PMG v8.0.7 Mail with tgz attachment and an exe file inside

gonza55

Hello,
Last week I upgraded PMG to version 8.0.7.
I have a rule to scan and block dangerous files. I think that with version 7 of PMG it was working fine, but I detected an email with a TGZ attachment that had an executable (virus) inside, and PMG v8 has not quarantined it.
Best regards,

The mail log:
Sep 06 13:38:31 mail postfix/smtpd[108980]: connect from dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:31 mail postfix/smtpd[108980]: Anonymous TLS connection established from dd40514.kasserver.com[85.13.132.128]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Sep 06 13:38:31 mail pmgpolicy[108622]: SPF says pass
Sep 06 13:38:31 mail postfix/smtpd[108980]: D7DF520B25: client=dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:31 mail postfix/cleanup[108988]: D7DF520B25: message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:32 mail postfix/qmgr[778]: D7DF520B25: from=<info@karosserie-johannes.de>, size=581338, nrcpt=1 (queue active)
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 2023/09/06-13:38:32 CONNECT TCP Peer: "[127.0.0.1]:46758" Local: "[127.0.0.1]:10024"
Sep 06 13:38:32 mail postfix/smtpd[108980]: disconnect from dd40514.kasserver.com[85.13.132.128] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: new mail message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: found archive 'Transaccion_202207271553175701_8000044177100-1.tgz' (application/gzip)
Sep 06 13:38:32 mail pmg-smtp-filter[108954]: 214D164F864B844A95: unpack archive 'Transaccion_202207271553175701_8000044177100-1.tgz' done (67 ms)
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: SA score=0/5 time=0.766 bayes=0.00 autolearn=ham autolearn_force=no hits=BAYES_00(-1.9),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),HTML_IMAGE_ONLY_20(1.546),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_HI(-5),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Sep 06 13:38:33 mail postfix/smtpd[108994]: connect from localhost.localdomain[127.0.0.1]
Sep 06 13:38:33 mail postfix/smtpd[108994]: 6C26721508: client=localhost.localdomain[127.0.0.1], orig_client=dd40514.kasserver.com[85.13.132.128]
Sep 06 13:38:33 mail postfix/cleanup[109012]: 6C26721508: message-id=<20230906113517.7A01EB9C2BBB@dd40514.kasserver.com>
Sep 06 13:38:33 mail postfix/qmgr[778]: 6C26721508: from=<info@karosserie-johannes.de>, size=582508, nrcpt=1 (queue active)
Sep 06 13:38:33 mail postfix/smtpd[108994]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: accept mail to <xxxxxx@xxxxxx.xxx> (6C26721508) (rule: default-accept)
Sep 06 13:38:33 mail postfix/smtp[109017]: Untrusted TLS connection established to 172.26.0.xx[172.26.0.xx]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 06 13:38:33 mail pmg-smtp-filter[108954]: 214D164F864B844A95: processing time: 1.23 seconds (0.766, 0.283, 0)
Sep 06 13:38:33 mail postfix/lmtp[108989]: D7DF520B25: to=<xxxxxx@xxxxxx.xxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.39/0/0.04/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (214D164F864B844A95))
Sep 06 13:38:33 mail postfix/qmgr[778]: D7DF520B25: removed
Sep 06 13:38:33 mail postfix/smtp[109017]: 6C26721508: to=<xxxxxx@xxxxxx.xxx>, relay=172.26.0.xx[172.26.0.xx]:25, delay=0.23, delays=0.08/0/0.01/0.14, dsn=2.6.0, status=sent (250 2.6.0 <20230906113517.7A01EB9C2BBB@dd40514.kasserver.com> [InternalId=215006062837934, Hostname=xxxx.xxxxxxx.local] 583849 bytes in 0.123, 4629,109 KB/sec Queued mail for delivery)
Sep 06 13:38:33 mail postfix/qmgr[778]: 6C26721508: removed


Mail Filter Rule (screenshot)
Could you please tell us what the file inside the tgz is called? Also, what does `file` say the content type of the file is?
 
Hello,
I think the problem may have come about because inside the TGZ attachment there was a TAR file, and inside that there was an EXE file (virus).
Is it right?
Can I quarantine the mail in these situations?
Best regards,
Is it right?
I don't think so - but you can try this as well

please provide the information I requested:
* `file attachment.tgz`
* `tar -xzf attachment.tgz` (unpacks the tarball)
* `file <contents of the .tgz>`
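The request above boils down to unpacking each layer and checking the content type of what is inside. As an added example (not PMG's own code and not posted in this thread), the following Python does that recursively over a constructed tgz -> tar -> exe chain, sniffing a few magic bytes in place of `file`; the names `sniff`, `inspect_nested` and `build_sample` are the example's own.

```python
import gzip
import io
import tarfile

# Minimal magic-byte sniffing, standing in for what `file` reports.
# Constructed for this example; not PMG's detection logic.
def sniff(data: bytes) -> str:
    if data[:2] == b"\x1f\x8b":
        return "application/gzip"
    if data[:2] == b"MZ":
        return "application/x-dosexec"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "application/x-tar"
    return "application/octet-stream"

def inspect_nested(name: str, data: bytes, depth: int = 0, max_depth: int = 8):
    """Unpack gzip/tar layers recursively; return [(depth, path, type), ...]."""
    kind = sniff(data)
    found = [(depth, name, kind)]
    if depth >= max_depth:          # bound recursion against deeply nested archives
        return found
    if kind == "application/gzip":
        found += inspect_nested(name + "!gunzip", gzip.decompress(data), depth + 1, max_depth)
    elif kind == "application/x-tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for member in tar.getmembers():
                if member.isfile():   # only regular files carry a payload to sniff
                    payload = tar.extractfile(member).read()
                    found += inspect_nested(name + "!" + member.name, payload, depth + 1, max_depth)
    return found

def build_sample() -> bytes:
    """Constructed sample: .tgz -> .tar -> .exe (an MZ header stub, not a real program)."""
    fake_exe = b"MZ" + b"\x00" * 62
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as tar:
        info = tarfile.TarInfo("Transaccion.exe"); info.size = len(fake_exe)
        tar.addfile(info, io.BytesIO(fake_exe))
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w") as tar:
        info = tarfile.TarInfo("Transaccion.tar"); info.size = len(inner.getvalue())
        tar.addfile(info, io.BytesIO(inner.getvalue()))
    return gzip.compress(outer.getvalue())

def executables_in(name: str, data: bytes):
    """Paths (with nesting depth) of every DOS/PE executable found at any layer."""
    return [(d, p) for d, p, t in inspect_nested(name, data) if t == "application/x-dosexec"]

if __name__ == "__main__":
    for d, p, t in inspect_nested("Transaccion.tgz", build_sample()):
        print("  " * d + f"{p}: {t}")
```

Nothing is written to disk; each member is read into memory and sniffed, so tar path names never touch the filesystem.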
 
Hello,
The name of the attached file is Transaccion_202207271553175701_8000044177100.tgz, and its content is Transaccion_202207271553175701_8000044177100.tar.
The content of the file Transaccion_202207271553175701_8000044177100.tar is Transaccion_202207271553175701_8000044177100.exe (virus).
Best regards,
I don't think so - but you can try this as well

please provide the information I requested:
* `file attachment.tgz`
* `tar -xzf attachment.tgz` (unpacks the tarball)
* `file <contents of the .tgz>`
I have detected the same behavior too. It was not given proper follow-up, nor was a solution provided. Almost a year and a half ago. PMG 8.1.6.