Blocking .exe email attachments

#1 Mon, 04/20/2009 - 09:42
jaldeguer


I have just completed a Virtualmin GPL install on a newly installed Debian Lenny, using the install script. Both virus and spam filtering are enabled under the features and plugins. I sent a test e-mail using Usermin to one of the local accounts with an attached .exe file. The e-mail got delivered to the inbox with the .exe attachment. I assume that since this wasn't a real virus, ClamAV did not quarantine the e-mail, unlike other e-mail content filters, which quarantine based on the file extensions you want blocked. Is my assumption correct?

Mon, 04/20/2009 - 15:17
andreychek

Howdy,

ClamAV by itself doesn't block files by their extension, it's looking for specific kinds of viruses and trojans.

I've never tried to configure Clam to block files based on their extensions, though it might be simpler to do that from within Postfix using the mime header checks or similar.

However, if you're just concerned about seeing that it's working, you could try sending the eicar test virus, which is harmless, but Clam would still stop it:

http://www.eicar.org/anti_virus_test_file.htm

Sun, 06/07/2009 - 07:52 (Reply to #2)
sgrayban

You can use /etc/procmailrc to do this sitewide.

Postfix:

Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:

[code:1]
# This is a pcre table (the /x flag is PCRE-only), so main.cf needs e.g.:
#   mime_header_checks = pcre:/etc/postfix/mime_header_checks
# Continuation lines must start with whitespace, otherwise Postfix reads
# each of them as a new, separate entry.
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
  bat|exe|scr))(\?=)?"?\s*(;|$)/x
    REJECT 598 Attachment name "$2" may not end with ".$3"
[/code:1]

(this example filters .bat, .exe and .scr, see references below for a list of other extensions you might want to consider blocking)

Procmail:

[code:1]
# Sitewide rule for /etc/procmailrc. The B flag is required: attachment
# headers live inside the MIME parts in the body, not in the top-level
# headers that procmail searches by default. Procmail's regex engine has
# no \s, so optional whitespace is written as a literal [ ]* class.
:0 B
* ^Content-(Disposition|Type).*name[ ]*=[ ]*"?(.*\.(bat|exe|scr))(\?=)?"?[ ]*(;|$)
/dev/null
[/code:1]
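
To see what the Postfix rule above actually catches before relying on it, here is an added Python check (example code written for this page, not from the thread, Virtualmin or Postfix). It runs the same pattern over constructed Content-Disposition lines and compares the result with a parser-based check using Python's standard email module. The point it shows: the rule only fires on a literal `name=`, so the RFC 2231 forms `filename*=` and `filename*0=`/`filename*1=`, and an RFC 2047 encoded word whose dot is Q-encoded, carry the same invoice.exe past it, while the MIME parser resolves all of them. The extension list, function names and sample messages are assumptions made for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Extensions the forum rule blocks (the Postfix header_checks(5) example
# lists many more); assumed for this example.
BLOCKED_EXTS = ("bat", "exe", "scr")

# The forum's Postfix rule on one line. Postfix pcre tables match
# case-insensitively by default, hence re.IGNORECASE; the /x flag only
# served to split the pattern over several lines in the table file.
HEADER_RULE = re.compile(
    r'^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)',
    re.IGNORECASE,
)


def header_rule_hit(header_line):
    """Return ($2, $3) as Postfix would expand them if the rule matches this
    MIME header line, else None."""
    m = HEADER_RULE.search(header_line)
    return (m.group(2), m.group(3)) if m else None


def decode_name(name):
    """Decode RFC 2047 encoded words that some mailers put inside filename
    parameters (the reason the rule has (\\?=)? before the closing quote)."""
    return str(make_header(decode_header(name)))


def blocked_attachments(raw_message):
    """Parse the message and return the names of attachments with a blocked
    extension. get_filename() resolves the RFC 2231 'filename*=' and
    'filename*0=' forms that a line-oriented regex cannot see."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        name = decode_name(name)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTS:
            hits.append(name)
    return hits


def sample_message(disposition_header):
    """Constructed two-part test message (not a real capture) wrapping one
    Content-Disposition header line; the attachment body is dummy base64."""
    return (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        "Subject: test attachment\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\n'
        "\n"
        "--XYZ\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached\n"
        "--XYZ\n"
        "Content-Type: application/octet-stream\n"
        + disposition_header + "\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
        "--XYZ--\n"
    )


# Constructed header lines: the first two are what the rule was written for,
# the last three are legal encodings of the same file name that it misses.
CASES = {
    "plain": 'Content-Disposition: attachment; filename="invoice.exe"',
    "rfc2047": 'Content-Disposition: attachment; filename="=?utf-8?q?invoice.exe?="',
    "rfc2047-encoded-dot": 'Content-Disposition: attachment; filename="=?utf-8?q?invoice=2Eexe?="',
    "rfc2231": "Content-Disposition: attachment; filename*=UTF-8''invoice.exe",
    "rfc2231-continued": 'Content-Disposition: attachment; filename*0="invoice."; filename*1="exe"',
}


def compare(cases):
    """For each case: does the Postfix rule fire, and what does the MIME
    parser find in a message carrying that header line."""
    return {
        label: {
            "postfix_rule": header_rule_hit(line) is not None,
            "mime_parser": blocked_attachments(sample_message(line)),
        }
        for label, line in cases.items()
    }


if __name__ == "__main__":
    for label, result in compare(CASES).items():
        print(f"{label:22} rule={result['postfix_rule']!s:5} parser={result['mime_parser']}")
```

The parser-based check is what a milter or MIMEDefang-style filter does; a header regex in Postfix is cheap and catches the common cases, but anyone who wants the extension block to hold against a sender choosing the encoding needs the parsed filename, not the raw header line.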

Mon, 04/20/2009 - 18:54
Joe

If you just want extension-based blocking, then you could save yourself a ton of resources. ClamAV is an anti-virus filter. It is not an extension-based blacklist. It would be a bug if it blocked an email just because it contained an exe file. (Also note that the anti-virus configuration in Virtualmin defaults to throwing the email away if it contains a virus. It does not "defang" the email and then deliver it. There is software that does that, like MIMEDefang, but that's not suitable for the majority of non-technical users.)

--

Check out the forum guidelines!

Tue, 04/21/2009 - 13:05
jaldeguer

Thank you both for the detailed answer, that was what I needed to know!

Thu, 01/20/2011 - 16:08
ravendawson

As far as extension blocking is concerned, I'm just wondering if anybody has experience with TXD spam filtering. I was led to believe that TXD can block certain types of attachments, like the file extensions .exe and .scr, from getting through. But a lot of email accounts still receive quite a bit of spam, and one of them received an email that looks like a hoax/virus type and contains this .exe attachment. Can someone share any thoughts on this?
