Zimbra - Forums > Zimbra Collaboration Suite > Administrators

#1  10-14-2008, 07:25 AM
Junior Member, Posts: 9
[SOLVED] Attachment blocking within .zip files?

Does Zimbra extend its attachment blocking logic to include blocking those extensions even when they're zipped first? A lot of malware comes within an unencrypted zip file and by simply blocking .exe most of it can be blocked even before ClamAV is updated. .zip files with .exe files inside seem to be making it through my server even with .exe set to be blocked.

Thanks.
Brian
#2  10-14-2008, 10:45 PM
Active Member, Posts: 47

No, it doesn't as far as I can tell.

Also see this post which refers to this RFE/bug.

I've been researching this over the last few days as it causes major issues for several Zimbra sites which I administer.

The attachment blocking is part of the Postfix header checks - see /opt/zimbra/conf/postfix_header_checks
===============================================================================================
/filename=\"?(.*)\.(bat|cmd|com|exe|pif|scr)\"?$/
REJECT For security reasons we reject attachments of this type
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(bat|cmd|com|exe|pif|scr))"?\s*$/
REJECT Attachment type not allowed. File "$2" has the unacceptable extension "$3"
===============================================================================================

I've been looking into modifying the Amavis configuration file to detect .exe files within .zip files but I haven't had a chance to do this yet.

In the file /opt/zimbra/conf/amavisd.conf.in, there is this section which has every test commented out:

$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

# block certain double extensions anywhere in the base name
#qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extensions - CLSID

# qr'^application/x-msdownload$'i, # block these MIME types
# qr'^application/x-msdos-program$'i,
# qr'^application/hta$'i,

# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME
# qr'^\.wmf$', # Windows Metafile file(1) type

# qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i, # rfc2046 MIME type

# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives

#qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.

#qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);

I was going to try uncommenting some of these tests.

Anyone from Zimbra care to comment about the workings of Amavis and whether this will work?

Angus
#3  10-15-2008, 11:14 AM
Junior Member, Posts: 9

Until an official method for extending blocking to inside attachments is supported, I just uncommented one of the blocks in /opt/zimbra/conf/amavisd.conf.in for $banned_filename_re:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

This lets the normal Zimbra attachment blocking work while also using the blocking in amavisd-new (which DOES support blocking files inside of archives) to specifically ban those above extensions within archives. I tried sending the very same emails that were sneaking through and the logs show it being blocked now specifically due to the embedded .exe.

I also added:
$final_banned_destiny = D_DISCARD;

To prevent backscatter since the default in amavisd-new is D_BOUNCE.
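The two layers discussed in posts #2 and #3 behave differently because they look at different data: Postfix header_checks only ever sees MIME header lines, so a "filename=" carrying .zip passes even when the zip's member is an .exe, while amavisd-new unpacks the archive and applies $banned_filename_re to every member name. The script below is an added illustration, not code from the thread or from Zimbra; it ports the two header_checks patterns and two of the $banned_filename_re entries quoted above to Python, builds a constructed message with a constructed zip attachment, and shows which layer catches what. The nesting limit MAX_DEPTH and the names build_zip, build_message, header_check_hits, archive_scan_hits and decide are assumptions for this example.

```python
"""Added example: header-only filename checks versus archive-aware checks.
Everything here is constructed for illustration; the regexes are Python ports
of the patterns quoted in the thread."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Port of the Content-Disposition/Content-Type header_checks rule (one header line at a time).
HEADER_CHECK = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(bat|cmd|com|exe|pif|scr))"?\s*$',
    re.IGNORECASE,
)
# Ports of the "banned extension - basic" and "double extensions" $banned_filename_re entries.
BANNED_BASIC = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)
BANNED_DOUBLE = re.compile(r'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$', re.IGNORECASE)
MAX_DEPTH = 3  # assumed recursion limit for zip-inside-zip, so a nesting bomb cannot loop forever


def build_zip(member_names):
    """Constructed zip archive whose members carry the given names (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"constructed placeholder, not a real program")
    return buf.getvalue()


def build_message(attachment, filename, subtype):
    """Constructed MIME message with a single attachment, returned as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def header_check_hits(raw):
    """Layer 1: what header_checks can see, i.e. the header lines of each MIME part."""
    hits = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        for header in ("Content-Disposition", "Content-Type"):
            value = part.get(header)
            if value is None:
                continue
            m = HEADER_CHECK.match(f"{header}: {value}")
            if m and m.group(2) not in hits:
                hits.append(m.group(2))
    return hits


def _scan_blob(name, data, depth):
    # Apply the banned-name patterns to this name, then descend into zip content.
    found = []
    if BANNED_BASIC.search(name) or BANNED_DOUBLE.search(name):
        found.append(name)
    if depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    found.extend(_scan_blob(f"{name}/{info.filename}", zf.read(info), depth - 1))
    return found


def archive_scan_hits(raw):
    """Layer 2: what an archive-aware filter sees: attachment names plus every member name inside zips."""
    hits = []
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        hits.extend(_scan_blob(part.get_filename() or "", part.get_content(), MAX_DEPTH))
    return hits


def decide(raw):
    """Combined outcome as the thread's setup would produce it: header_checks REJECTs at SMTP time,
    anything it misses is left to the banned-name check, where discarding (D_DISCARD) rather than
    bouncing (the D_BOUNCE default) avoids backscatter to a forged sender."""
    if header_check_hits(raw):
        return "REJECT"
    if archive_scan_hits(raw):
        return "DISCARD"
    return "PASS"


if __name__ == "__main__":
    zipped = build_message(build_zip(["invoice.pdf.exe"]), "invoice.zip", "zip")
    print("zipped exe:", header_check_hits(zipped), archive_scan_hits(zipped), decide(zipped))
    direct = build_message(b"constructed placeholder", "setup.exe", "octet-stream")
    print("bare exe:  ", header_check_hits(direct), decide(direct))
```

Running it shows the zipped executable producing no header_checks hit but an archive-scan hit on the member name, while a bare .exe is caught by the header rule before amavisd is ever involved. The recursion limit matters in practice as much as the patterns: an unpacker with no depth bound is itself a denial-of-service target.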
#4  10-28-2009, 04:48 PM
Special Member, Posts: 136

Is there an official method for this now?

I'm running 5.0.5 GA Network Edition on Redhat 5 and am starting to have this issue where zipped executables come through and wreak havoc on users' workstations.
#5  10-28-2009, 04:52 PM
Junior Member, Posts: 9

ZCS 6 extends the attachment blocking to within zipped files if that's an option for you. I don't think you'll ever see an official method within ZCS 5 since it's in 6 now. I was using that unofficial method I found for about a year and it worked great for me except that I had to make sure to modify amavisd.conf.in each time I upgraded ZCS.
#6  10-28-2009, 05:04 PM
Special Member, Posts: 136

Well, I'm actually looking at doing an upgrade now so that may be the best route.

Looking for an upgrade guide now.