Filter Match Field

j0k4b0

Apr 1, 2016
Hi,

I am currently optimizing the mail proxy for some SPAM e-mails.

For testing I use the following test: https://www.emailsecuritycheck.net/

It sends e-mails which, among other things, carry the following attachment:
Code:
--XXX
Content-Type: application/x-msdownload;
 name*0*="''attached%2E";
 name*1*="%62";
 name*2=at
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename*0*="''attached%2E";
 filename*1*="%62";
 filename*2=at

echo Your system is vulnerable
pause

--XXX--
Code:
--XXX
Content-Type: application/x-msdownload;
 "name"=attached.bat
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 "filename"=attached.bat

echo Your system is vulnerable
pause

--XXX--

How exactly can I filter these e-mail attachments?

I had tried the following:
Field: *filename*
Value: *.*(bat|sh|bash|exe|vbs|msi|pif|lnk|shs|shb|\%)*

The test string works too, but I suspect that the field is not being recognized correctly. When I try to go further in the direction of a regex there, I get the following error:
"Parameter verification failed. (400)

field: value does not match the regex pattern"

I hope you can help me! Many thanks.
 
Why do you want to block that by filename? Just use the "Content Type Filter" directly and set the value "application/x-msdownload".

I also ran the test, though, and have now extended my "Dangerous Content" accordingly. 5 mails land in my mailbox, none of them with the attachment any more, one is in the spam quarantine and the other in the virus quarantine.

Some of this is surely covered twice now, since both the file name and the MIME type are checked.
Code:
root@spam01:/# pmgsh get /config/ruledb/what/8/objects
200 OK
[
   {
      "contenttype" : "application/dos-exe",
      "descr" : "content-type=application/dos-exe",
      "id" : "50",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/exe",
      "descr" : "content-type=application/exe",
      "id" : "48",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/javascript",
      "descr" : "content-type=application/javascript",
      "id" : "16",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/msdos-windows",
      "descr" : "content-type=application/msdos-windows",
      "id" : "53",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-dosexec",
      "descr" : "content-type=application/x-dosexec",
      "id" : "47",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-elf",
      "descr" : "content-type=application/x-elf",
      "id" : "56",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-exe",
      "descr" : "content-type=application/x-exe",
      "id" : "49",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-executable",
      "descr" : "content-type=application/x-executable",
      "id" : "17",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-java",
      "descr" : "content-type=application/x-java",
      "id" : "15",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-ms-dos-executable",
      "descr" : "content-type=application/x-ms-dos-executable",
      "id" : "18",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-ms-installer",
      "descr" : "content-type=application/x-ms-installer",
      "id" : "55",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-msdownload",
      "descr" : "content-type=application/x-msdownload",
      "id" : "46",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-sh",
      "descr" : "content-type=application/x-sh",
      "id" : "57",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-winexe",
      "descr" : "content-type=application/x-winexe",
      "id" : "52",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "message/partial",
      "descr" : "content-type=message/partial",
      "id" : "19",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "text/x-perl",
      "descr" : "content-type=text/x-perl",
      "id" : "58",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "text/x-python",
      "descr" : "content-type=text/x-python",
      "id" : "59",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "vms/exe",
      "descr" : "content-type=vms/exe",
      "id" : "51",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "descr" : "filename=.*\\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)",
      "filename" : ".*\\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)",
      "id" : "20",
      "ogroup" : 8,
      "otype" : 3004,
      "otype_text" : "Match Filename",
      "receivertest" : 0
   },
   {
      "descr" : "filename=.*\\.\\{.+\\}",
      "filename" : ".*\\.\\{.+\\}",
      "id" : "21",
      "ogroup" : 8,
      "otype" : 3004,
      "otype_text" : "Match Filename",
      "receivertest" : 0
   }
]
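An added example, not code from the thread or from Proxmox: a small Python check that reassembles and decodes the RFC 2231 continuation parameters of the first test attachment (and tolerates the quoted parameter names of the second) before applying the filename regex and a few of the content types from the pmgsh output above. It shows why a regex over the raw header text alone misses the first case while the decoded name matches; matching the whole decoded name, latin-1 decoding of %XX bytes and ';'-free quoted values are assumptions of this example.

```python
import re
# Constructed copies of the two test attachments' headers quoted in the thread.
PART_RFC2231 = ("Content-Type: application/x-msdownload;\n name*0*=\"''attached%2E\";\n"
                " name*1*=\"%62\";\n name*2=at\nContent-Disposition: attachment;\n"
                " filename*0*=\"''attached%2E\";\n filename*1*=\"%62\";\n filename*2=at\n")
PART_QUOTED = ("Content-Type: application/x-msdownload;\n \"name\"=attached.bat\n"
               "Content-Disposition: attachment;\n \"filename\"=attached.bat\n")
# Patterns from the pmgsh output above (Match Filename 20, ContentType Filter); whole-name match is an assumption.
NAME_RE = re.compile(r".*\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)", re.I)
BAD_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-sh"}

def unfold(headers):
    """Unfold continuation lines into {lowercase header name: value}."""
    out, last = {}, None
    for line in headers.splitlines():
        if line[:1] in " \t" and last:
            out[last] += " " + line.strip()
        elif ":" in line:
            last, _, val = line.partition(":")
            last = last.strip().lower()
            out[last] = val.strip()
    return out

def parse_params(value):
    """Split 'main; p=v; q*0*=v ...' into (main, {param: decoded value}); tolerates quoted
    parameter names and reassembles/%-decodes RFC 2231 continuations (latin-1 assumed)."""
    main, *items = [p.strip() for p in value.split(";")]
    segs = {}
    for item in items:
        name, eq, val = (s.strip().strip('"') for s in item.partition("="))
        m = re.fullmatch(r"([^*]+)(?:\*(\d+))?(\*)?", name.lower())
        if not eq or not m:
            continue
        base, idx, enc = m.group(1), int(m.group(2) or 0), bool(m.group(3))
        if enc:  # *-marked: segment 0 starts with charset'lang', then %XX bytes
            val = val.split("'", 2)[-1] if idx == 0 else val
            val = re.sub(r"%([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), val)
        segs.setdefault(base, []).append((idx, val))
    return main.lower(), {b: "".join(v for _, v in sorted(p)) for b, p in segs.items()}

def classify(part):
    """Declared type, decoded name, a raw-header regex hit, and the two PMG-style checks."""
    h = unfold(part)
    ctype, cp = parse_params(h.get("content-type", ""))
    _, dp = parse_params(h.get("content-disposition", ""))
    name = dp.get("filename") or cp.get("name") or ""
    return {"type": ctype, "filename": name,
            "raw_name_match": bool(NAME_RE.search(h.get("content-disposition", ""))),
            "name_match": bool(NAME_RE.fullmatch(name)), "type_match": ctype in BAD_TYPES}
```

For the first part the result has raw_name_match False but name_match True, which is the gap a filename rule evaluated on undecoded headers would leave; the content-type check catches both parts.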