Filtering email with attachments?



ian
08-21-2003, 04:09 AM
Hi,

Recently, there's been a large increase (100s every day) in the number of junk emails I receive with PIF and SCR file attachments.

Since I never expect to be sent those files in normal circumstances (they're obviously viruses), I've set my email reader to trash any email received with those attachments. But the email reader has to download the email before it filters it, and I'd rather not download the email at all... so I was wondering if there's some way to do that filtering/trashing on the Westhost server side of things?

Thanks,
Ian.

FZ
08-21-2003, 08:05 AM
I have the same problem. I've received more than 2000 (literally!) in little over 3 days. However, there is a short term solution that I have implemented which saved me from downloading about 200MB of virii... Procmail. If you haven't already had a look at it, check out this post: http://forums.westhost.com/phpBB2/viewtopic.php?t=151#538 It should get you set up. Basically, you can block these particular messages by subject. I only seem to have 3 or 4 variants ("Thank you!", "Wicked Screensaver", "Your Application", ...) so it is easy for me to send those straight to a folder in my home/username/mail directory which I can glance through with Pine (through SSH) at the end of the day instead of having to download them.

Okay, so now the long term solution? An anti-virus or something similar to weed out the bad e-mails automatically and reliably. I have not tried it, but I have heard great things about clamav - http://clamav.elektrapro.com/ and Sanitizer - http://www.linux-mag.com/2001-08/guru_03.html The problem here would be, though, the time required to sit and configure them, not to mention installing them and actually getting them working on your account! I think you'd have to wait for WestHost 2.0 before you could even try...

Good luck. If you can't figure out Procmail, let me know and I'll post what I have in mine that stops the junk (including returned mail supposedly because you sent the virus - which you didn't because the **** thing spoofs you in the From: header).

ian
08-21-2003, 11:47 AM
Sounds promising. If you can post your working config, that'd be great. Thanks!

FZ
08-21-2003, 01:00 PM
Ian,

Here is what is in my .procmailrc (only the relevant bits here). I'm assuming you understood how to implement it after reading my detailed post...



# Search path for programs run from recipes; replace "username" with your
# WestHost username.
PATH=/usr/local/bin:/bin:/usr/bin:/home/username/bin
MAILDIR=$HOME/mail
LOGFILE=$HOME/procmail.log
#VERBOSE=yes

# Forged mail "from" your own admin address carrying the viral attachments.
# Use ":0" rather than ":0:" here: /dev/null needs (and can get) no lockfile.
:0
* ^From: admin@your.domain
/dev/null

# Mail to the unfiltered@ address is delivered untouched; everything else
# passes through the rules inside the braces.
:0
* ! ^To.*unfiltered@your.domain
{
# Bounces and "virus found" notices generated because the worm spoofs your
# From: address, plus anything whose Message-Id claims to be from your own
# server.
:0:
* ^Subject.*Undeliver(ed|able) ((e)?mail|message)|^Subject.*returned (mail|message)|^Subject.*mail delivery|^Subject.*mail (delivery|system)|^Subject.*delivery ((status)? notification|failure)|^Subject.*failure notice|^Subject.*daemon|^Subject.*(virus found|found virus|virus detected|detected a virus|virus alert|failed to clean virus|unrepairable|viruses|virus in your mail|network associates webshield|potentially unsafe content)|\
^Message-Id.*@westhost35
Virus-Epidemic

# Mail SpamAssassin flagged, or with headers that mark it as likely spam.
:0:
* ^X-Spam-Flag: YES|^To.*Undisclosed|^To.*@westhost35|^From.*@westhost35
Spam

# Mail not addressed to your domain at all. A "!" only negates a condition
# when it starts the condition line, so this cannot sit inside the
# alternation above and gets its own recipe.
:0:
* ! ^To.*@your.domain
Spam

# Known worm subjects (Klez, Sobig, ...) and senders; add variants as they
# turn up.
:0:
* ^Subject: A (very|special)? ( )?(powful|humour|funny|nice|new|excite|good) (game|tool|website|web site)$|\
^Subject: (document.write|frame(spacing|border|margin)|background|screensaver|marginheight|cell(spacing|padding)|cleartimeout|scrolling|onmouse|my events|nedstat|google)|\
^Subject: (have a (funny|new|excite|good|humour)|happy) assumption$|\
^Subject: BtVS and Angel Shippers Site$|\
^Subject: (Re: )?Thank you!$|\
^Subject: (Re: )?Wicked Screensaver$|\
^Subject: Dominoes$|\
^Subject: (Re: )?(Re: )?(My )?(details|approved)$|\
^Subject: A (WinXP|IE 6.0) patch$|\
^Subject: (Re: )?Re: (My |your |That )?(Application|Movie)$|\
^Subject: Introduction on ADSL$|\
^Subject.*Worm Klez.E Immunity|\
^Subject.*removal tools|\
^Subject: leftmargin$|\
^Subject: please try again$|\
^Subject.*so cool a flash|\
^Subject.*be friends$|\
^Subject.*Instant message|\
^Subject: 2001, 2002 phpBB Group$|\
^Subject: H(i|ello),(fayez|honey)$|\
^Subject: fayez,some questions$|\
^Subject: Some questions$|\
^Subject: How are you$|\
^Subject.*meeting notice|\
^Subject.*darling|\
^Subject: (hi )?congratulations$|\
^Subject.*garden of eden|\
^Subject: your password$|\
^Subject.*eager to see you|\
^Subject.*sos|\
^Subject.*hometown|\
^Subject.*rights reserved$|\
^Subject.*spice girl|\
^Subject.*Japanese|\
^Subject.*klik|\
^Subject: LANGUAGE$|\
^Subject: Questionnaire$|\
^Subject.*my beautiful girl friend|\
^From.*(Dispatch@McAfee.com|gilliansl)
Virii
}

# Anything that got this far is delivered normally.
:0:
${DEFAULT}


Where username should be replaced by your WestHost username in each case, your.domain with your domain name.

Just a quick explanation of the above code:

I frequently get the "admin@domain", "subject: your account" e-mails (i.e. with the viral attachments), and since the only person that can legitimately send me e-mail from that address is me, I know to send it straight to trash.

I've set up a couple of addresses that are not checked against any rules at all - addresses I know that never receive any junk or virii because they are not published on the net. For example, I have a special address that I use for WestHost...

Right, the next chunk of code... This is the one that does most of the stopping. Since these **** virii spoof my address as a from: I get about 50 "mail delivery failed because your e-mail contained a virus" messages a day. So, I'm filtering them. Up until yesterday, I was only filtering ones NOT from MAILER-DAEMON@westhost... (which would be the only address that sends legit mail delivery notifications), but the friggin virii now spoof this address too (great!). My point is that all your undelivered mail messages, be it legit or otherwise will be sent to the Virus-Epidemic mailbox (viewable by launching pine from SSH).

The next chunk of code weeds out probable spam. I've set my SpamAssassin filters to a very low tolerance level (so sometimes legit mail is marked as spam). So now, I only get about 5 spam e-mails a week (down from 60/day a little over a month ago). Mail marked as spam (or that has headers indicating it is likely spam) is moved to Spam. I take a glance at it once or twice daily before I delete it permanently.

The huge block of code is what blocks most (but not all) of the Worm.Klez/Sobig/etc. e-mails (by subject). The list is not comprehensive, but easy to add to. I've been using it for about 45 days and not once has it matched on legit mail (because the subjects are always the same, and are not likely "real" subjects).

The last bit is just telling procmail to deliver all other messages (i.e. seemingly legit mail) to your "default" location.

I hope spammers don't use this info to bypass my mail filters now ;)

Let me know how it goes. If you need any other help, just shout.

FZ
08-21-2003, 01:56 PM
Just a correction or two:

westhost35 is the WestHost server my account is on. So replace all occurrences of it with the server your account is on.

Virii and Virus-Epidemic are kind of redundant... You could just use one mailbox (and merge the two rule "sets"), but I chose to make the epidemic box so that when the virus cools down I can remove its conditions (and therefore un-blacklist the real mailer-daemon). I also did it because Virii gets about 10 mails a day, while the -epidemic one gets a few hundred (easier to delete...) a day.

Finally, "fayez" is the part before the @ in my e-mail address (as extracted by spammers and virii).

ian
08-21-2003, 02:33 PM
I'm unable to get procmail to work. This is what I put in .procmailrc as a little test...


MAILDIR=$HOME/mail
LOGFILE=$HOME/procmail.log
#VERBOSE=yes

:0
* ^Subject:.*test
/dev/null

I sent myself a message with test in the subject, and I received it :(

The .procmailrc file is in my home directory, and I chmod'd it to 644. Is there something else I'm forgetting to do?

Cheers,
Ian.

FZ
08-21-2003, 02:53 PM
Hmm, it never works first time :x

Did you upload the file in ASCII mode? Are you sure you don't have any characters before the .? It has to be .procmailrc (nothing before the . - just a file extension, no "name").

Try removing the # from the 3rd line, and then take a look at procmail.log to see what it says... If it isn't created, there is either an error in your procmail file, you didn't upload it properly or permissions are incorrect...

ian
08-21-2003, 03:14 PM
Yep, all that looks correct...


west18:~$ ls -la
...
-rw-r--r-- 1 userx groupx 90 Aug 21 16:02 .procmailrc
...
west18:~$ cat .procmailrc
MAILDIR=$HOME/mail
LOGFILE=$HOME/procmail.log
VERBOSE=yes

:0
* ^Subject:.*test
/dev/null


Even after uncommenting the "VERBOSE" line, I still get no logfile (it should be in the home dir?), so I guess that means procmail isn't even being invoked?

Could it be because I'm not on the newfangled "Westhost 2" system? Are you?

procmail is installed though...


west18:~$ procmail -v
procmail v3.22 2001/09/10
Copyright (c) 1990-2001, Stephen R. van den Berg <srb@cuci.nl>
Copyright (c) 1997-2001, Philip A. Guenther <guenther@sendmail.com>

Submit questions/answers to the procmail-related mailinglist by sending to:
<procmail-users@procmail.org>

And of course, subscription and information requests for this list to:
<procmail-users-request@procmail.org>

Locking strategies: dotlocking, fcntl(), lockf(), flock()
Default rcfile: $HOME/.procmailrc

FZ
08-21-2003, 03:39 PM
*sigh* That just plain sucks. Maybe you should try WestHost support. And no, I am not on 2.0 as yet. I think someone else was having trouble with procmail as well (also not on 2.0, and on a different server to mine). He could only get it working if he sent mail "internally" i.e. using the "mail" command in SSH... You should give it a go and see. Also, try "echo $HOME" at the prompt to make sure that's fine. Lastly, does the mail directory exist?

Oh, and maybe if you added a second colon after the :0, and added the default code block at the end (probably won't work, but you might as well try it :))

ian
08-21-2003, 04:32 PM
Yep, $HOME is fine, and the "mail" dir exists. Unfortunately, adding the ":" and "$DEFAULT" stuff didn't help. I also tried creating a .forward file, as specified in the procmail FAQ, but that didn't help either.

Just a wild guess, but maybe the redirects are stopping procmail from being invoked? Do you have a .redirect file, or do you have all that stuff in the .procmailrc?

Testing procmail like this...


procmail -m $HOME/.procmailrc <testmessage

...works fine, which suggests that the .procmailrc file is fine, and the problem is indeed that procmail is just not being invoked when email is received.

It was stated in another post here that Westhost don't support procmail, so I don't suppose I can expect them to help with this.

This is really starting to do my head in now :(

Thanks for your help anyway :)

ian
08-21-2003, 04:47 PM
I've just noticed that there's an /etc/procmailrc file on my server (westhost18). Do you have that on your server too?

Btw, it seems to include pretty much the exact filter I was looking for...


:0
* ^Content-Type: MULTIPART/MIXED
{
:0B
*^Content-Disposition: (attachment|inline);
*filename=\/".*\.(bat|bif|exe|pif|com|vbs|cpl|scr)"
/dev/null
}

Now if only I could get procmail to work :D

Also, from the procmail man page...


If no rcfiles and no -p have been specified on the command line, procmail will, prior to reading $HOME/.procmailrc, interpret commands from /etc/procmailrc (if present). Care must be taken when creating /etc/procmailrc, because, if circumstances permit, it will be executed with root privileges (contrary to the $HOME/.procmailrc file of course).

So I guess procmail ain't working (when email is received) on this server, as if it was, nobody would be receiving any executable attachments. Just as well it's not working then!

ian
08-22-2003, 06:00 AM
Just a wild guess, but maybe the redirects are stopping procmail from being invoked? Do you have a .redirect file, or do you have all that stuff in the .procmailrc?
I've tried removing the .redirect file now, and still procmail was not being invoked... so that's not it :(

ian
08-22-2003, 07:45 AM
I've got the procmail stuff working at the server that I forward my email to... so getting it working on Westhost isn't so important now :)

FZ
08-22-2003, 07:22 PM
Ian,

I don't think procmail would work on e-mail that is being forwarded (.redirect) - i.e. if you forward test@domain to test@anotherdomain, it would not work, but if you didn't forward the former, it should work. Did you try sending mail "internally" using the 'mail' command (SSH) (or try sending the e-mail to yourwesthostusername@westhost18.westhost.net)? Anyway, I still think you should contact WestHost - they don't support Procmail in terms of your OWN files and the errors you get, but they should at least support/verify that it is working properly on your server. And yes, I do have /etc/... I think WestHost recently added the bit to remove e-mail with dangerous attachments as I seem to have stopped receiving e-mails with them! Even so, it is still useful and you could use it on your $HOME/.procmailrc too. Anyway, at least you got it working where you forward your mail to - did you manage to set it up properly and are you able to successfully block the junk?

ian
08-23-2003, 07:39 AM
I don't think procmail would work on e-mail that is being forwarded (.redirect) - i.e. if you forward test@domain to test@anotherdomain, it would not work, but if you didn't forward the former, it should work.
I tried removing the .redirect file, but the email was still forwarded to my default email address, and procmail was not being invoked. Do you have a .redirect file?


Did you try sending mail "internally" using the 'mail' command (SSH) (or try sending the e-mail to yourwesthostusername@westhost18.westhost.net)?
Yep, but still procmail was apparently not invoked - I received the email that should've been trashed, and there was no procmail.log file created.


Anyway, I still think you should contact WestHost - they don't support Procmail in terms of your OWN files and the errors you get, but they should at least support/verify that it is working properly on your server.
Yep, I did report it as a last resort, after trying all I could think of, and got this response: "It appears that procmail is running just fine. I will consult one of the network admins about it when they come in."

I don't think it is working properly, as when I put the same .procmailrc file on the other server, it worked fine. Guess I'll just have to wait and see what the network admin says when they come in.


And yes, I do have /etc/... I think WestHost recently added the bit to remove e-mail with dangerous attachments as I seem to have stopped receiving e-mails with them!
hmm... I hope that doesn't take effect on all emails without the user being able to override it - I want to receive EXE files, just not files that are obviously viruses.


Even so, it is still useful and you could use it on your $HOME/.procmailrc too.
Yep - less wasted bandwidth has got to be good :)


Anyway, at least you got it working where you forward your mail to - did you manage to set it up properly and are you able to successfully block the junk?
Yes, this is working perfectly for me (haven't received a single virus attachment since)...


# Only multipart messages carry attachments. procmail matches
# case-insensitively by default, so this also matches multipart/mixed.
:0
* ^Content-Type: MULTIPART/MIXED
{
# B: test the conditions against the body, where the MIME part headers
# live. \/ stores the matched filename in $MATCH.
:0B
* ^Content-Disposition: (attachment|inline);
* filename=\/".*\.(pif|scr)"
/dev/null
}
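
The /etc/procmailrc recipe quoted earlier in the thread, and the trimmed PIF/SCR version in this post, both work by running regexes over the raw body text rather than parsing the MIME structure. The following is an added example of mine, not code from the thread, from WestHost or from procmail: it emulates those exact conditions in Python with procmail's case-insensitive, line-anchored matching, and runs them beside a MIME-aware check built on the standard library's email package, over a few constructed sample messages (the addresses, subjects and filenames are placeholders). It shows where the two agree and where the regex version lets a blocked extension through: an unquoted filename=, or a filename carried only in the Content-Type name= parameter together with a bare "Content-Disposition: inline".

```python
"""Attachment blocklist: the thread's procmail recipe emulated, next to a
MIME-aware check. Added example; not part of the original thread."""
import email
import re
from email import policy

# Extensions listed in the /etc/procmailrc recipe quoted in the thread.
BLOCKED_EXTENSIONS = {"bat", "bif", "exe", "pif", "com", "vbs", "cpl", "scr"}
_EXT_ALT = "|".join(sorted(BLOCKED_EXTENSIONS)).encode()

# procmail regexes are case-insensitive unless the D flag is set, and ^ matches
# at the start of any line, so re.IGNORECASE | re.MULTILINE reproduces them.
_HEADER_COND = re.compile(rb"^Content-Type: multipart/mixed", re.I | re.M)
_DISP_COND = re.compile(rb"^Content-Disposition: (attachment|inline);", re.I | re.M)
_FILENAME_COND = re.compile(rb'filename=".*\.(' + _EXT_ALT + rb')"', re.I)


def procmail_recipe_matches(raw: bytes) -> bool:
    """Emulate the recipe: one condition on the headers, then two B-flag
    conditions on the body that must both hold for the mail to be dropped."""
    head, _sep, body = raw.partition(b"\n\n")
    return bool(_HEADER_COND.search(head)
                and _DISP_COND.search(body)
                and _FILENAME_COND.search(body))


def blocked_attachments(raw: bytes) -> list:
    """MIME-aware check: parse the message and return the filename of every leaf
    part whose extension is on the blocklist. get_filename() reads the
    Content-Disposition filename and falls back to the Content-Type name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name or "." not in name:
            continue
        if name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_message(attachment_headers: list) -> bytes:
    """Constructed sample: a two-part multipart/mixed mail whose second part
    carries the given raw header lines. Addresses are placeholders."""
    lines = [
        "From: someone@example.invalid",
        "To: ian@example.invalid",
        "Subject: Thank you!",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="bnd"',
        "",
        "--bnd",
        "Content-Type: text/plain",
        "",
        "Please see the attached file.",
        "--bnd",
        *attachment_headers,
        "Content-Transfer-Encoding: base64",
        "",
        "TVqQAAMAAAAEAAAA//8AAA==",
        "--bnd--",
        "",
    ]
    return "\n".join(lines).encode()


SAMPLES = {
    # The shape the recipe was written for: both checks drop it.
    "quoted_pif": build_message([
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="thank_you.pif"',
    ]),
    # Case-insensitive matching also catches upper-case and double extensions.
    "upper_double_ext": build_message([
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="PHOTO.JPG.SCR"',
    ]),
    # Unquoted filename: the literal filename=" in the recipe never matches.
    "unquoted_scr": build_message([
        "Content-Type: application/octet-stream",
        "Content-Disposition: attachment; filename=wicked.scr",
    ]),
    # Name only in Content-Type, bare "inline" disposition without a ';':
    # neither body condition of the recipe holds, but it is still an .exe.
    "name_param_only": build_message([
        'Content-Type: application/octet-stream; name="your_details.exe"',
        "Content-Disposition: inline",
    ]),
    # Benign archive: nothing fires, which is what the thread wanted for ZIPs.
    "zip": build_message([
        "Content-Type: application/zip",
        'Content-Disposition: attachment; filename="photos.zip"',
    ]),
}


def compare_all() -> dict:
    """Return {sample: (recipe_drops_it, parser_blocked_names)} for all samples."""
    return {k: (procmail_recipe_matches(v), blocked_attachments(v))
            for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (dropped, names) in compare_all().items():
        print(f"{name:18s} recipe={'drop' if dropped else 'pass':4s} parser={names}")
```

Run it directly to print the comparison. The unquoted and name=-only samples are the practical point: the sender controls those header lines, so a server-side blocklist should decide on the parsed filename of every part rather than on a literal `filename="` appearing in the body text.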

FZ
08-23-2003, 08:06 AM
About the .redirect, what I meant was if you are forwarding mail FROM your WestHost account TO another host, procmail will most likely not process that mail which is being forwarded. In other words, for it to work, you'd have to be sending e-mail to a WestHost account POP3 and not to an address you are forwarding to your other account. If, even after removing your .redirect, your mail was still being forwarded, then you should use the Site Manager to remove that forwarding entry (instead of removing .redirect) - also, I think WestHost says that you must wait about 15 minutes for the change to become effective...

I take back what I said about the default procmailrc in /etc/ being active - it isn't active because I am still receiving attachments it is supposed to be removing. However, I copied it across to my own procmailrc and it works like a charm.

ian
08-23-2003, 10:53 AM
You're right about the delay - I left it a while after removing the redirects, and now procmail is being invoked! :)

But the problem is that the /etc/procmailrc is taking effect - I've tried sending myself several EXE attachments, and none have got through. Other attachments (eg. ZIP) have come through. Have you tried sending yourself an EXE file?

FZ
08-23-2003, 11:27 AM
You're right. I don't receive .exe files. I think WestHost put this condition in very recently in an attempt to stop the onslaught of viral attachments (seems to be working, too). I don't know if any of those e-mails actually send .exe's though, I didn't think they did (only .pif, .scr?) Anyway, it's understandable to block attachments of this sort... If you are expecting someone to mail you .exe's you should ask them to zip them up - that's good practice anyway since a lot of other mail servers disallow .exe's and say they should be zipped instead.

So now you've got procmail working (on your WestHost account) 100% then?

ian
08-23-2003, 11:53 AM
I've got it working now! :D

In /etc/procmailrc, you'll find this line...

SWITCHRC=$HOME/.nospam
So I renamed my .procmailrc file to .nospam and now it gets used before the rest of the /etc/procmailrc file.

I think it'd be a good idea for Westhost to change that ".nospam" to ".procmailrc" though, so others don't run into the problems that I have. Also, if Westhost are going to filter out EXE files, then they should at least send back a notification to the sender (as others I've seen filter EXE files do) - otherwise the sender will assume it's been received when it hasn't.

Anyway, thanks again for your help!

FZ
08-23-2003, 12:30 PM
Glad I could help. I'm happy you finally got it working, too... Procmail really is very, very cool! I did not notice that .nospam thing - well spotted!

You could always easily set up an auto-responder within Procmail yourself if you decide to block a certain file attachment telling the person what happened (just don't do it for .bat, .pif or .scr ;)). Take a look at some of the Procmail tuts on the net or "man procmailex" ;)

ian
08-23-2003, 12:48 PM
You could always easily set up an auto-responder within Procmail yourself if you decide to block a certain file attachment telling the person what happened (just don't do it for .bat, .pif or .scr ;)).
No need - I want to receive all but PIF/SCR attachments... and that's what is happening now :D