We no longer offer ftp downloads. If there is a file you need referenced here, please contact me by email and I will get it to you.

Email attachment stripping

The number of viruses that attack windows systems is incredible. Virus scanning is costly, and can't guarantee 100% safety: if you get a virus before the scanners know about it, they will let it pass.

Most viruses come in the form of email attachments. While attachments are certainly important for some email, in other situations a company may not care to receive attachments at all; for example if they are only expecting text emails, any attachment is suspect. In such cases, stripping of attachments makes sense.

Here is my simple shell script attachment stripper. Some caveats are important:

1) It is not a real filter. I have cron run it every minute. There is a statistical chance that an attachment could get past it if the recipient's pop checks and downloads the email before a 60 second interval. To minimize this chance, users can set their email program to check for new mail no less than 15 or 20 minutes. That allows a bigger window of opportunity for the scanner to do its job. It would be much better if a user could just pipe incoming email through a script like this (that can be done using procmail).

It's also possible that a large attachment could be coming in and still be writing as this script runs on it (again, procmail would eliminate that). I've never seen that happen, and this has handled a LOT of email.

2) It doesn't check all the possible high risk attachments. But I think I have included all the common, wide-spread types. The full list is around 15-20 different file types.

3) It may use more resources than some admins would like if it runs every single minute of the day. I have tried to minimize resource use by only scanning email newer than the last check. That helped a bunch over the previous version which scanned the entire spool directory, and again, using procmail would mean it would only run as email was delivered.

4) I think the binary "/usr/bin/newer" may be an add-on to SCO. But I noticed it is standard on RH 6.2. I think there is an option of the "test" binary that can check if a file mod time is newer. Yup, just checked, it option "-nt".

5) It quarantines the entire contents of the recipient's mail spool. Which means an admin would have to look through the quarantine for important emails some times. In practice I have seen this need only rare cases, like emailed orders. Amazing how much junk is in email. A much better approach would be to only cripple or clip out the attachment, and leave the rest intact.

These are a some pitfalls. But I can personally testify I have seen it do a great job at trapping viruses in the last 8 months I have been running it! The only time one got through was before I added "eml" to the list of extensions.

I'll bet some wizards could vastly improve the script. Simple things, like figuring out how to use one grep command for all the file types might improve performance significantly (egrep can, of course, search for multiple patterns in one pass, and in Perl this would be even easier).

• Download SCO Version: emailvirus.sco
• Download Linux Version: emailvirus.linux

:
# SCO Unix version
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email user, admin
#
# currently checks for 6 file types: vbs, exe, bat, js, scr, eml
# add your own as you wish below
#

start_time=`date "+%y%m%d%H%M.%S"`
scan_time=`date "+%y%m%d %H:%M:%S"`
mailspool=/usr/spool/mail
admin="admin_email_address_here"
quarantinedir=/tmp/quarantine
# watch size of this log file, it logs scans and quarantines
logfile=/tmp/emv.dat

if [ -d $quarantinedir ] ; then
  qdir=ok
else
  mkdir $quarantinedir
fi

# use logfile to track last run, see if spool file is newer before
# checking, create it if it don't exist

if [ -f $logfile ] ; then
  emv=ok
else
  touch $logfile
fi


cd $mailspool

for i in `ls`
do
  if /usr/bin/newer $i $logfile ; then

    if [ -s $i ] ; then
      echo "scan\t"$i"\t"$scan_time >> $logfile
    fi

    risk=no

    # check for high-risk attachments
    # I just grep for word "name"
    fattach=`grep -i name $i`"xyzX"

    if echo $fattach | grep -i "\.vbs" > /dev/null ; then
      risk=yes
      vdesc="visual basic"
    fi

    if echo $fattach | grep -i "\.exe"  > /dev/null ; then
      risk=yes
      vdesc="executable"
    fi

    if echo $fattach | grep -i "\.js"  > /dev/null ; then
      risk=yes
      vdesc="javascript"
    fi

    if echo $fattach | grep -i "\.bat"  > /dev/null ; then
      risk=yes
      vdesc="batch file"
    fi

    if echo $fattach | grep -i "\.eml"  > /dev/null ; then
      risk=yes
      vdesc="MS eml"
    fi

    if echo $fattach | grep -i "\.scr"  > /dev/null ; then
      risk=yes
      vdesc="screen saver"
    fi

    if [ $risk = yes ] ; then
      qfile=/tmp/quarantine/$i.$$
      mv $i $qfile
      echo -e "  "$i": \nYour email was quarantined because it contained a
possible $vdesc virus. \n\nSee System Administrator for assistance. \n\nFile
quarantined: "$qfile | mail -s "QUARANTINED EMAIL - $i" $i
    echo "
~b $admin

$i:

Your email was quarantined because it contained a possible $vdesc.

See $admin for assistance.

File quarantined: "$qfile | mail -t -s "QUARANTINED EMAIL - $i" $i
      echo "QUARANTINE\t"$i"\t"$scan_time"\tfile\t"$qfile >> $logfile
    fi
fi
done

# revert logfile mod time back to when this process started
touch -t $start_time $logfile



# LINUX VERSION
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email a notice to user, admin
# scans and results logged to /tmp/emv.log - you might watch size of this

mailspool=3D/var/spool/mail
logfile=3D/tmp/emv.log
admin=3D"admin_email_address_here"

quarantinedir=3D/tmp/quarantine
start_time=3D`date "+%y%m%d%H%M.%S"`
scan_time=3D`date "+%y%m%d %H:%M:%S"`


if [ -d $quarantinedir ] ; then
  qdir=3Dok
else
  mkdir $quarantinedir 
fi

# use logfile to track last run, see if spool file is newer before
# checking, create it if it don't exist

if [ -f $logfile ] ; then
  emv=3Dok
else
  touch $logfile
fi

cd $mailspool

for i in `ls`
do
  if newer $i $logfile ; then
    echo $i" scanned: "$scan_time >> $logfile

    risk=3Dno
    vdesc=3D" "
  
    # check for common, high-risk attachments
    # by grepping for "name" to start with
    # gnu grep apparently requires the "-a"
    fattach=3D`grep -a -i name $i`"xyzX"
  
    if echo $fattach | grep  -i "\.vbs" > /dev/null ; then
      risk=3Dyes
      vdesc=3D"visual basic"
    fi
  
    if echo $fattach | grep  -i "\.exe"  > /dev/null ; then
      risk=3Dyes
      exe=3Dyes
      vdesc=3D"executable"
    fi
  
    if echo $fattach | grep  -i "\.js"  > /dev/null ; then
      risk=3Dyes
      js=3Dyes
      vdesc=3D"javascript"
    fi
  
    if echo $fattach | grep  -i "\.bat"  > /dev/null ; then
      risk=3Dyes
      bat=3Dyes
      vdesc=3D"batch file"
    fi
  
    if echo $fattach | grep  -i "\.eml"  > /dev/null ; then
      risk=3Dyes
      eml=3Dyes
      vdesc=3D"MS eml"
    fi
  
    if echo $fattach | grep  -i "\.scr"  > /dev/null ; then
      risk=3Dyes
      scr=3Dyes
      vdesc=3D"screen saver"
    fi

    if [ $risk =3D yes ] ; then
      qfile=3D$quarantinedir/$i.$$
      mv $i $qfile
      echo -e $i": \n\nYour email was quarantined because it contained a =
possible $vdesc virus. \n\nSee System Administrator for assistance. =
\n\nFile quarantined: "$qfile | mail -s "QUARANTINED EMAIL - $i" $i =
$admin
      echo "quarantine "$i" file: "$qfile "  "$scan_time >> $logfile
    fi
  fi
done

touch -t $start_time $logfile
 

Related procmail script: https://www.impsec.org/email-tools/procmail-security.html

Publish your articles, comments, book reviews or opinions here!

Got something to add? Send me email.

1 comment

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us