2015/02/03

MailScanner false-positive problems



The attachment of the notification mail:

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "PI-9136%28200201.pdf"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

If you wish to receive a copy of the original attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Mon Feb  2 22:27:22 2015 the virus scanner said:
   MailScanner: Attempt to hide real filename extension (PI-9136%28200201.pdf)

Note to Help Desk: Look on the lnx02 MailScanner in /var/spool/MailScanner/quarantine/20150202 (message 45E9411E30.AA5AE).
--
Postmaster

For all your IT requirements visit: http://www.transtec.co.uk

Explanation:
MailScanner has a rule that treats a duplicated file extension as a sign of a malicious attachment: the attachment is quarantined and a notification is sent to the user and to the administrator.

Looking at the message above, the extension is in fact not duplicated. The real problem is that the filename contains the special character sequence %28, which made MailScanner misjudge it.
Also, because Windows users normally do not see file extensions, they often type an extension themselves when naming a file.
This kind of double-named extension triggers the same false positive.
So this rule was turned off to avoid the false positives.
Setting:
/etc/Mailscanner/filename.rules.conf
# Deny all other double file extensions. This catches any hidden filenames.
allow  \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding                          Attempt to hide real filename extension

While testing with a plain-text file whether a double-extension attachment could now get through, another problem appeared:

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "msg-9356-13.txt.txt"
is on the list of unacceptable attachments for this site and has been
replaced by this warning message.

If you wish to receive a copy of the original attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Tue Feb  3 11:31:51 2015 the virus scanner said:
   MailScanner: No programs allowed (msg-9356-13.txt.txt)

Note to Help Desk: Look on the lnx02 MailScanner in /var/spool/MailScanner/quarantine/20150203 (message 1978111E30.A783B).
--
Postmaster

For all your IT requirements visit: http://www.transtec.co.uk

What was sent was clearly a plain-text file (it begins with the Chinese character 這), with the following content:

This is the read receipt for the e-mail message you sent
on 2015/2/2 05:12 PM

This receipt confirms that the message was displayed on the recipient's computer on 2015/2/2 05:48 PM

Yet it produced this error message:
   MailScanner: No programs allowed (msg-9356-13.txt.txt)

The detailed explanation is here:

This is because "file -i" uses a totally different file of "magic
strings" to look for than the normal "file" command does without the "-i".
I would fix it by finding the string in your normal "magic" file that
triggers the "COM executable" result and comment it out.
My line (RHEL 5) looks like this:
0      byte            0xe9            DOS executable (COM)
so you're looking for a line like that, in /usr/share/file/magic (though
the location of your "magic" file may vary and will be documented in
"man file" output).

The original setting uses the file command

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

to determine what type a file is.

When file is run without any options, as soon as it sees a magic string in the data it classifies the file as an executable.

The MailScanner author has promised that a later version will fix this; until then, the workaround is to change the options passed to file in the MailScanner configuration:

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file -i

With this, the false-positive problem no longer occurs.

After changing the setting, I tried sending a zip archive containing an .exe from Gmail; Gmail refused to send it, saying it contained an .exe.

So I tried sending the zip with the .exe from Yahoo instead. Yahoo sent it, and our MailScanner detected the .exe and quarantined the message, notifying the user and the administrator that it was quarantined because of the .exe.

The last remaining problem is how to retrieve a quarantined message.
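As an added example (not part of the original post), the following shell script reproduces the two checks discussed above on constructed data: the regex is the double-extension rule quoted from filename.rules.conf, and the sample file is the read receipt from the post, assumed to be saved as UTF-8, in which the first character 這 is encoded as E9 80 99, so the file's first byte is 0xE9, exactly the value the quoted magic line labels "DOS executable (COM)". The function names and the case-insensitive matching are assumptions of this example.

```shell
#!/bin/sh
# Added example: reproduce the MailScanner double-extension rule and the
# first-byte check that explains why "file" mistook a text file for a COM
# executable. Function names are hypothetical; nothing here is MailScanner code.

# The default double-extension rule from filename.rules.conf (the post changed
# it from deny to allow). \s is written as [[:space:]] for POSIX grep -E.
DOUBLE_EXT='\.[a-z][a-z0-9]{2,3}[[:space:]]*\.[a-z0-9]{3}$'

# matches_double_ext NAME -> exit 0 if the rule would fire on NAME, 1 otherwise.
# Matching is done case-insensitively (assumed to mirror MailScanner's rules).
matches_double_ext() {
    printf '%s\n' "$1" | grep -Eiq "$DOUBLE_EXT"
}

# first_byte_hex FILE -> lowercase hex of the file's first byte, e.g. "e9".
# This is the byte "file" compares against magic entries at offset 0.
first_byte_hex() {
    head -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# make_receipt FILE: write a constructed UTF-8 plain-text receipt like the one
# in the post. Its first character 這 starts with byte 0xE9.
make_receipt() {
    printf '這是您傳送電子郵件訊息的回條\n' > "$1"
}

# Stand-alone demonstration.
for name in 'msg-9356-13.txt.txt' 'invoice.pdf.exe' 'report.pdf'; do
    if matches_double_ext "$name"; then
        echo "$name: double-extension rule fires"
    else
        echo "$name: no match"
    fi
done
tmp=$(mktemp)
make_receipt "$tmp"
echo "first byte of receipt: 0x$(first_byte_hex "$tmp")"
rm -f "$tmp"
```

Note that the rule fires on the harmless Windows-style "msg-9356-13.txt.txt" and on "invoice.pdf.exe" alike; turning it off removes the first false positive, so the separate .exe rule is what still stops the second.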


The script, slightly modified, is as follows:

#!/bin/sh

if [ -z "$1" ]; then
        echo "Syntax: release.sh <quarantine-id>, e.g. 5B604228086.932F0 (case sensitive)"
        exit 1
fi

# change into the quarantine folder for this message
folder=`find /var/spool/MailScanner/quarantine/ -name "$1"`
if [ -z "$folder" ]; then
        echo "Message $1 not found in quarantine"
        exit 1
fi
cd "$folder" || exit 1

# set the mail file executable (Postfix treats a queue file with the
# execute bit set as complete and ready for delivery)
mailname=`echo "$1" | cut -d . -f 1`
chmod u+x "$mailname"

# get the first character of the queue id (Postfix hashes the incoming queue by it)
char=`echo "$1" | cut -b 1-1`

# in testing the directory always had to be created first, probably because of the newer postfix version
sudo -u postfix mkdir -p /var/spool/postfix/incoming/$char

# copy the mail back into the Postfix incoming queue
cp -a "$mailname" /var/spool/postfix/incoming/$char/

echo "Mail $mailname released"

After running the release script, the message is re-queued and forwarded to Exchange.

However, Exchange discards the message, because a message with the same Message-ID was already delivered within the last hour.


The article referred to above mentions that this is an Exchange safety mechanism, intended to prevent a duplicate mail flood attack.

So a duplicate message (identified by its Message-ID) is not accepted again within one hour.
