ASSP_AFC error - URI in PDF


ASSP_AFC error - URI in PDF

K Post
With AFC 4.52 and no exceptions to exe-bin, we've found some PDFs with web links in them to be erroneously blocked.

This seems to happen when the PDF is created with certain invoicing software which creates annotations to link text to the vendor's website.  Why they're doing this, I have no idea, but we can't change that - these are inbound PDFs.

I looked at one of the problem PDFs using a binary-capable text editor and saw a section like this:

18 0 obj
<<
/Type /Annot
/Subtype /Link
/Border [0 0 0]
/Rect [110 671 177 680]
/A << /Type /Action /S /URI /URI (http://example.com) >>
>>
endobj


If I remove that entire section, the file passes through ASSP filtering without issue.

If I create a sample PDF in Word and just have a link to a website, all is fine; the trouble seems specific to annotations with links in them.

For the time being, I've added the :URIPDF exception and the messages are getting through.

Do you think this is something that can be addressed?




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: ASSP_AFC error - URI in PDF

K Post
and while you're at it, could you change the error:
"not allowed URI in PDF file" 
to
"prohibited link in PDF file"
or something like that?  


Re: ASSP_AFC error - URI in PDF

Robert K Coffman Jr. -Info From Data Corp.
In reply to this post by K Post
I have people who receive HTML attachments from banks that include a bit
of javascript, and 4.52 is blocking those.  I'm at a loss as to how to
deal with these so that they can get through but malicious js still gets
blocked.

- Bob Coffman

On 5/23/2017 12:31 PM, K Post wrote:
> With AFC 4.52 and no exceptions to exe-bin, we've found some PDF's with
> web links in them to be erroneously blocked.



Re: ASSP_AFC error - URI in PDF

Thomas Eckardt/eck
In reply to this post by K Post
>/A << /Type /Action /S /URI /URI (http://example.com) >>

I'll try to fix this. The reason is that the detected file extension '.com' is the same as the domain.


Thomas




From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        23.05.2017 18:33
Subject:        [Assp-test] ASSP_AFC error - URI in PDF




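The false positive described in the reply above, as an added example that is not part of the original posts and is not ASSP's code: a check that takes whatever follows the last dot in a PDF URI action reads the domain's `.com` as a file extension, while a check that only looks at the last path segment does not. The function names and all sample objects after the first (which is copied from the report) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Extension alternation from the default block list quoted in this thread;
# the 'exe\-bin' and ':CSC' entries are switches, not extensions, and are left out.
BLOCKED_EXT = re.compile(
    r"(?:ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|"
    r"lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|"
    r"wms|ws[cfh])",
    re.IGNORECASE,
)

# A /URI key followed by a PDF literal string. Backslash escapes are handled;
# hex strings, nested unescaped parentheses and compressed object streams are not.
URI_STRING = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.DOTALL)


def extract_uris(pdf_bytes):
    """Return the target of every URI action visible in the raw PDF bytes."""
    uris = []
    for m in URI_STRING.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.DOTALL)  # \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris


def naive_extension(uri):
    """Model of the false positive: whatever follows the last dot in the URI."""
    m = re.search(r"\.([A-Za-z0-9]+)/?$", uri)
    return m.group(1) if m else ""


def path_extension(uri):
    """Extension of the last path segment only; the host never contributes."""
    parts = urlsplit(uri)
    if parts.scheme in ("mailto", "tel"):
        return ""                      # these schemes carry no file path
    if not parts.scheme and not parts.netloc:
        parts = urlsplit("//" + uri)   # scheme-less "www.example.com/x" form
    name = unquote(parts.path).rsplit("/", 1)[-1].rstrip(". ")
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_blocked(ext):
    return bool(BLOCKED_EXT.fullmatch(ext))


def scan_pdf(pdf_bytes):
    """Return (uri, naive_verdict, path_verdict) for each URI action."""
    return [
        (u, is_blocked(naive_extension(u)), is_blocked(path_extension(u)))
        for u in extract_uris(pdf_bytes)
    ]


# Object 18 is the annotation from the report; 19 and 20 are constructed.
SAMPLE_PDF = rb"""
18 0 obj
<<
/Type /Annot
/Subtype /Link
/Border [0 0 0]
/Rect [110 671 177 680]
/A << /Type /Action /S /URI /URI (http://example.com) >>
>>
endobj
19 0 obj
<< /Type /Annot /Subtype /Link /Rect [110 650 177 660]
/A << /Type /Action /S /URI /URI (http://example.com/files/setup.exe) >> >>
endobj
20 0 obj
<< /Type /Annot /Subtype /Link /Rect [110 630 177 640]
/A << /Type /Action /S /URI /URI (mailto:billing@example.com) >> >>
endobj
"""

if __name__ == "__main__":
    for uri, naive, by_path in scan_pdf(SAMPLE_PDF):
        print(f"{uri:45} naive={naive!s:5} path-only={by_path}")
```

The path-only check still flags the link to `setup.exe`; only the bare domain and the mail address stop matching.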

Re: ASSP_AFC error - URI in PDF

Thomas Eckardt/eck
In reply to this post by Robert K Coffman Jr. -Info From Data Corp.
You've defined the 'exe-bin' protection switch. To allow JavaScript (and any other scripting language) in emails add '|:CSC' -> 'exe-bin|:CSC'.

Thomas





From:        "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To:        [hidden email]
Date:        23.05.2017 19:56
Subject:        Re: [Assp-test] ASSP_AFC error - URI in PDF





Re: ASSP_AFC error - URI in PDF

Thomas Eckardt/eck
In reply to this post by K Post
ASSP_AFC 4.53 published at SF-CVS  fixes this issue.

Thomas





From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        23.05.2017 18:33
Subject:        [Assp-test] ASSP_AFC error - URI in PDF





Re: ASSP_AFC error - URI in PDF

Robert K Coffman Jr. -Info From Data Corp.
In reply to this post by Thomas Eckardt/eck
Thanks Thomas,

I've added that to the default line and these are still blocked.
Perhaps I'm not modifying the default (which is what I'm using) correctly.

ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|':CSC'
-> 'exe-bin|:CSC'

Can anyone help?

- Bob

On 5/24/2017 1:16 AM, Thomas Eckardt wrote:
> You've defined the 'exe-bin' protection switch. To allow JavaScript (and
> any other scripting language) in emails add '|:CSC' -> 'exe-bin|:CSC'.
>



Re: ASSP_AFC error - URI in PDF

Thomas Eckardt/eck
Huuuu....???


.....exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp.....

see the ':CSC' behind 'exe\-bin'


Thomas


From:        "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To:        [hidden email]
Date:        24.05.2017 14:42
Subject:        Re: [Assp-test] ASSP_AFC error - URI in PDF





Re: ASSP_AFC error - URI in PDF

Robert K Coffman Jr. -Info From Data Corp.
On 5/24/2017 8:47 AM, Thomas Eckardt wrote:
> .....exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp.....


I tried many permutations, including that one.

Current:

ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]


May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129 <[hidden email]> info: found message size announcement: 9.38 MByte
May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129 <[hidden email]> message proxied without processing - message size (9838045) is above 500000 (npSizeOut).
May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] [NoProcessing] 192.168.0.129 <[hidden email]> to: [hidden email] message proxied without processing (except checks enabled for noprocessing mails)
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129 <[hidden email]> to: [hidden email] [Plugin] calling plugin ASSP_AFC
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129 <[hidden email]> to: [hidden email] info: using user based attachment check
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] SPAM FOUND bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus'
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] SPAM FOUND replaced bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus' with 'testfile.txt'
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] info: 1 attachment found for Level-1
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] message proxied without processing (bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus')
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] file path changed to  -> /usr/share/assp/discarded/361--2789192.eml
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment] 192.168.0.129 <[hidden email]> to: [hidden email] [spam found] bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus'  [test 6] -> /usr/share/assp/discarded/361--2789192.eml


Thanks for any help with this.

- Bob

On 5/24/2017 8:47 AM, Thomas Eckardt wrote:

> see the ':CSC' behind 'exe\-bin'
>
> Thomas

Re: ASSP_AFC error - URI in PDF

Thomas Eckardt/eck
>SPAM FOUND bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus'

If this is detected, there are statements in the JavaScript that should not be used in an email.


string.prototype.

and/or

charAt

 
Both statements are the only two clearly readable statements in the JavaScript versions of the JS-ransomware viruses. The statements are used to decrypt (reverse engineering) the rest of the JavaScript into executable code.
I'm sorry, but I'm not willing to change this.

If you want, you can change the ASSP_AFC.pm.

v4.53 line 1541 (the line content is unchanged since 4.2x, it should be easy to find in other versions)

from:

    } elsif ($$raf =~ /\bstring\.prototype\.|\bcharAt\b/io) {   # detect possibly lucky virus script

to

    } elsif ($sk !~ /:CSC/oi && $$raf =~ /\bstring\.prototype\.|\bcharAt\b/io) {   # detect possibly lucky virus script

If the line is changed this way, the ':CSC' switch will exclude this check. But be warned! The zero day versions of this scripting virus are hard to detect (even for prof. AV solutions)  because of their variable encryption.

Thomas



From:        "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To:        [hidden email]
Date:        24.05.2017 15:17
Subject:        Re: [Assp-test] ASSP_AFC error - URI in PDF




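The two versions of the condition from the reply above, rendered in Python as an added example (not part of the original posts and not ASSP's code), to show why no placement of ':CSC' in the block list changed the result until the line itself was edited. It assumes `$sk` is the configured block-list string and `$$raf` the attachment content; the attachments and the shortened block-list strings are constructed.

```python
import re

# Python rendering of the Perl conditions quoted above. Assumptions: $sk is
# the configured block-list string and $$raf is the attachment content.
LOCKY_HINT = re.compile(r"\bstring\.prototype\.|\bcharAt\b", re.IGNORECASE)
CSC_SWITCH = re.compile(r":CSC", re.IGNORECASE)
CAUSE = "Java script - possibly locky (ransomware) virus"


def check_original(content, switches):
    """Line as shipped: this condition never looks at the switch string."""
    return CAUSE if LOCKY_HINT.search(content) else None


def check_modified(content, switches):
    """Locally modified line: ':CSC' anywhere in the switch string skips the test."""
    if CSC_SWITCH.search(switches):
        return None
    return CAUSE if LOCKY_HINT.search(content) else None


# Constructed attachments (not from the thread).
ATTACHMENTS = {
    "bank_form.html": """<html><body><form onsubmit="return digitsOnly(this.acct.value)">
<input name="acct"><script>
function digitsOnly(v) {
  for (var i = 0; i < v.length; i++) {
    var c = v.charAt(i);
    if (c < '0' || c > '9') return false;
  }
  return v.length > 0;
}
</script></form></body></html>""",
    "notice.html": """<html><body><script>
document.title = "Statement ready";
</script><p>Your statement is ready.</p></body></html>""",
}

# Block-list strings shortened from the ones posted in the thread.
SWITCHES = {
    "default": r"com|exe|exe\-bin|js|jse",
    "quoted_at_end": r"com|exe|exe\-bin|js|jse|':CSC'",
    "after_exe_bin": r"com|exe|exe\-bin|:CSC|js|jse",
}


def verdict_matrix(check):
    """Map (attachment, switch variant) -> True if the check blocks it."""
    return {
        (name, variant): check(body, sk) is not None
        for name, body in ATTACHMENTS.items()
        for variant, sk in SWITCHES.items()
    }


if __name__ == "__main__":
    for label, check in (("original", check_original), ("modified", check_modified)):
        for key, blocked in verdict_matrix(check).items():
            print(label, key, "BLOCK" if blocked else "pass")
```

With the modified line and ':CSC' configured, every attachment containing these tokens passes this check, which is the trade-off the warning in the reply refers to.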

Re: ASSP_AFC error - URI in PDF

Robert K Coffman Jr. -Info From Data Corp.
On 5/24/2017 9:51 AM, Thomas Eckardt wrote:

> If this is detected, there are statements in the JavaScript, that should
> not be used in an email.
>
> string.prototype.
>
> and/or
>
> charAt


Indeed, both are in there.

> I'm sorry, but I'm not willing to change this.
>

I understand and agree.

- Bob


>
> Von: "Robert K Coffman Jr. -Info From Data Corp."
> <[hidden email]>
> An: [hidden email]
> Datum: 24.05.2017 15:17
> Betreff: Re: [Assp-test] ASSP_AFC error - URI in PDF
> ------------------------------------------------------------------------
>
>
>
> On 5/24/2017 8:47 AM, Thomas Eckardt wrote:>
>  >.....exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp.....
>
>
> I tried many permutations, including that one.
>
> Current:
>
> ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
>
>
> May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
> <[hidden email]> info: found message size announcement: 9.38 MByte
> May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
> <[hidden email]> message proxied without processing - message
> size (9838045) is above 500000 (npSizeOut).
> May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] [NoProcessing]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> message proxied without processing (except checks enabled for
> noprocessing mails)
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
> <[hidden email]> to: [hidden email] [Plugin] calling
> plugin ASSP_AFC
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
> <[hidden email]> to: [hidden email] info: using user
> based attachment check
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> SPAM FOUND bad attachment 'testfile.html' cause: 'Java script - possibly
> locky (ransomware) virus'
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> SPAM FOUND replaced bad attachment 'testfile.html' cause: 'Java script -
> possibly locky (ransomware) virus' with 'testfile.txt'
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> info: 1 attachment found for Level-1
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> message proxied without processing (bad attachment 'testfile.html'
> cause: 'Java script - possibly locky (ransomware) virus')
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> file path changed to  -> /usr/share/assp/discarded/361--2789192.eml
> May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
> 192.168.0.129 <[hidden email]> to: [hidden email]
> [spam found] bad attachment 'testfile.html' cause: 'Java script -
> possibly locky (ransomware) virus'  [test 6] ->
> /usr/share/assp/discarded/361--2789192.eml
>
>
> Thanks for any help with this.
>
> - Bob
>
> On 5/24/2017 8:47 AM, Thomas Eckardt wrote:
>  > see the ':CSC' behind 'exe\-bin'
>  >
>  > Thomas
>  >
>  >
>  > Von: "Robert K Coffman Jr. -Info From Data Corp."
>  > <[hidden email]>
>  > An: [hidden email]
>  > Datum: 24.05.2017 14:42
>  > Betreff: Re: [Assp-test] ASSP_AFC error - URI in PDF
>  > ------------------------------------------------------------------------
>  >
>  >
>  >
>  > Thanks Thomas,
>  >
>  > I've added that to the default line and these are still blocked.
>  > Perhaps I'm not modifying the default (which is what I'm using)
> correctly.
>  >
>  >
> ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|':CSC'
>
>  >
>  > -> 'exe-bin|:CSC'
>  >
>  > Can anyone help?
>  >
>  > - Bob
>  >
>  > On 5/24/2017 1:16 AM, Thomas Eckardt wrote:
>  >  > You've defined the 'exe-bin' protection switch. To allow
> JavaScript (and
>  >  > any othet scripting language) in emails add '|:CSC' -> 'exe-bin|:CSC'.
>  >  >

Re: ASSP_AFC error - URI in PDF

K Post
In reply to this post by Thomas Eckardt/eck
Confirmed working much better now.  THANK YOU

On Wed, May 24, 2017 at 7:22 AM, Thomas Eckardt <[hidden email]> wrote:
ASSP_AFC 4.53 published at SF-CVS  fixes this issue.

Thomas





From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        23.05.2017 18:33
Subject:        [Assp-test] ASSP_AFC error - URI in PDF




With AFC 4.52 and no exceptions to exe-bin, we've found some PDF's with web links in them to be erroneously blocked.

This seems to happen when the PDF is created with certain invoicing software which creates annotations to link text to the vendor's website.  Why they're doing this, I have no idea, but we can't change that - these are inbound PDF's.

I looked at one of the problem PDF's using a binary capable text editor and saw a section like this:

18 0 obj
<<
/Type /Annot
/Subtype /Link
/Border [0 0 0]
/Rect [110 671 177 680]
/A << /Type /Action /S /URI /URI (http://example.com) >>
>>
endobj


If I remove that entire section, the file passes through ASSP filtering without issue.

If I create a sample PDF in Word and just have a link to a website, all is fine, the trouble seems specific to annotations with links in them.

For the time being, I've added the :URIPDF exception and the messages are getting through.

Do you think this is something that can be addressed?


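For triaging a PDF that a mail filter rejected over its links, the sketch below lists the URI actions carried by link annotations such as the object quoted in the first post. It is an added example, not ASSP_AFC code: the function names and the sample bytes are constructed here, and it only sees objects stored uncompressed in the file.

```python
import re

# Constructed sample: the annotation object quoted in the thread (whitespace
# condensed), plus a second link whose URI has escaped and nested parentheses.
SAMPLE_PDF = b"""%PDF-1.4
18 0 obj
<< /Type /Annot /Subtype /Link /Border [0 0 0] /Rect [110 671 177 680]
/A << /Type /Action /S /URI /URI (http://example.com) >> >>
endobj
19 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 1 1]
/A << /S /URI /URI (http://example.com/a\\(1\\)?q=(x)) >> >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(", re.S)

def read_literal(buf, pos):
    """Decode the PDF literal string whose '(' is at buf[pos]; None if unterminated."""
    depth, out, i = 0, bytearray(), pos
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":  # simplification: keep the escaped byte as-is (no octal forms)
            out += buf[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")  # parentheses may nest inside the string
        if depth == 0:
            return bytes(out)
        if not (c == b"(" and depth == 1):  # drop only the opening delimiter
            out += c
        i += 1
    return None

def link_annotation_uris(pdf_bytes):
    """Return (object number, URI) for each uncompressed link annotation."""
    found = []
    for m in OBJ_RE.finditer(pdf_bytes):
        body = m.group(2)
        action = URI_ACTION_RE.search(body)
        if re.search(rb"/Subtype\s*/Link\b", body) and action:
            uri = read_literal(body, action.end() - 1)
            if uri is not None:
                found.append((int(m.group(1)), uri.decode("latin-1")))
    return found

if __name__ == "__main__":
    print(link_annotation_uris(SAMPLE_PDF))
```
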