ZIP file attachment not recognized and therefore no file check performed
Alex Neuman van der Hans
alex at vidadigital.com.pa
Wed Oct 16 15:53:38 IST 2013
It's not the first time I've encountered problems with a similar setup.
Barracuda gateways mangle the e-mails in unpredictable, nonstandard ways - first of which being that all e-mail appears to come from the gateway, making IP-based blocklists using "fail2ban" difficult, just to give one example.
I'd personally rather depend on an open source system that *does* work, like MailScanner; I would question the usefulness of a Barracuda mail gateway that not only is useless against 0-day exploits, but also mangles e-mail in unpredictable ways "breaking" other lines of defense instead of working in tandem.
MailScanner does archiving, MCP, and a bunch of other things that Barracuda either doesn't do outright or charges through the nose to do.
Your lab may have a different configuration; it may be that you have a rule such as "accept e-mail from 192.168.x.y as is" and you're not really scanning the way you believe you are. Assume nothing.
You mention you've tried sending from GMail. Have you tried reproducing the actual, real environment the originals were sent in? GMail is probably "doing things right" and not sending "weird" e-mails. Perhaps you'd have to go as far as infecting a VM and seeing what it does.
Do you accept TNEF? It's also unpredictable enough to be used by some virus writers since only Microsoft understands it - and not 100% at that. Is the exploit TNEF-encoded?
Perhaps with some additional details regarding the nature of the "0-day" we can look further into it.
… and at least, with MailScanner, you get real help from real users, not boilerplate "it's not my problem" e-mails from a manufacturer that doesn't really care about your problems.
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
Follow @AlexNeuman on Twitter
On Oct 16, 2013, at 8:30 AM, Tony Larco <tlarco at polr.com> wrote:
> I apologize if this has been answered in another thread. I did spend quite some time poking through the archived mailing list articles, the MailScanner docs, and googling around, but we are just stumped and are hoping a MailScanner guru could enlighten us about this situation.
> First, we are running the following (from /usr/sbin/MailScanner -v) -
> This is SUSE Linux Enterprise Server 10 (x86_64)
> This is Perl version 5.008008 (5.8.8)
> This is MailScanner version 4.78.17
> Using F-Prot for AV scanning
> High level overview - We use Barracudas for our mail gateways that hand off to MailScanner before getting routed to the appropriate mail server for delivery. This solution has worked great for years, but last week something strange happened that we cannot figure out.
> On Friday we started receiving emails that contained some kind of 0-day malware. The Barracudas were blocking some of these emails, but based on score and not on the emails containing a virus. Later in the day Barracuda started recognizing the virus so the problem was mitigated at the mail gateway, but some did slip by the first line of defense and were passed to MailScanner.
> The attachment was a zipped up EXE file, but something was unique about these messages. We block ZIP and EXE files to most of our users, but our MailScanner instance was not acknowledging these emails contained a ZIP file and therefore not doing the "Filename Check". What is very interesting is when MailScanner delivered the email to an invalid recipient and it was bounced back to the sender, MailScanner detected the existence of a ZIP file and blocked it on the way out! But not on the way in! This is the heart of the issue... how can we determine why these messages were not interrogated while other (legit) zip files were being rejected at the same time?
> We observed these emails were encoded with windows-1251 encoding (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the attachment was simply "Content Type ;". Other than that, we did not see anything out of the ordinary with these emails.
> We tried to create a zip file of the same name as the malware and send it from gmail and the ZIP file was detected immediately by MailScanner, so we were not able to reproduce the problem strictly by name. Now that F-prot is detecting this, it's getting dropped for containing a virus, and we really cannot test further in our production environment. We took this into our lab, but we were not testing with the exact same version of MailScanner and we were not able to recreate the problem. In our minds, whether MailScanner could detect the virus or not, it should have detected the ZIP and/or EXE and rejected it for this reason alone.
> Any information about this issue would be greatly appreciated. Management is now questioning the usefulness of MailScanner versus some commercial offering, but I believe in FOSS. Thank you in advance for taking the time to read this post!
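As an added illustration of the failure mode Tony describes (this is not MailScanner's own code, which is Perl built on MIME-tools), the Python script below constructs a message carrying a ZIP in a MIME part whose Content-Type header is empty, then compares a check that trusts the declared filename and content type with one that sniffs the decoded payload for the ZIP signature and lists the archive members so filename rules can still run on them. The addresses, boundary and the harmless "evil.exe" member are hypothetical, and the header the original post saw is approximated as `Content-Type: ;`.

```python
import base64
import email
import io
import zipfile

# ZIP local-file, end-of-central-directory and spanned-archive signatures.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): a ZIP holding a harmless text file
    named 'evil.exe', attached in a part whose Content-Type header is empty,
    approximating the reported 'Content Type ;'. Addresses are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evil.exe", "placeholder text, not an executable")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
        "Subject: report\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
        "--XYZ\r\nContent-Type: text/plain; charset=windows-1251\r\n\r\n"
        "see attached\r\n"
        "--XYZ\r\nContent-Type: ;\r\nContent-Transfer-Encoding: base64\r\n\r\n"
        + b64 + "--XYZ--\r\n"
    ).encode("ascii")

def declared_attachments(msg):
    """Header-trusting check: a part counts only if it announces a filename or a
    ZIP content type. The empty Content-Type part parses as text/plain, no name."""
    found = []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        name, ctype = part.get_filename(), part.get_content_type()
        if name or ctype in ("application/zip", "application/x-zip-compressed"):
            found.append((name, ctype))
    return found

def sniffed_attachments(msg):
    """Content-sniffing check: decode each leaf part, test its first bytes for a
    ZIP signature, and list the archive members so filename rules can run."""
    found = []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ZIP_MAGICS):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                found.append(zf.namelist())
    return found

def parse_sample():
    # Default compat32 policy, which is also the most lenient about bad headers.
    return email.message_from_bytes(build_sample_message())
```

On the sample, `declared_attachments` returns nothing while `sniffed_attachments` returns `[['evil.exe']]`, which is the gap a filename rule keyed on declared metadata falls into.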