A feature that allows behaviour analysis of the email message itself when opened by the default mail application.
Expected Behavior
Amavis should put the original message as an additional file into the directory with the separate attachments. Peekaboo should then be able to avoid analysing this file under certain circumstances, since it will be different for every individual message (except maybe mailing lists).
Current Behavior
Amavis can be configured to behave as mentioned. Peekaboo will then always scan the file or ignore it as part of the whitelist (message/rfc822 or text/plain). Be advised that Cuckoo doesn't open the file with the correct application due to the file extension.
Possible Solution
A possible solution would be to tweak the file type guessing. In addition, those files should be ignored under certain circumstances, e.g. filesize - sizeof(attachments) < 1000, given that the body content of normal messages is usually smaller than N characters while encoded exploits + payloads are > n bytes.
Steps to Reproduce
@keep_decoded_original_maps = (new_RE(
... stuff ...
qr'^MAIL$', # retain full original message for virus checking (can be slow)
... stuff ...
));
Context (Environment)
I'm trying to detect things like this:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8587
Displaying message contents can be enough to harm the device integrity, even if only displayed in the preview.
I think that feature would be good and reasonable since opening the mail with Outlook is an attack vector that would otherwise not be covered.
Currently, we use peekaboo internally with relatively low costs and hassle and plan to roll it out to our customers. In our use cases, the usefulness of this feature depends:
1. Only emails that are sent as an attachment are scanned
The overall resource consumption would not be much higher than right now and therefore manageable. Also, the bigger delay of the mail flow would not always be noticeable, as we use peekaboo inside our mail gateway, and the longer it takes the longer our users wait for expected emails. So we would use this feature. I didn't fully understand the CVE, but is opening an email enough to exploit it, or just opening an email that was sent as an attachment? If the first, IMO this feature should include all emails.
2. If all emails are scanned, the time a Cuckoo analysis takes should be as minimal as possible.
In our setup, for example, docx and pdf files take > 120 seconds whereas jpg and png files just need < 30 seconds in Cuckoo. Times like > 120 seconds would result in much higher costs for VMs, since every email is scanned and not just those with attachments, resulting in more VMs.
May be relevant here: just the other day I confirmed that current Outlook still opens message/rfc822 (or mbox files?) if their filename ends in .eml. So Peekaboo could send them to Cuckoo as (maybe) p001.eml and see what happens?
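The size heuristic from the issue's "Possible Solution" (filesize - sizeof(attachments) < 1000), combined with the .eml naming suggested in the comment above, as an added example in Python (Peekaboo's own language). This is not Peekaboo or Amavis code. The 1000-byte threshold, the function names, the p001.eml name and the two sample messages are assumptions made here for illustration: the issue gives no concrete threshold, and the messages are constructed with the standard library, not captured mail.

```python
"""Added example for the issue's size heuristic and the .eml naming remark.
Not Peekaboo or Amavis code; threshold, names and samples are assumptions."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# The issue writes "filesize - sizeof(attachments) < 1000" without fixing a
# value; 1000 bytes is used here as the assumed threshold.
RESIDUAL_THRESHOLD = 1000


def attachment_bytes(msg: EmailMessage) -> int:
    """Encoded size of every leaf part Amavis would write out as a separate
    attachment (Content-Disposition "attachment" or a filename given)."""
    total = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            # Encoded payload (base64 text), so the figure is comparable
            # with the size of the raw message on disk.
            total += len(part.get_payload())
    return total


def residual_bytes(raw: bytes) -> int:
    """Bytes of the raw message that are not attachment payload: headers,
    MIME scaffolding and the body the mail client actually renders."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return len(raw) - attachment_bytes(msg)


def should_analyse_original(raw: bytes, threshold: int = RESIDUAL_THRESHOLD) -> bool:
    """Submit the retained original (Amavis' MAIL file) only when the rendered
    part of the message is large enough to carry an encoded payload.  A short
    cover note with a big attachment is skipped: the attachment is analysed
    on its own anyway, and the note is unique per message."""
    return residual_bytes(raw) >= threshold


def sandbox_name(index: int) -> str:
    """File name under which the retained message would be handed to the
    sandbox.  The thread reports that Outlook opens message/rfc822 content
    when the name ends in .eml; the p001 prefix follows the example there."""
    return f"p{index:03d}.eml"


def build_message(body: str, subtype: str = "plain",
                  attachment: Optional[bytes] = None) -> bytes:
    """Constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(body, subtype=subtype)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


# Constructed samples: a two-line cover note carrying a 10 KiB attachment,
# and an HTML-only message whose body is padded with 4000 bytes of filler
# where an encoded payload would sit.
COVER_NOTE_WITH_ATTACHMENT = build_message(
    "Hi,\nplease see attached.\n", attachment=b"\x00" * 10240)
LARGE_HTML_BODY = build_message(
    "<html><body><script>" + "A" * 4000 + "</script></body></html>\n",
    subtype="html")

if __name__ == "__main__":
    for name, raw in (("cover note + attachment", COVER_NOTE_WITH_ATTACHMENT),
                      ("large html body", LARGE_HTML_BODY)):
        print(f"{name}: residual={residual_bytes(raw)} bytes, "
              f"analyse={should_analyse_original(raw)}, "
              f"submit as {sandbox_name(1)}")
```

The residual is measured on the encoded message rather than on decoded attachment sizes so that it matches the on-disk size Amavis reports; base64 overhead then stays on the attachment side of the subtraction, and only headers, boundaries and the rendered body count against the threshold. Mailing-list footers or signatures push the residual up, which is why the issue expects such messages to be the exception to the skip rule.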