Hi.
I'm using Zimbra Open Source edition 8.8.15 for about 3 months now. I noticed that some senders send us encrypted .zim or .pdf files that are automatically blocked by ClamAV with message: Heuristics.Encrypted.PDF FOUND.
I need to bypass this check for some senders. I tried to do this by following Zimbra wiki, but no success so far: https://wiki.zimbra.com/wiki/Improving_Anti-spam_system
Disabling "block encrypted archives" is not an option for me. Reading older forum posts hasn't been helpful either.
Has anyone managed to bypass ClamAV check for a specific sender?
bypass ClamAV check for a specific sender
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: bypass ClamAV check for a specific sender
viewtopic.php?f=15&t=64117#p295675
Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit.
HTH,
Jim
Re: bypass ClamAV check for a specific sender
It seems to me like your solution allows all encrypted PDFs. Is there a way to completely bypass the filters for a certain sender?
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: bypass ClamAV check for a specific sender
st3 wrote: It seems to me like your solution allows all encrypted PDFs. Is there a way to completely bypass the filters for a certain sender?
JDunphy wrote: viewtopic.php?f=15&t=64117#p295675
Create a meta rule with SA and negatively score a hit on that rule when it also matches your users and encrypted pdf hit.
As written the rule J_ENCR_PDF allows all encrypted PDFs to run through your spam scoring engine, which may or may not be scored to spam or discard. To give it a better chance of getting to the inbox, you would want to give it some negative points and perhaps lock it to a few trusted sources ... Being a little more specific to what I wrote above, here is a more specific solution.
Code:
# Requires: /opt/zimbra/common/sbin/amavisd this entry in @virus_name_to_spam_score_maps
# [ qr'^Heuristics\.Encrypted\.PDF' => 0.1 ], #JAD
header J_ENCR_PDF X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF 0.1
describe J_ENCR_PDF Allow encrypted pdf's through
header __TRUSTED_SENDER From =~ /someuser\@example\.com|anotheruser\@example\.net/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
describe st3_ENCRYPTED_PDF_SENDER Allow some users to send encrypted pdfs
Now the difficult question... Do you believe encrypted pdf's are harmful? If you do, then that J_ENCR_PDF rule would open that pathway for the entire system and all the users, as you noted.
To mitigate some of that, if you don't want to allow encrypted pdf's to land in the other users' inbox or spam folders, you could add this layer.
Code:
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs
You could also score that initial J_ENCR_PDF rule much higher than 0.1 and then compensate with a higher negative score for your trusted sender in the examples given here.
HTH,
Jim
If you haven't written a Spamassassin (SA) rule before, the wiki article below may help and has other starting links to help write SA rules for the Spamassassin project. Writing rules is pretty simple once you see a few and get the general concept of what is going on.
Ref: https://wiki.zimbra.com/wiki/JDunphy-SA-RuleWriting
Re: bypass ClamAV check for a specific sender
Still haven't figured it out.
Here is my config, /opt/zimbra/data/spamassassin/localrules/sauser.cf:
Code:
# Requires: /opt/zimbra/common/sbin/amavisd this entry in @virus_name_to_spam_score_maps
# [ qr'^Heuristics\.Encrypted\.PDF' => 0.1 ], #JAD
header J_ENCR_PDF X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF 0.1
describe J_ENCR_PDF Allow encrypted pdf's through
header __TRUSTED_SENDER From =~ /username\@mail\.domain\.com/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
describe st3_ENCRYPTED_PDF_SENDER Allow some users to send encrypted pdfs
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs
And my /opt/zimbra/common/sbin/amavisd:
Code:
@virus_name_to_spam_score_maps =
  (new_RE( # the order matters, first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
    [ qr'^Heuristics\.Encrypted\.PDF' => 0.1 ], #JAD
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
    # ... remaining entries of the stock map, unchanged
  ));
With this configuration I can send encrypted PDFs from any mail sender. But I need to allow incoming encrypted PDFs only from info@externaldomain.com
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: bypass ClamAV check for a specific sender
Without seeing these 2 headers... From and Return-Path, this is a guess. Also you don't say if the encrypted pdf was still virus scanned or didn't show up, nor if you restarted amavis. I do see one obvious problem when desk checking your rules.
You are scoring -7 points to your trusted sender (provided the From header matched) and then scored them 15 points because it was an encrypted PDF. Probably not what you had intended, as that could either score it to junk or with other rules to discard.
Code:
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs
You want something like this:
Code:
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)
score st3_SCORE_ENCR_PDF 15
describe st3_SCORE_ENCR_PDF discard encrypted pdfs
Restart amavis to see new rules change.
Code:
# su - zimbra
% zmamavisdctl restart
Hint: Run spamassassin in debug mode to test your rules; it saves you from having to restart amavis until you have your rules/logic working correctly. If you run spamassassin in debug mode, you could see if st3_ENCRYPTED_PDF_SENDER matched. Simple to do... save the email into a text file and then use the -D option and look at the output of the rules that matched. The wiki link shows how to run spamassassin in debug mode. If you don't have an email to use for testing... amavis will put its input files here: /opt/zimbra/data/amavisd/tmp/ when it breaks up all the attachments into separate files for clamav scanning. Each directory represents an email, with the original and any attachments under parts. The other way to get the original email to test against is to pull it from clamav if it has quarantined it. I have a script that gives that quarantined location/pathname provided you give it the internal reference code.
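To make the scoring argument in Jim's two posts above concrete (the first one introducing J_ENCR_PDF and the trusted-sender meta, this one fixing the -7/+15 overlap), here is an added Python model; it is not from the thread and not Zimbra, amavis or SpamAssassin code. It re-implements just enough of SA's `header` and `meta` rule syntax to evaluate the rules quoted in the thread, and it models amavis in a deliberately simplified way: a ClamAV hit whose name matches `@virus_name_to_spam_score_maps` is handed to SA as an `X-Amavis-AV-Status` header, anything else is blocked as a virus, and the map's own score contribution is ignored. The sender addresses, the spam threshold of 5 and the rule parser are assumptions for the illustration.

```python
"""Model of the amavis -> SpamAssassin path discussed in this thread.

Constructed example, not Zimbra, amavis or SpamAssassin code: it re-implements just
enough of SA's `header` and `meta` rule semantics to compare the two rule sets.
"""
import re

# Rule set as corrected in Jim's last post: the +15 meta excludes trusted senders.
RULES_FIXED = r"""
header J_ENCR_PDF X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF 0.1
header __TRUSTED_SENDER From =~ /someuser\@example\.com|anotheruser\@example\.net/i
meta st3_ENCRYPTED_PDF_SENDER ( __TRUSTED_SENDER && J_ENCR_PDF)
score st3_ENCRYPTED_PDF_SENDER -7
meta st3_SCORE_ENCR_PDF (J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)
score st3_SCORE_ENCR_PDF 15
"""

# The earlier version from the thread, where -7 and +15 both fire on a trusted sender.
RULES_BROKEN = RULES_FIXED.replace("(J_ENCR_PDF && !st3_ENCRYPTED_PDF_SENDER)", "(J_ENCR_PDF)")

# The single amavisd map entry quoted in the thread (regex -> score). Only the
# "hand to SA instead of blocking" decision is modelled; the 0.1 is not added here.
VIRUS_NAME_TO_SPAM_SCORE = [(re.compile(r"^Heuristics\.Encrypted\.PDF"), 0.1)]

REQUIRED_SCORE = 5.0  # assumed threshold, matching "required=5" in SA debug output

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+(?:m\{(.*)\}|/(.*)/)(\w*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)$")
KEYWORDS = {"and", "or", "not"}


def _eval_meta(expr, hits):
    """Evaluate an SA meta expression (&&, ||, !, parentheses) against rule hits."""
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    py = re.sub(r"[A-Za-z_]\w*",
                lambda m: m.group(0) if m.group(0) in KEYWORDS else str(hits.get(m.group(0), False)),
                py)
    return bool(eval(py, {"__builtins__": {}}, {}))


def evaluate(rules_text, headers):
    """Return (score, sorted names of rules that hit) for headers under the given rules."""
    header_rules, meta_rules, scores = {}, {}, {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            name, hdr, pat_brace, pat_slash, flags = m.groups()
            pattern = pat_brace if pat_brace is not None else pat_slash
            header_rules[name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif m := META_RE.match(line):
            meta_rules[m.group(1)] = m.group(2)
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    hits = {name: bool(rx.search(headers.get(hdr, "")))
            for name, (hdr, rx) in header_rules.items()}
    # Metas may reference other metas; a few passes reach a fixed point.
    for _ in range(len(meta_rules) + 1):
        for name, expr in meta_rules.items():
            hits[name] = _eval_meta(expr, hits)
    # Rules named __LIKE_THIS have no score entry and contribute nothing, as in SA.
    score = round(sum(scores.get(name, 0.0) for name, hit in hits.items() if hit), 3)
    return score, sorted(name for name, hit in hits.items() if hit)


def amavis_dispatch(rules_text, headers, av_name=None, map_enabled=True):
    """Simplified amavis: an AV hit whose name matches the map is passed to SA via
    X-Amavis-AV-Status; any other AV hit is blocked as a virus before SA runs."""
    if av_name:
        mapped = map_enabled and any(rx.match(av_name) for rx, _ in VIRUS_NAME_TO_SPAM_SCORE)
        if not mapped:
            return "blocked-as-virus", None
        headers = {**headers, "X-Amavis-AV-Status": f"infected: {av_name}"}
    score, _hits = evaluate(rules_text, headers)
    return ("spam" if score >= REQUIRED_SCORE else "clean"), score


# Constructed headers: a trusted and an untrusted sender, each attaching an encrypted PDF.
TRUSTED = {"From": "Some User <someuser@example.com>"}
UNTRUSTED = {"From": "Stranger <stranger@example.org>"}
AV_HIT = "Heuristics.Encrypted.PDF"

if __name__ == "__main__":
    for label, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        for who, hdrs in (("trusted", TRUSTED), ("untrusted", UNTRUSTED)):
            print(label, who, amavis_dispatch(rules, hdrs, AV_HIT))
    print("map entry removed:", amavis_dispatch(RULES_FIXED, TRUSTED, AV_HIT, map_enabled=False))
```

With the earlier rules the trusted sender lands at 0.1 - 7 + 15 = 8.1, over the threshold; with the `!st3_ENCRYPTED_PDF_SENDER` exclusion the same mail scores -6.9 while an untrusted sender still gets 15.1. The last call shows the other half of the picture: without the map entry in amavisd the message never reaches SpamAssassin at all, whatever the rules say.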
Re: bypass ClamAV check for a specific sender
It looks like it is still virus checked by ClamAV.
In SpamAssassin debug mode I'm getting a score of 1.107:
Code:
Feb 17 10:19:49.525 [29521] dbg: check: is spam? score=1.107 required=5
As I understand it, then it passes the check. Is that correct?
If I add
Code:
[ qr'^Heuristics\.Encrypted\.PDF' => 0.1 ], #JAD
to /opt/zimbra/common/sbin/amavisd, then encrypted PDFs work for all users. If I remove it, clamd.log says:
Code:
/opt/zimbra/data/amavisd/tmp/amavis-20200217T101624-26495-IM14NOIj/parts/p002: Heuristics.Encrypted.PDF FOUND
Other rules written in sauser.cf work, but they are simple rules that block a sender by its From address.