How to prevent members to attach executables (exe, bat, ...) to the emails sent to list
Hi,
I am trying to find a way for content filtering to remove executables from the emails sent to the list. I found some hints under: https://mailman.readthedocs.io/en/stable/build/lib/mailman/handlers/docs/fil...
but still not clear how to do it for all types of executables.
Best regards
Mohsen
On 9/30/20 9:25 AM, Mohsen Masoudfar wrote:
> Hi,
> I am trying to find a way for content filtering to remove executables from the emails sent to the list. I found some hints under: https://mailman.readthedocs.io/en/stable/build/lib/mailman/handlers/docs/fil...
> but still not clear how to do it for all types of executables.
There are four list settings that affect this. They are pass_types, pass_extensions, filter_types and filter_extensions. The pass_* settings specify message parts the list will accept while the filter_* settings specify message parts the list won't accept. The page at <https://mailman.readthedocs.io/en/stable/src/mailman/handlers/docs/filtering.html> only discusses filter_types and needs updating for the others.
Filtering by extension only works on message parts that have an associated file name. Thus, while you can add things like 'exe', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs' and 'cpl' to filter_extensions, it won't be completely effective.
A better approach is to use MIME types[1] and only allow those you want. For a discussion list, a reasonable set is what this list uses:
multipart
message/rfc822
text
application/pgp-signature
This will accept any multipart and message/rfc822 parts for further analysis and ultimately accept only text/* and application/pgp-signature elemental parts. If you want to accept images and pdfs, you can add
image
application/pdf
See <https://www.iana.org/assignments/media-types/media-types.xhtml> for a list of all registered MIME types. Note that these are all of the form
main_type/sub_type
and putting just
main_type
in *_types passes or filters all subtypes for that maintype.
[1] You can use both, e.g. filter_extensions to remove those you don't want and pass_types to accept the MIME types you do want.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Hi Mark, Thanks again for the helpful hint. It seems that I still miss something. I am running Mailman3.1.1. I ran the following on my test server. I am trying, for test purpose only, to filter PDF attachments.
First I just used the pass_type, assuming once this is set, everything else is filtered.
# mailman withlist testlist3@x.com
>>> m.pass_types = ['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
>>> commit()
>>> print(list(m.pass_types))
['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
This let PDF be sent by Mailman3. Well, I need to add filter_types too, so I did this:
>>> m.filter_types = ['application/pdf']
>>> commit()
>>> print(list(m.filter_types))
['application/pdf']
Mailman3 still distributes PDF files as attachment. What am I doing wrong?
These are the final settings:
>>> print(list(m.pass_types))
['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
>>> print(list(m.filter_types))
['application/pdf']
Thanks Mohsen
-----Original Message----- From: Mark Sapiro <mark@msapiro.net> Sent: Wednesday, September 30, 2020 1:07 PM To: mailman-users@mailman3.org Subject: [MM3-users] Re: How to prevent members to attach executables (exe, bat, ...) to the emails sent to list
On 10/1/20 3:23 PM, Mohsen Masoudfar wrote:
> Hi Mark, Thanks again for the helpful hint. It seems that I still miss something. I am running Mailman3.1.1. I ran the following on my test server. I am trying, for test purpose only, to filter PDF attachments.
> First I just used the pass_type, assuming once this is set, everything else is filtered.
That's how it should work.
> # mailman withlist testlist3@x.com
> >>> m.pass_types = ['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
> >>> commit()
> >>> print(list(m.pass_types))
> ['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
> This let PDF be sent by Mailman3. Well, I need to add filter_types too, so I did this:
It shouldn't unless the Content-Type: of the PDF part was text/* or application/pgp-signature.
> >>> m.filter_types = ['application/pdf']
> >>> commit()
> >>> print(list(m.filter_types))
> ['application/pdf']
This should allow ONLY the PDF and nothing else, not even the text/* message body parts.
> Mailman3 still distributes PDF files as attachment. What am I doing wrong?
> These are the final settings:
> >>> print(list(m.pass_types))
> ['multipart', 'message/rfc822', 'text', 'application/pgp-signature']
> >>> print(list(m.filter_types))
> ['application/pdf']
This is wrong. Set
m.filter_types = []
Look at the raw message you receive from the list. What is the Content-Type of the PDF part?
Actually, what's m.filter_content? I suspect it's False which means don't do any content filtering.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On 10/1/20 6:12 PM, Mark Sapiro wrote:
> >>> m.filter_types = ['application/pdf']
> >>> commit()
> >>> print(list(m.filter_types))
> ['application/pdf']
> This should allow ONLY the PDF and nothing else, not even the text/* message body parts.
Sorry, my statement above is wrong. That should also remove the pdf, but it's redundant given that 'application/pdf' is not in pass_types.
> Actually, what's m.filter_content? I suspect it's False which means don't do any content filtering.
I think this is the issue.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark Sapiro writes:
> Filtering by extension only works on message parts that have an associated file name. Thus, while you can add things like 'exe', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs' and 'cpl' to filter_extensions, it won't be completely effective.
> A better approach is to use MIME types[1] and only allow those you want. For a discussion list, a reasonable set is what this list uses:
I wouldn't say "better" if you're concerned about the executables being malware. There's a long history of concealing malware by giving it a MIME type different from what the extension implies, and there was at least one Windows exploit that used this technique to achieve automatic execution of malware simply by displaying the message.
Good morning Mark,
You were right, the parameter m.filter_content was set to False, I believe the default. I changed it to True and it worked as expected. Thanks again.
Mohsen
-----Original Message----- From: Stephen J. Turnbull <turnbull.stephen.fw@u.tsukuba.ac.jp> Sent: Friday, October 2, 2020 2:54 AM To: Mark Sapiro <mark@msapiro.net> Cc: mailman-users@mailman3.org Subject: [MM3-users] Re: How to prevent members to attach executables (exe, bat, ...) to the emails sent to list
Participants (3): Mark Sapiro, Mohsen Masoudfar, Stephen J. Turnbull
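Added example (not from the thread and not Mailman's own code): a simplified Python model of the rules discussed above, covering Mark's description of pass_types, filter_types and filter_extensions, the filter_content switch, and Stephen's point about a declared MIME type that disagrees with the file extension. The function names and the sample message are assumptions made for illustration, and the model ignores pass_extensions and container handling.

```python
from email.message import EmailMessage

PASS_TYPES = ["multipart", "message/rfc822", "text", "application/pgp-signature"]
FILTER_EXTENSIONS = ["exe", "bat", "cmd", "com", "pif", "scr", "vbs", "cpl"]

def type_matches(part, types):
    # A bare main type ("text") matches every subtype; "main/sub" matches exactly.
    return part.get_content_maintype() in types or part.get_content_type() in types

def extension(part):
    # None when the part carries no file name, so extension rules cannot apply.
    name = part.get_filename()
    return name.rsplit(".", 1)[1].lower() if name and "." in name else None

def surviving_parts(msg, filter_content, pass_types=(), filter_types=(),
                    filter_extensions=()):
    """Labels of the leaf parts this simplified model would deliver."""
    kept = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers are not modelled; only leaf parts are judged
        if filter_content and (
                type_matches(part, filter_types)
                or (pass_types and not type_matches(part, pass_types))
                or extension(part) in filter_extensions):
            continue
        kept.append(part.get_filename() or part.get_content_type())
    return kept

def build_sample():
    """Constructed message: body, a PDF, an unnamed binary, a .bat sent as text."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text.\n")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream")
    msg.add_attachment("echo hi\n", subtype="plain", filename="run.bat")
    return msg

if __name__ == "__main__":
    m = build_sample()
    print(surviving_parts(m, False, PASS_TYPES))                        # filtering off
    print(surviving_parts(m, True, PASS_TYPES))                         # types only
    print(surviving_parts(m, True, (), (), FILTER_EXTENSIONS))          # extensions only
    print(surviving_parts(m, True, PASS_TYPES, (), FILTER_EXTENSIONS))  # both
```

With types only, run.bat survives because its declared type is text/plain; with extensions only, the unnamed application/octet-stream part survives because there is no file name to test.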