler2112 (Feb 19, 2010)

I worked out the problem in my rule set.  The following now works as I expected them to, blocking files with the listed extensions outright during the SMTP conversation.  If an attachment makes it through this series of checks, amavisd scans the message and if executable content is found, bounces the message back to the sender.  Remaining messages are scanned with clamav before being delivered to the user.  The header_checks, specifically the date screening, have also cut down on the amount of spam already.    I'm also developing a set of body_checks, specifically intended to screen out phishing messages.  (Seems like a good share of them share certain similar characteristics, which I should be able to filter without risking false positives.)

mime_header_checks:

```
/name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT We do not allow files of type "$1" because of security concerns.  MHC01
/name=[^>]*your_details.zip/ REJECT Mail filters have determined that your email appears to be infected with the Sobig virus.  MHC02
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((Attach|Information|TextDocument|Readme|Msg|Msginfo|Document|Info|Attachedfile|Attacheddocument|TextDocument|Text|TextFile|Letter|MoreInfo|Message)\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Bagle virus.  MHC03
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((Patch|MS-Security|MS-UD|UpDate|sys-patch|MS-Q).*\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Sober virus.  MHC04
/^\s*Content-(Disposition|Type).*name\s*=\s*"?((doc_word3_|document_all_|part01_|product_|letter_|information_|document_|details_|screensaver_|website_|data_|text_|file_|prod_info_).*\.zip)"?\s*$/ REJECT Mail filters have determined that your email appears to be infected with the Netsky virus.  MHC05
```

header_checks:

```
/^Date: .* 19[0-9][0-9]/ REJECT Please update your computer clock and try again.  SHC01
/^Date: .* 200[0-9]/     REJECT Please update your computer clock and try again.  SHC02

/^Bel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC03
/^Hel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC04
/^Kel-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC05
/^BIC-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC06
/^Lid-Tracking: .*/ REJECT Confirmed spam header found- go away.  SHC07

/^X-Mailer: 0001/                    REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC08
/^X-Mailer: Avalanche/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC09
/^X-Mailer: Crescent Internet Tool/  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC10
/^X-Mailer: DiffondiCool/            REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC11
/^X-Mailer: E-Mail Delivery Agent/   REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC12
/^X-Mailer: Emailer Platinum/        REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC13
/^X-Mailer: Entity/                  REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC14
/^X-Mailer: Extractor/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC15
/^X-Mailer: Floodgate/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC16
/^X-Mailer: GOTO Software Sarbacane/ REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC17
/^X-Mailer: MailWorkz/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC18
/^X-Mailer: MassE-Mail/              REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC19
/^X-Mailer: MaxBulk.Mailer/          REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC20
/^X-Mailer: News Breaker Pro/        REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC21
/^X-Mailer: SmartMailer/             REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC22
/^X-Mailer: StormPort/               REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC23
/^X-Mailer: SuperMail-2/             REJECT You used an email program that is used almost exclusively for spam. We do not accept email sent using this program.  SHC24
```
I do have one further question.  Is it possible in a regular expression (or pcre) to have a compound match?  For instance, quite a few PayPal phishing messages have 'Wayne E Bakewell' as the person you 'paid' (when you did no such thing), living at '16 elm st' in 'Brownsville, PA 15417'.  (Google for the name and you'll get sample messages.)  Further down is a link to 'dispute' or 'cancel' the transaction, which takes you to a PayPal look-alike page.  The link appears to be semi-random though, so that's not a good thing to screen on.  I was thinking that the name & address would be effective.  However, all of these are on different lines of the body.  I don't want to block messages with any one of these criteria, but instead messages that have all three of them.


----------



## Ruler2112 (Feb 22, 2010)

In case anybody thinks of using the above patterns, I found a flaw.  It turns out that some people use v-cards as their signature, which is a type of attachment.  The name of one of them is [email='user@blah.com.vcf]'user@blah.com.vcf[/email]'.  The above regex blocked it because '.com' is in the file name.  I'm currently looking at regular expression pages, learning more about how they work, and will post back if/when I find a solution.  For now, I just removed com from the first line of the mime_header_checks to prevent this.


----------

