HSL code examples
Below is a smorgasbord of script examples you may find useful in your IP Policy (connection level) and Mail Content flows.
IP Policy Flow
These scripts may be used in IP Policy flows.
Black and White list
// White list
$network = array("10.0.0.0/8","192.168.0.0/16");
foreach($network as $net) {
// Check if $senderip is in any of the networks..
if (in_network($senderip, $net)) {
Allow();
}
}
// Black list
$network = array("172.16.0.0/12");
foreach($network as $net) {
// Check if $senderip is in any of the networks..
if (in_network($senderip, $net)) {
Block();
}
}
DNS Blacklist
if(count(dnsbl($senderip,"zen.spamhaus.org")) > 0) {
echo "Connection from $senderip blocked by Spamhaus";
Block();
}
if(count(dnsbl($senderip,"bl.spamcop.net")) > 0) {
echo "Connection from $senderip blocked by SpamCop";
Block();
}
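The two lists above each block on a single listing. The following is an added IP Policy example (not part of the Halon documentation) that skips trusted networks, requires evidence from more than one list before blocking, and treats a Spamhaus PBL-only listing (return codes 127.0.0.10 and 127.0.0.11, i.e. dynamic/end-user address space) as suspicious rather than blocking. It assumes, as in the examples above, that dnsbl() returns the list's A records as strings.

```hsl
// Added example: multi-list DNSBL scoring for the IP Policy flow.
// Assumption: dnsbl() returns the 127.0.0.x answers as an array of strings.
$trusted = array("10.0.0.0/8", "192.168.0.0/16");
foreach ($trusted as $net) {
    // Own networks are never DNSBL-checked
    if (in_network($senderip, $net)) {
        Allow();
    }
}

$hits = 0;
$zen = dnsbl($senderip, "zen.spamhaus.org");
foreach ($zen as $code) {
    // 127.0.0.2-7 are SBL/CSS/XBL listings (strong evidence);
    // 127.0.0.10-11 are PBL listings (policy, not proven abuse)
    if ($code != "127.0.0.10" and $code != "127.0.0.11") {
        $hits = $hits + 1;
    }
}
$pblonly = (count($zen) > 0 and $hits == 0);

if (count(dnsbl($senderip, "bl.spamcop.net")) > 0) {
    $hits = $hits + 1;
}

if ($hits >= 2) {
    echo "Connection from $senderip blocked: listed on $hits blacklists";
    Block();
}
if ($hits == 1) {
    // A single listing is logged and slowed down, not blocked outright
    echo "Connection from $senderip listed on one blacklist; tarpitting";
    sleep(10);
}
if ($pblonly) {
    echo "Connection from $senderip is PBL-only (end-user address space)";
    sleep(10);
}
```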
Mail Flows
Below are examples that can be used in Mail Gateway flows, such as the Mail Content Flow. These are all available in the SPG and VSP appliances, since they are by definition mail gateways.
Mail Recipient Flow
These examples can be used on the Recipient Flows tab in the Mail Gateway Incoming section.
Tarpitting
Delay potential spammers for a few seconds if, e.g., the recipient cannot be found or the message was spam. This tarpitting concept may be implemented in any step of a message transaction (IP Policy Flow, Authentication Flow, Recipient Flow or Content Flow), but it will have a negative impact on the performance of your SPG/VSP. If you can afford it in a low volume environment (in terms of not affecting genuine messages), it reduces the overall spam sent on the Internet by occupying the spammers' time.
sleep(30);
Reject("Unknown User");
If you use simple Recipient Flow modules, you may write "sleep(30);" in the last script, just before the built-in Reject module.
Mail Content Flow
These scripts may be used in flows on the Mail Gateway Content Flows section.
Check if Sender Domain exists
Check if the sender domain exists; if not, delete the mail.
// Neither an A record nor an MX record for the sender domain: it cannot receive replies
if ($senderdomain != "" and !dns($senderdomain) and !dnsmx($senderdomain))
{
echo "Sender Domain $senderdomain does not exist";
Delete();
}
Use a magic keyword for attachment passthrough
This script will block messages with .zip attachments if they do not have the keyword "sendzip" in the subject.
// This is the magic keyword aka. passphrase
$magickeyword = "sendzip";
// Test if magickeyword is not found anywhere in the subject
if (!(GetHeader("Subject") =~ $magickeyword))
{
// Find all attachments of type zip
if (count($illegalattachments = GetAttachmentsByName("\\.zip$")) > 0)
{
// Remove the attachment, tag the subject and wrap the message...
RemoveAttachments($illegalattachments);
WrapMessage("[Attachments Removed] "+GetHeader("Subject"), "The following attachments were removed, if you want to obtain these; please, ask the sender to resend them and type $magickeyword in the subject of the message.<br />");
// Print out the file names
foreach(GetAttachmentName($illegalattachments) as $name)
{
WrapMessage("", $name);
}
}
}
White list Sender Domain
This is how a white list could be written. Below follow two examples, the first using string comparison and the second using Regular Expressions.
$whitelist = array("halonsecurity.com", "halon.se", "example.org");
foreach($whitelist as $host)
{
if ($senderdomain == $host) Deliver();
}
Example using Regular Expressions.
// $senderdomain holds only the domain part, so anchor the pattern at both ends
$whitelist = array("^halonsecurity\\.com$", "^halon\\.se$", "^example\\.org$");
foreach($whitelist as $host)
{
if ($senderdomain =~ $host) Deliver();
}
Be aware that you have to escape the dots in the host with \\., or else the dot will match any character, and that without the ^ and $ anchors "halon\\.se" would also match "halon.se.attacker.example".
Append RPD Score to Subject
$score = ScanRPD();
// If the score is greater than zero, tag the subject with the SPG score.
if ($score > 0) {
PrependHeader("Subject", "[SPG:$score] ");
}
Check Sender against SPF
$spf = ScanSPF();
// Score 100 means that the sender is NOT allowed to send mail for this domain
if ($spf == 100) {
Delete();
}
Verify sender "HELO" hostname
This example checks whether the hostname given in the sender's HELO resolves back to the sender's IP.
if(!in_array($senderip,dns($senderhelo))) {
echo "Provided HELO message does not resolve to sender IP, this is suspicious";
}
Log all mail messages sent out not during office hours
Since you don't expect anyone to send out mail during the night, you may want to explicitly log all mail sent then. This of course only makes sense when using the flow for outgoing traffic.
// Code Executed between 17:00 and 6:59
$time = number(strftime("%H"));
if ($time > 16 or $time < 7)
{
echo "[NOTICE] Computer $senderip tried to send a mail to $recipient (from $sender)";
}
Scan Message, Delete Viruses and Encapsulate message
This example scans every MIME part that has a name; that is, it does not scan the entire message, only the files appearing as attachments.
foreach(GetAttachmentsByName(".+") as $id) {
// ScanKAV returns an array of detected virus names (empty if clean)
$virus = ScanKAV($id);
if (count($virus)) {
RemoveAttachments($id);
WrapMessage("Virus Alert", "Virus "+$virus[0]+" found in attachment "+GetAttachmentName(string($id)));
}
}
This example scans the whole message, removes the attachments and notifies the recipient if a virus was found.
$virus = ScanKAV();
if (count($virus) > 0) {
RemoveAttachments();
WrapMessage("Virus Alert", "Virus "+$virus[0]+" found in message");
Deliver();
}
Loopback Protection
This example will prevent mail loops.
// Remove the message if it has been looping for more than 3 times...
$loop=number(GetHeader("X-SPG-Loopback-Protection"));
if ($loop < 3)
{
SetHeader("X-SPG-Loopback-Protection", ($loop + 1));
} else {
echo "Loopback Protection; Deleted Message from $sender to $recipient (server: $senderip; loop-count: $loop)";
Delete();
}
DSN Spam Protection
Delete the message if it is a DSN (delivery status notification) but was not sent directly from your outgoing mail server (*.example.com). Genuine bounces for mail you sent come back through that server; a DSN arriving from anywhere else is backscatter from a forged sender address.
$dsn = GetDSN();
// Assumption: GetDSN() returns an empty array for messages that are not DSNs,
// so non-DSN mail is left alone. Anchor the pattern with $ so that
// "mail.example.com.attacker.example" does not pass as our own server.
if (count($dsn) > 0 and !($dsn["route"][1] =~ "\\.example\\.com$")) {
echo "DSN Spam; Deleted Message from $sender to $recipient";
Delete();
}