LinuxQuestions.org > Linux - Server > sieve filter on pigeonhole to remove exe attached emails doesn't work (https://www.linuxquestions.org/questions/linux-server-73/sieve-filter-on-pigeonhole-to-remove-exe-attached-emails-doesnt-work-4175493036/)

timsoft 01-29-2014 04:09 PM

sieve filter on pigeonhole to remove exe attached emails doesn't work
 
Hi all, I am running Slackware 14.1 32-bit with Dovecot and Pigeonhole installed from sbopkg.
Problem: I am trying to filter emails with attachments that are exe or zip files into junk.
What has been done: I have looked at http://www.emaildiscussions.com/show...522#post238522 which suggests
Code:

header :contains "X-Attached" [".zip", ".exe"]
but it doesn't touch my test emails. Looking at the email source from Thunderbird shows no X-Attached lines, so I added
Code:

header :contains ["Content-Type","name","filename"]
      ["application/x-zip-compressed",".zip",".exe"]

to the script, but mail with zip attachments still goes into the inbox. I know the rest of the script is OK as other mail is filtered OK.
Does anyone have any clues how to filter by Content-Type in multipart MIME messages?
An example message fragment that should match is:
Code:

Subject: testa1
Content-Type: multipart/mixed;
 boundary="------------020304040002050407030900"

This is a multi-part message in MIME format.
--------------020304040002050407030900
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

this has a compressed file added a1


--------------020304040002050407030900
Content-Type: application/x-zip-compressed;
 name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="pinglog.zip"

Thanks

Berhanie 01-31-2014 02:05 AM

Seems to me you're not using the correct syntax for MIME header matching. I would start by reading this RFC.

timsoft 01-31-2014 02:20 AM

Unfortunately, Pigeonhole does not appear to have the mime extension. I have already checked RFC 5703 and, like you say, it should do the trick happily, but it is not available for Pigeonhole AFAIK, which means I need some other way of doing it.

I'm happy to be corrected if I am mistaken, but looking at http://pigeonhole.dovecot.org/index.html would seem to indicate that support may arrive eventually, but is not currently available. Any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)

(I have put a request for RFC 5703 support on the Dovecot mailing list, as it would make things much simpler if it was implemented.)

Berhanie 01-31-2014 05:44 AM

You're right. The Dovecot site says the extension "will be added as soon as the necessary infrastructure is available".
Regarding the syntax, I think the test should be "header :mime ..." in order to match a MIME header.

Quote:

any alternative solution would be helpful, as the spammers sending malware as zip and exe (and scr and pif) attachments aren't waiting :-)
Use RBLs and content scanners (e.g. ClamAV for malware).
You could use something like Postfix's check_mime_headers to block / hold mail in the meantime.

timsoft 01-31-2014 11:55 AM

Thanks for the suggestions, Berhanie. I will be attempting to use something like ClamAV or SpamAssassin eventually.
Until the mime support gets added, the following catches zip and scr attachments:

Quote:

body :raw :contains ["application/x-zip-compressed","application/x-silverlight"]
However, catching exe and pif attachments is harder.

I have tried
Quote:

body :raw :regex ["filename=*.exe","filename=*.pif","filename=*.scr","filename=*.zip"]
and alternatively
Quote:

body :raw :regex ["filename\=*.exe","filename\=*.pif","filename\=*.scr","filename\=*.zip"]
but neither works.

motomoto 02-02-2014 06:56 PM

Quote:

Originally Posted by Berhanie (Post 5108533)
seems to me you're not using the correct syntax for mime-header matching. i would start by reading this RFC.

Are you American, bro?

Berhanie 02-04-2014 07:32 PM

Hi, timsoft. RFC 5173 mentions a :content keyword which is designed to match MIME content-type. It may be better to use that than :raw. The .exe may fall under application/octet-stream, but so would other types of files. Regarding the regexp, what you were after was "filename=.*\.exe".

timsoft 02-05-2014 04:43 AM

Many thanks. I have looked at :content but, like you say, it doesn't help with exe (or with pif) because there are so many file extensions that use the same content-type.

For others looking at this thread,

body :raw :regex ["filename=.*\.exe","filename=.*\.pif","filename=.*\.scr","filename=.*\.zip"]

works (for those using Sieve without a :mime implementation).
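Added example, not code from the thread or from Pigeonhole: it emulates "body :raw :regex" over the thread's own zip-attachment fragment to show why "filename=*.exe" never matched while "filename=.*\.exe" does, and puts a MIME-aware check beside it that a mail gateway or scanning script can use instead of a raw regex. It assumes POSIX ERE semantics in which "." also matches a newline and Sieve's default case-insensitive comparator; the base64 line, the closing boundary and the second (.txt) message are constructed.

```python
import re
from email import message_from_string
from email.policy import default
# The thread's fragment reduced to its zip part; base64 line and closing boundary are constructed.
ZIP_MSG = """Subject: testa1
Content-Type: multipart/mixed;
 boundary="------------020304040002050407030900"

--------------020304040002050407030900
Content-Type: application/x-zip-compressed;
 name="pinglog.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="pinglog.zip"

UEsDBAoAAAAAAA==
--------------020304040002050407030900--
"""
# Constructed: a harmless .txt attachment followed by body text that merely names an .exe.
TXT_MSG = """Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="notes.txt"

notes
--b1

The installer is called setup.exe; see the attached notes.
--b1--
"""
BROKEN = [r"filename=*.exe", r"filename=*.zip"]     # the thread's first attempt
FIXED = [r"filename=.*\.exe", r"filename=.*\.zip"]  # the corrected patterns

def raw_regex_match(raw, patterns):
    # Emulates 'body :raw :regex': POSIX ERE over the raw body, assuming '.' also
    # matches a newline and that the default comparator ignores case.
    for p in patterns:
        if re.search(p, raw, re.DOTALL | re.IGNORECASE):
            return p
    return None

def attachment_names(raw):
    # MIME-aware: walks every part and unfolds headers such as the folded filename above.
    msg = message_from_string(raw, policy=default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]

def has_blocked_attachment(raw, exts=(".exe", ".pif", ".scr", ".zip")):
    # Only real attachment names count, so body text that names an .exe is not a hit.
    return any(name.lower().endswith(exts) for name in attachment_names(raw))
```

On TXT_MSG the corrected raw regex still fires, because ".*" runs on past the .txt filename into the body text, while the MIME-aware check does not; that is the trade-off of matching :raw until the :mime extension is available.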

