Banned extension delivered

pdifeo
Posts: 29
Joined: Sat Sep 13, 2014 3:13 am

Banned extension delivered

Postby pdifeo » Sun Jan 24, 2016 12:05 am

Hi,

Using the site at http://www.emailsecuritycheck.net, I have found a problem. I have not investigated deeply, but it is worrying that a dangerous attachment is delivered.

Three messages were delivered with .bat attachments.

Below is one of the complete messages. Does anyone have a solution?

Return-Path: securitycheck@emailsecuritycheck.net
Received: from <<ZIMBRA>> (LHLO <<ZIMBRA>>) (10.0.2.5)
by <<ZIMBRA>> with LMTP; Sat, 23 Jan 2016 23:16:04 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by <<ZIMBRA>> (Postfix) with ESMTP id 242711026439F5
for <admin@<<ZIMBRA>>>; Sat, 23 Jan 2016 23:16:04 +0100 (CET)
X-Virus-Scanned: amavisd-new at <<ZIMBRA>>
X-Spam-Flag: NO
X-Spam-Score: 0.529
X-Spam-Level:
X-Spam-Status: No, score=0.529 tagged_above=-10 required=6.6
tests=[BAYES_00=-1.9, INVALID_MSGID=0.568, PYZOR_CHECK=3.25,
RP_MATCHES_RCVD=-0.001, SPF_HELO_NEUTRAL=0.112, SPF_PASS=-1.5]
autolearn=no autolearn_force=no
Received: from <<ZIMBRA>> ([127.0.0.1])
by localhost (<<ZIMBRA>> [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id gZUSb0rJB23Q for <admin@<<ZIMBRA>>>;
Sat, 23 Jan 2016 23:16:03 +0100 (CET)
Received: from byteplant.com (outbound.emailsecuritycheck.net [149.202.232.193])
by <<ZIMBRA>> (Postfix) with ESMTPS id 388C41026CB518
for <admin@<<ZIMBRA>>>; Sat, 23 Jan 2016 23:16:03 +0100 (CET)
Received: from localhost ([127.0.0.1] helo=ovh)
by byteplant.com with smtp (Exim 4.80)
(envelope-from <securitycheck@emailsecuritycheck.net>)
id 1aN6Ts-0001Wg-4Z
for admin@<<ZIMBRA>>; Sat, 23 Jan 2016 23:16:28 +0100
Subject: Test mail 5/7 (ID=uxajslTselPa9nxHdkF4kQ==)
Date: Sat, 23 Jan 2016 23:16:28 +0100
Message-ID: emailsecuritycheck.net.5.uxajslTselPa9nxHdkF4kQ==
From: securitycheck@emailsecuritycheck.net
To: admin@<<ZIMBRA>>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=XXX

--XXX
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

You receive this email because you registered for the Byteplant Email Security Check.

This mail contains a harmless executable attachment named "attached.bat".

Even though it is harmless, it should have been removed (or replaced) by your
attachment blocker.
Find out more here on how to protect yourself against unwanted email attachments:
http://www.byteplant.com/cleanmail

--XXX
Content-Type: application/x-msdownload;
"name"=attached.bat
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
"filename"=attached.bat

echo Your system is vulnerable
pause

--XXX--



Fabio S. Schmidt
Advanced member
Posts: 183
Joined: Fri Apr 25, 2014 12:42 pm

Banned extension delivered

Postby Fabio S. Schmidt » Sun Jan 24, 2016 11:50 am

Hi,



Have you enabled the ".bat" extension blocking?
pdifeo
Posts: 29
Joined: Sat Sep 13, 2014 3:13 am

Banned extension delivered

Postby pdifeo » Sun Jan 24, 2016 12:31 pm

Sure. Otherwise I would not have talked about the problem.


If you read http://www.emailsecuritycheck.net/, this site makes 7 tests. Of these 7, some (3 messages) pass the blocking rule.


If you look more closely at the message, the MIME parameters "name" and "filename" are quoted.


In another message the MIME section is:


Content-Type: application/x-msdownload;
name=attached.()bat
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=attached.()bat


In another:


Content-Type: application/x-msdownload;
name=attached
.bat
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=attached
.bat



In the first two cases, the file in the web client is shown correctly and you can download it. In the last case, the filename is truncated to "attached_".


Very dangerous!


Regards 
Pasquale
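
A defender-side check for the three header variants Pasquale posted, added here as an example (it is not code from the thread, from Zimbra or from amavisd). It shows why a plain `name=<token>` / `filename=<token>` match on the raw headers misses all three variants, and how a check that first unfolds the headers, treats a quoted parameter name, tspecials or whitespace in an unquoted value as malformed, and tests the most permissive reading of the filename against the banned list catches them. The banned-extension list, the sample part headers and all function names are constructed for this example.

```python
import re

# Assumed policy list for the example; the real list is whatever the admin configured.
BANNED_EXTENSIONS = {"bat", "cmd", "com", "exe", "scr"}

# RFC 2045 tspecials: none of these may appear inside an unquoted parameter value.
TSPECIALS = '()<>@,;:\\"/[]?='
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z{|}~]+$")   # RFC 2045 token
QUOTED_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')                # RFC 822 quoted-string
# "; name=value" where the *name* may itself be (wrongly) quoted and an unquoted
# value runs up to the next ';', so embedded whitespace is kept for inspection.
PARAM_RE = re.compile(r';\s*("?)([A-Za-z0-9*_-]+)\1\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def unfold(raw_headers: str) -> str:
    """RFC 5322 unfolding: a line break followed by whitespace continues the previous line."""
    return re.sub(r'\r?\n[ \t]+', ' ', raw_headers)


def header_value(unfolded: str, field: str) -> str:
    """Value of the named header field in an already unfolded header block, or ''."""
    m = re.search(r'(?im)^' + re.escape(field) + r':[ \t]*(.*)$', unfolded)
    return m.group(1).strip() if m else ''


def filename_params(raw_part_headers: str):
    """Yield (param, value, name_was_quoted) for every name=/filename= parameter
    of the Content-Type and Content-Disposition fields of one MIME part."""
    unfolded = unfold(raw_part_headers)
    for field in ('Content-Type', 'Content-Disposition'):
        for m in PARAM_RE.finditer(header_value(unfolded, field)):
            pname = m.group(2).lower()
            if pname in ('name', 'filename'):
                yield pname, m.group(3).strip(), m.group(1) == '"'


def extension(filename: str) -> str:
    return filename.rsplit('.', 1)[1].lower() if '.' in filename else ''


def is_well_formed(value: str) -> bool:
    """Strict reading: the value must be exactly one token or one quoted-string."""
    return bool(TOKEN_RE.match(value) or QUOTED_RE.match(value))


def lenient_normalise(value: str) -> str:
    """Most permissive reading a client might give the value: drop quotes, whitespace and tspecials."""
    return ''.join(c for c in value if not c.isspace() and c not in TSPECIALS)


def naive_is_banned(raw_part_headers: str, banned=BANNED_EXTENSIONS) -> bool:
    """Token-only match on the raw, still folded headers: the kind of filter the thread describes."""
    found = re.findall(r'\b(?:name|filename)=([^;\s]+)', raw_part_headers)
    return any(extension(f.strip('"')) in banned for f in found)


def check_part(raw_part_headers: str, banned=BANNED_EXTENSIONS):
    """Return (blocked, reasons): block on any malformed filename parameter or on a
    banned extension under the most permissive reading of the value."""
    reasons = []
    for pname, pvalue, name_quoted in filename_params(raw_part_headers):
        if name_quoted:
            reasons.append(f'{pname}: parameter name is quoted')
        if not is_well_formed(pvalue):
            reasons.append(f'{pname}: value {pvalue!r} is not a valid token or quoted-string')
        ext = extension(lenient_normalise(pvalue))
        if ext in banned:
            reasons.append(f'{pname}: normalised extension .{ext} is banned')
    return bool(reasons), reasons


# Constructed MIME part headers mirroring the three variants posted in the thread,
# plus an ordinary banned attachment and a clean one for comparison.
VARIANT_QUOTED_NAME = ('Content-Type: application/x-msdownload;\n "name"=attached.bat\n'
                       'Content-Transfer-Encoding: 7bit\n'
                       'Content-Disposition: attachment;\n "filename"=attached.bat\n')
VARIANT_TSPECIALS = ('Content-Type: application/x-msdownload;\n name=attached.()bat\n'
                     'Content-Transfer-Encoding: 7bit\n'
                     'Content-Disposition: attachment;\n filename=attached.()bat\n')
VARIANT_FOLDED = ('Content-Type: application/x-msdownload;\n name=attached\n .bat\n'
                  'Content-Transfer-Encoding: 7bit\n'
                  'Content-Disposition: attachment;\n filename=attached\n .bat\n')
PLAIN_BAT = 'Content-Type: application/x-msdownload; name="attached.bat"\n'
CLEAN_PDF = ('Content-Type: application/pdf; name="report.pdf"\n'
             'Content-Disposition: attachment; filename="report.pdf"\n')

if __name__ == '__main__':
    samples = [('quoted name', VARIANT_QUOTED_NAME), ('tspecials', VARIANT_TSPECIALS),
               ('folded', VARIANT_FOLDED), ('plain .bat', PLAIN_BAT), ('clean pdf', CLEAN_PDF)]
    for label, part in samples:
        print(f'{label:12} naive={naive_is_banned(part)!s:5} defensive={check_part(part)}')
```

The naive matcher flags only the plain `.bat` case; `check_part` flags all four `.bat` variants and passes the PDF. The design choice worth noting is that a malformed parameter is itself grounds to block (or quarantine for review): the message has no legitimate reason to quote a parameter name, put `()` in an unquoted value, or fold a token across lines, and each of those is exactly what turns a filter's strict parse and a client's lenient parse into two different filenames.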


pdifeo
Posts: 29
Joined: Sat Sep 13, 2014 3:13 am

Banned extension delivered

Postby pdifeo » Mon Jan 25, 2016 11:29 pm

Perhaps my poor English does not convey the issue properly. Is it possible that no one cares about this issue?


