Virus:Email Attachment Blocking
- 1 Email Attachments Virus & Executable content blocking
- 1.1 Problem
- 1.2 Solution
- 1.3 Additional Information
- 1.4 Enabling Pattern Matching
- 1.5 Analyzing and creating patterns
- 1.6 Determining file pattern, signature or magic
- 1.7 Enabling or disabling patterns
- 1.8 Checking logs
- 1.9 Web sites for background information
- 1.10 Prior version of this Howto for sme6.x
Email Attachments Virus & Executable content blocking
The functionality to block possible executable and virus files attached to emails has been incorporated into SME Server v7.x. See the Email panel in server manager.
Your SME Server receives a lot of email with virus infected attachments and you want to reject it before it enters your server's mail system. You want to block email with certain types of file attachments to improve security of your server or reduce bandwidth use caused by unwanted or undesired large multimedia files. Current methods typically use Anti Virus detection software, which are processor & memory intensive.
This functionality allows incoming and outgoing messages to be rejected if the attached file has executable content, which matches specific file type patterns. A default pattern matching database is created with common executable file patterns, which cover the majority of currently known Windows type executable viruses. Patterns can be created for any file types to allow multimedia or other attachments to be rejected where the system management policy considers it appropriate.
Email messages are rejected if the attachment content matches an entry in the patterns database. By default this includes the majority of *.exe files, older v1.0 *.zip files and some *.gif files. This blocking applies to both incoming and outgoing smtp email messages, including the local network, in order to stop virus propagation. If these file types need to be sent using email, they should be compressed using WinZip (v2.0 format) or WinRAR or other suitable compression software, or alternatively shared on the local network use file sharing. Note that recent releases of compression software use the v2.0 zip format.
Messages with attachments that match the patterns database are rejected by the mail system, and as a result there is no further processing. In practice a large number of virus infected messages will be rejected, perhaps 95 % or more, depending on the type of virus infections you receive and your system exposure (email addresses).
In conjunction with Real-time Blackhole List (RBL) blocking of spam messages you can expect the reduction in virus detections by ClamAV is from typically hundreds per month to one message per month. The use of RBL list spam blocking also helps reduce virus infected email messages entering the server, probably due to the fact that some virus infected messages come from similar sources as spam messages.
This method works for servers configured as either Server & Gateway or Server Only as long as the mail server components are enabled (qpsmtp & qmail) and the server has access to the Internet via another SME Server or firewall.
Pattern matching acts as a "gross filter" to reject many known virus types, but a regularly updated virus scanner is still required to catch new viruses. Once these new executable content viruses have been analysed, additional patterns can be created and added to the patterns database as required. It is envisaged that new patterns would be added infrequently.
This pattern matching feature should be used in conjunction with virus scanning software and spam filtering software, although these programs will have a lot less work to do. Pattern blocking should be compatible with other brands of virus & spam software based programs. They generally scan or filter the message after it has been accepted by the servers mail system. Pattern blocking occurs before the message is accepted, and if a matching occurs the message is rejected so it would never be scanned by secondary software based systems. Incompatibilities are therefore unlikely.
Additional patterns can be added to the database after install is completed. Also see separate section below for information on analysing, creating & adding patterns.
An additional feature recommended to implement is RBL List blocking using qpsmtp, to reject spam messages from senders that are included on RBL lists. This technique will dramatically reduce the amount of spam entering the server. You should also consider the additional Spam Blocking measures generally
Enabling Pattern Matching
There is a menu box in the server manager Email panel which allows executable content blocking to be enabled or disabled. It is disabled by default. Use "Ctrl click" to highlight or un-highlight the various groups of file types, and then click the Save button to enable/disable pattern matching.
Analyzing and creating patterns
Common file patterns (or signatures or magic)
The standard patterns enabled by default are:
Windows executables seen in active viruses
Additional Windows executable signatures not yet seen in viruses
ZIP file signature seen in SoBig.E and mydoom
- UEsDBAoAA (this pattern is blocked - zip v1.0 format)
- UEsDBBQAA (this pattern is NOT blocked by default - zip v2.0 format
GIF file found in a previous Microsoft virus
A recent pattern identified for the Worm.SomeFool.P virus
(Identified as MS-DOS executable)
Extra patterns not included in the default database that may be enabled if required for blocking of multimedia files etc (long & short versions listed)
SCR screen saver files - MS-DOS executable (EXE)
- Example: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- Pattern: TVqQAAMAAA
PIF1 - data
- Example: AHhUYXggMTk5OCAgICAgICAgICAgICAgICAgICAgICCAAgAAWTpcSFNPRlRcSFQ5OFxIVDk4LkVY
- Pattern: AHhUYXgg
PIF2 - data
- Example: AMlIbDk5LmV4ZSAgICAgICAgICAgICAgICAgICAgICCAAIAAVDpccHJpdmF0ZVxIc29mdFxITFxI
- Pattern: AMlIbDk5Lm
PIF3 - data
- Example: AHhIYW5kaVJlZ2lzdGVyIDIwMDAgICAgICAgICAgICCAAgAAWTpcSHNvZnRcSFJcSFIwMC5FWEUA
- Pattern: AHhIYW5k
WAV sound file - data
- Example: UklGRiRwLgBXQVZFZm10IBAAAAABAAIAgLsAAADuAgAEABAAZGF0YQBwLgAAAAAAAAAAAAAAAAAA
- Pattern: Uk1GRiRwL
JPEG image data, JFIF standard 0.00, aspect ratio, 0 x 0
- Example: /9j/4AAQSkZJRgABAgEBLAEsAAD/7RLSUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABABLAAAAAEA
- Pattern: /9j/4AAQSkZJRg
TIF - TIFF image data, little-endian
- Example: SUkqAAgAAAAQAP4ABAABAAAAAAAAAAABAwABAAAAJgMAAAEBAwABAAAAQAUAAAIBAwADAAAAzgAA
- Pattern: SUkqAAgAAAA
PPT powerpoint presentation -Microsoft Office Document
- Example: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAADEAwAAIRgBAAAAAAAA
- Pattern: 0M8R4KGxGuEA
WMV Windows Media Player video file - Microsoft ASF
- Example: MCaydY5mzxGm2QCqAGLObH8PAAAAAAAACwAAAAECodyrjEepzxGO5ADADCBTZWgAAAAAAAAAeeIB
- Pattern: MCaydY5mzxGm
MPG mpeg1 video file - MPEG system stream data
- Example: AAABuiEAAQAHgCgdAAABuwAMgCgdBeH/4OAuwMAgAAAB4AfcYC4xAAGMUREAAXAxAAABsxYBIIME
- Pattern: AAABuiEAAQAHg
M2P mpeg2 video file - MPEG system stream data
- Example: AAABukQABAAGBQFG//gAAAG7AAyAo38F4X/g4OfAwCAAAAHgB9qAwQ0xAAG2QxEAAZojHmDnAAAB
- Pattern: AAABukQABAAGB
AVI video file - RIFF (little-endian) data
- Example: UklGRpC0qQBBVkkgTElTVDYBAABoZHJsYXZpaDgAAABAnAAA5MJnAAAAAAAQAAEAWggAAAAAAAAC
- Pattern: UklGRpC0qQBB
Determining file pattern, signature or magic
To find out what the pattern or signature or magic for a file is, it needs to be run through a base64 encoding routine and the appropriate strings determined from the first line of the output. That is, for "sane" files which have "magic" numbers at the start. The file can also be decoded to find out what type of it is. Published file specifications (where available) could also be referred to.
Copy a file to a folder on SME Server, say filename.zip
At the command prompt do
perl -MMIME::Base64 -0777 -ne 'print encode_base64($_)' <filename.zip | head -1
This gives an output of
A suitable substring needs to be picked to use as the pattern for this file type, for example:
The pattern string needs to be long enough to avoid "false positives" and short enough to catch all of that file type. Running the above command across a few files of a particular type will usually clearly show the appropriate substring.
To find out the file type details
echo 'UEsDBAoAA' | perl -MMIME::Base64 -0777 -ne 'print decode_base64($_)' >/tmp/17.exe
then run "file" on the result
the output is
/tmp/17.exe: Zip archive data, at least v1.0 to extract
which identifies the type of file
An alternative way of identifying the file pattern or signature for users of Clamavis-ng is to view the quarantined messages in /var/spool/amavis-ng/quarantine
Here is an extract from a quarantined infected message that mimics a zip file
File: 406a8bee~aad.msg Col 0 30787 bytes ----------mtohkeqkmfnipbfntepj Content-Type: application/octet-stream; name="AttachedFile.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="AttachedFile.zip"
So to create a new pattern for this message use
which is the pattern corresponding to ZIPV1 file type
UEsDBAoAA: Zip archive data, at least v1.0 to extract
Enabling or disabling patterns
Mailpatterns DB File
The definitions and patterns etc for the various file types are stored in the SME Server configuration database file mailpatterns. The property fields in the database for each defined file type are:
- pattern key - the type of the entry in the database (currently only the "pattern" type is used)
- Body - the substring to match
- Description - free format text to describe this pattern. This text will be used to display a menu of patterns to enable/disable in a later version
- Glob - whether to apply a wildcard match after the pattern
- LineStart - whether to only match this pattern at the start of the line
- Status - whether this pattern is currently enabled (i.e. blocked)
In general, to add a pattern to the database for a file with pattern <Signature> and file type <XYZ>, and enable it
/sbin/e-smith/db mailpatterns set <Signature> pattern Body <Signature> Description "<XYZ> file <Signature>)" Glob yes LineStart yes Status enabled signal-event email-update
To disable the pattern do:
/sbin/e-smith/db mailpatterns setprop <FILETYPE> Status disabled signal-event email-update
Some specific examples follow.
Executable Type Files
To add a pattern to the existing Executable type files (which should be done if new patterns are discovered for common new MSDOS Executable type viruses)
A pattern analysed from an email message received is
To add this to the db entries and enable it do:
/sbin/e-smith/db mailpatterns set TVoAAD8AA pattern Body TVoAAD8AA Description "PC executables (TVoAAD8AA)" Glob yes LineStart yes Status enabled signal-event email-update
To check the entry is correct do:
/sbin/e-smith/db mailpatterns show TVoAAD8AA
which gives an output of
TVoAAD8AA=pattern Body=TVoAAD8AA Description=PC executables (TVoAAD8AA) Glob=yes LineStart=yes Status=enabled
PIF2 Type Files
To enable the pattern for PIF2 type files (which should be done to block some PIF attachments)
A pattern being tested for this file type is
To add this to the db entries and enable it do:
/sbin/e-smith/db mailpatterns set AMlIbDk5Lm pattern Body AMlIbDk5Lm Description "PIF2 file (AMlIbDk5Lm)" Glob yes LineStart yes Status enabled signal-event email-update
To check the entry is correct do:
/sbin/e-smith/db mailpatterns show PIF2
which gives an output of
AMlIbDk5Lm=pattern Body=AMlIbDk5Lm Description=PIF2 file (AMlIbDk5Lm) Glob=yes LineStart=yes Status=enabled
Modifying the default database
An alternative approach is to modify the default patterns loaded in the configuration database.
initialize-default-databases loads the db with fragments from /etc/e-smith/db. When new patterns are added to the master rpm, new fragments are also added.
Taking the PIF2 example above, to add a pattern to the default set do:
mkdir -p /etc/e-smith/db/mailpatterns/defaults/AMlIbDk5Lm/
and in that directory, create the following files with content shown:
type pattern Body AMlIbDk5Lm Description PIF2 file (AMlIbDk5Lm) Glob yes Status enabled
which will load the default settings
To show all the patterns in the mailpatterns database & their status (enabled or disabled) do
/sbin/e-smith/db mailpatterns show
Check logs for the effectiveness of blocking messages with executable content in the attachments
By reviewing /var/log/qpsmtpd/current and /var/log/qpsmtpd/* entries for rejected messages can be seen with generally enough information as to why the rejection occurred, and therefore the effectiveness of Pattern Matching blocking.
If all of the types of entries shown below are not seen, it will either be due to not having the particular Pattern enabled or not receiving attachments with that type of content.
Date formatted logs can be viewed using the Server Manager View log files panel
To see ALL the log entries do
grep "" /var/log/qpsmtpd/current | tai64nlocal
To see only the rejected message entries and the reason for rejection do
grep "We don't accept email with executable content" /var/log/qpsmtpd/current | tai64nlocal
Here is an example of some typical entries
2004-04-15 12:32:11.892522500 qpsmtp: 554 We don't accept email with executable content ZIPV1 (#5.3.4) 2004-04-15 15:23:40.765202500 qpsmtp: 554 We don't accept email with executable content EXE01 (#5.3.4) 2004-04-15 15:33:08.132041500 qpsmtp: 554 We don't accept email with executable content EXE12 (#5.3.4) 2004-04-15 15:33:09.021650500 qpsmtp: 554 We don't accept email with executable content PIF (#5.3.4)
Alternatively filter on the pattern type code to see how many messages with a particular type of executable content are being rejected
grep EXE01 /var/log/qpsmtpd/current | tai64local
2004-04-15 15:23:40.765202500 qpsmtp: 554 We don't accept email with executable content EXE01 (#5.3.4) 2004-04-15 15:33:08.132041500 qpsmtp: 554 We don't accept email with executable content EXE01 (#5.3.4) 2004-04-15 15:33:09.021650500 qpsmtp: 554 We don't accept email with executable content EXE01 (#5.3.4) 2004-04-15 15:33:24.986426500 qpsmtp: 554 We don't accept email with executable content EXE01 (#5.3.4)
Web sites for background information
These links may be of interest. Note that they do not specifically apply to SME Server, so DO NOT implement them. They are listed for background information only.
Prior version of this Howto for sme6.x
Here is a link to an earlier old HowTo written for sme6.x.