Filter Match Field

j0k4b0
Apr 1, 2016
Hi,

I'm currently tuning the mail proxy for some spam emails.

For testing I use the following test: https://www.emailsecuritycheck.net/

It sends emails that, among other things, carry the following attachment:
Code:
--XXX
Content-Type: application/x-msdownload;
 name*0*="''attached%2E";
 name*1*="%62";
 name*2=at
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename*0*="''attached%2E";
 filename*1*="%62";
 filename*2=at

echo Your system is vulnerable
pause

--XXX--
Code:
--XXX
Content-Type: application/x-msdownload;
 "name"=attached.bat
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 "filename"=attached.bat

echo Your system is vulnerable
pause

--XXX--

How exactly can I filter these email attachments?

I tried the following:
Field: *filename*
Value: *.*(bat|sh|bash|exe|vbs|msi|pif|lnk|shs|shb|\%)*

The test string works as well, but I suspect the field isn't being recognized correctly. When I try to go further in the direction of a regex, I get the following error:
"Parameter verification failed. (400)

field: value does not match the regex pattern"

I hope you can help me! Many thanks.
 
Why do you want to block it by filename? Just use the "Content Type Filter" directly and set the value "application/x-msdownload".

I ran the test myself as well and extended my "Dangerous Content" accordingly. 5 mails arrive in my mailbox, none of them with the attachment anymore; one is in the spam quarantine and the other in the virus quarantine.

Some of it is probably now covered twice, since both the file name and the MIME type are checked.
Code:
root@spam01:/# pmgsh get /config/ruledb/what/8/objects
200 OK
[
   {
      "contenttype" : "application/dos-exe",
      "descr" : "content-type=application/dos-exe",
      "id" : "50",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/exe",
      "descr" : "content-type=application/exe",
      "id" : "48",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/javascript",
      "descr" : "content-type=application/javascript",
      "id" : "16",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/msdos-windows",
      "descr" : "content-type=application/msdos-windows",
      "id" : "53",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-dosexec",
      "descr" : "content-type=application/x-dosexec",
      "id" : "47",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-elf",
      "descr" : "content-type=application/x-elf",
      "id" : "56",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-exe",
      "descr" : "content-type=application/x-exe",
      "id" : "49",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-executable",
      "descr" : "content-type=application/x-executable",
      "id" : "17",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-java",
      "descr" : "content-type=application/x-java",
      "id" : "15",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-ms-dos-executable",
      "descr" : "content-type=application/x-ms-dos-executable",
      "id" : "18",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-ms-installer",
      "descr" : "content-type=application/x-ms-installer",
      "id" : "55",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-msdownload",
      "descr" : "content-type=application/x-msdownload",
      "id" : "46",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-sh",
      "descr" : "content-type=application/x-sh",
      "id" : "57",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "application/x-winexe",
      "descr" : "content-type=application/x-winexe",
      "id" : "52",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "message/partial",
      "descr" : "content-type=message/partial",
      "id" : "19",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "text/x-perl",
      "descr" : "content-type=text/x-perl",
      "id" : "58",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "text/x-python",
      "descr" : "content-type=text/x-python",
      "id" : "59",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "contenttype" : "vms/exe",
      "descr" : "content-type=vms/exe",
      "id" : "51",
      "ogroup" : 8,
      "otype" : 3003,
      "otype_text" : "ContentType Filter",
      "receivertest" : 0
   },
   {
      "descr" : "filename=.*\\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)",
      "filename" : ".*\\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)",
      "id" : "20",
      "ogroup" : 8,
      "otype" : 3004,
      "otype_text" : "Match Filename",
      "receivertest" : 0
   },
   {
      "descr" : "filename=.*\\.\\{.+\\}",
      "filename" : ".*\\.\\{.+\\}",
      "id" : "21",
      "ogroup" : 8,
      "otype" : 3004,
      "otype_text" : "Match Filename",
      "receivertest" : 0
   }
]
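As an added illustration (not part of either post, and not PMG's own matching engine), here is a small Python script that parses both attachment variants from the question with the standard library's email module and runs them against the objects listed above: the content-type set and the "Match Filename" regex of object 20. It shows why the content-type object is the more robust of the two: variant 1 only yields "attached.bat" after RFC 2231 continuation decoding, and for variant 2 (quoted parameter name, `"filename"=attached.bat`) the parser recovers no filename at all, so only the content-type object fires. Assumptions: the regex is applied anchored and case-insensitively to the whole decoded filename, a group counts as hit when any one object matches, and the two sample messages are constructed here from the snippets in the question. How PMG's own parser handles the quoted variant is not shown on this page.

```python
import email
import re
from email.message import Message

# Two constructed test messages modelled on the attachment variants quoted in
# the question. Variant 1 splits the filename over RFC 2231 parameter
# continuations (filename*0*, filename*1*, filename*2); variant 2 quotes the
# parameter *name* itself ("filename"=...), which is not valid MIME syntax.
_HEAD = (
    "From: sender@example.test\n"
    "To: user@example.test\n"
    "Subject: emailsecuritycheck attachment variant (constructed sample)\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XXX"\n'
    "\n"
    "--XXX\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attachment.\n"
)
# Inert body text as quoted on the page; nothing here is executed.
_BODY = "\necho Your system is vulnerable\npause\n\n--XXX--\n"

MSG_RFC2231 = _HEAD + (
    "--XXX\n"
    "Content-Type: application/x-msdownload;\n"
    " name*0*=\"''attached%2E\";\n"
    " name*1*=\"%62\";\n"
    " name*2=at\n"
    "Content-Transfer-Encoding: 7bit\n"
    "Content-Disposition: attachment;\n"
    " filename*0*=\"''attached%2E\";\n"
    " filename*1*=\"%62\";\n"
    " filename*2=at\n"
) + _BODY

MSG_QUOTED_NAME = _HEAD + (
    "--XXX\n"
    "Content-Type: application/x-msdownload;\n"
    ' "name"=attached.bat\n'
    "Content-Transfer-Encoding: 7bit\n"
    "Content-Disposition: attachment;\n"
    ' "filename"=attached.bat\n'
) + _BODY

# "ContentType Filter" objects of the answerer's "Dangerous Content" group,
# copied from the pmgsh output above.
DANGEROUS_CONTENT_TYPES = {
    "application/dos-exe", "application/exe", "application/javascript",
    "application/msdos-windows", "application/x-dosexec", "application/x-elf",
    "application/x-exe", "application/x-executable", "application/x-java",
    "application/x-ms-dos-executable", "application/x-ms-installer",
    "application/x-msdownload", "application/x-sh", "application/x-winexe",
    "message/partial", "text/x-perl", "text/x-python", "vms/exe",
}

# "Match Filename" object id 20 from the same group. Assumption: it is applied
# as an anchored, case-insensitive match against the whole decoded filename.
FILENAME_PATTERN = (
    r".*\.(bat|vbs|pif|lnk|shs|shb|ade|adp|chm|cmd|com|cpl|exe|hta|ins|isp|jse"
    r"|lib|mde|msc|msp|mst|scr|sct|sys|vb|vbe|vxd|wsc|wsf|wsh|reg)"
)
FILENAME_RE = re.compile(FILENAME_PATTERN, re.IGNORECASE)


def attachment_filenames(raw_message: str) -> list:
    """Decoded filename of every attachment part (None where the parser
    cannot recover one). get_filename() performs the RFC 2231 decoding."""
    msg = email.message_from_string(raw_message)
    return [
        part.get_filename()
        for part in msg.walk()
        if not part.is_multipart()
        and part.get_content_disposition() == "attachment"
    ]


def matching_objects(raw_message: str) -> list:
    """Descriptions (in pmgsh 'descr' style) of every object in the group that
    some part of the message triggers. Assumed group semantics: any single
    matching object is a hit."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()   # main type only, parameters ignored
        fname = part.get_filename()       # None for the quoted-name variant
        if ctype in DANGEROUS_CONTENT_TYPES:
            hits.append("content-type=" + ctype)
        if fname and FILENAME_RE.fullmatch(fname):
            hits.append("filename=" + FILENAME_PATTERN)
    return hits


if __name__ == "__main__":
    for label, raw in (("RFC 2231", MSG_RFC2231), ("quoted name", MSG_QUOTED_NAME)):
        print(label, attachment_filenames(raw), matching_objects(raw))
```

Running it shows the double coverage the answer mentions for variant 1 (both objects fire) and the gap for variant 2, where only the content-type object fires because no filename can be extracted; that is exactly the case a filename-only rule would miss.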