On 03/09/2020 12.52, Syafril Hermansyah via mdaemon-l wrote:

It looks like the log does not match the mail that is in the quarantine queue; there is
no record of it entering the quarantine queue.
First check the message header of the mail in the quarantine queue, see what its
Message-ID is, and use that as the search keyword in the antivirus log.

Below is the most recent one that appeared in the quarantine queue, sir.

This email appeared in the quarantine queue after I enabled antivirus using Cyren, so does that mean it is an email from the previous day, sir?

Thu 2020-09-03 06:30:47.528: ----------
Thu 2020-09-03 06:30:53.497: MDaemon AntiVirus processing c:\mdaemon\queues\local\md5001000319580.msg...
Thu 2020-09-03 06:30:53.497: * Message return-path: chenl...@berryapparel.com
Thu 2020-09-03 06:30:53.497: * Message from: chenl...@berryapparel.com
Thu 2020-09-03 06:30:53.497: * Message to: agus.triy...@persada.id
Thu 2020-09-03 06:30:53.497: * Message subject: Fwd:RE: Daily Recon SPMS Ericsson Aug-2020
Thu 2020-09-03 06:30:53.497: * Message ID: <431e2a85d360f17be19adae74ff29...@berryapparel.com>
Thu 2020-09-03 06:30:53.497: Start MDaemon AntiVirus results (ClamAV)
Thu 2020-09-03 06:30:53.509: * Total attachments scanned       : 3 (including multipart/alternatives and message body)
Thu 2020-09-03 06:30:53.509: * Total attachments infected      : 0
Thu 2020-09-03 06:30:53.509: * Total attachments disinfected   : 0
Thu 2020-09-03 06:30:53.509: * Total errors while scanning     : 0
Thu 2020-09-03 06:30:53.509: * Total attachments removed       : 0
Thu 2020-09-03 06:30:53.520: End of MDaemon AntiVirus results
Thu 2020-09-03 06:30:53.520: ----------

The message headers are as follows:

X-SPScan-Result: infected
X-SPScan-VirusName: W97M/Downldr.IE.gen!Eldorado
X-MDBadQueue-Reason: WARNING! infected with virus (W97M/Downldr.IE.gen!Eldorado)
X-MDAV-Processed: mail.persada.id, Thu, 03 Sep 2020 06:30:53 +0700
Return-path: <chenl...@berryapparel.com>
Authentication-Results: mail.persada.id;
       spf=pass smtp.mailfrom=chenl...@berryapparel.com;
       dkim=fail (DKIM_BAD_SYNTAX) header.d=berryapparel.com header.b=EcTupVRfcf;
       iprev=pass policy.iprev=202.53.147.151 (PTR mail.violetapparel.com);
       iprev=fail policy.iprev=202.53.147.151 reason="does not match" (HELO berryapparel.com);
       iprev=pass policy.iprev=202.53.147.151 (MAIL chenl...@berryapparel.com)
Received-SPF: pass (mail.persada.id: domain berryapparel.com
       designates 202.53.147.151 as permitted sender)
       receiver=mail.persada.id; client-ip=202.53.147.151;
       mechanism=mx; envelope-from="chenl...@berryapparel.com";
       helo=berryapparel.com;
Received: from berryapparel.com (mail.violetapparel.com [202.53.147.151]) by mail.persada.id (124.81.84.135) (MDaemon PRO v20.0.1)
       with ESMTP id md5001000188866.msg; Thu, 03 Sep 2020 06:30:52 +0700
X-Spam-Level:
X-Spam-Status: No, score=0.80 required=5.0
X-Spam-Report:
       *  0.3 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
       *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
       *  0.0 HTML_MESSAGE BODY: HTML included in message
       *  0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
X-Spam-Processed: mail.persada.id, Thu, 03 Sep 2020 06:30:52 +0700
       (processed during SMTP session)
X-MDSPF-Result: unapproved (mail.persada.id)
X-MDRemoteIP: 202.53.147.151
X-MDHelo: berryapparel.com
X-MDArrival-Date: Thu, 03 Sep 2020 06:30:52 +0700
X-MDOrigin-Country: Cambodia, Asia
X-Rcpt-To: agus.triy...@persada.id
X-MDRcpt-To: agus.triy...@persada.id
X-Return-Path: chenl...@berryapparel.com
X-Envelope-From: chenl...@berryapparel.com
X-MDaemon-Deliver-To: agus.triy...@persada.id
DKIM-Signature: a=rsa-sha256; t=1599089446; x=1599694246; s=; d=berryapparel.com; c=relaxed/relaxed; v=1; bh=tTrbDVtq7WuF8KAyKrphEekxg1iSuyQNVF04exBkYLg=; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
b=EcTupVRfcflo9jz3DNP1DovJXFFZp+mjvjZEIG+jqeYGKZARCFd9NOFhkoV84XBDf+yFwGrS2oxSNjlXOvPE6NDpttac28gODsWRF4jOu4Q5NICFhuPQ09jOjkWNoYbSlBzBCPWheLLUduNDco9JfJCry986WVfsvCrNtdO4jQc=
Received: from [86.98.9.19] ([86.98.9.19])
              by berryapparel.com (12.1.1 build 4 x64) with ASMTP (SSL) id 202009030630441375
              for <agus.triy...@persada.id>; Thu, 03 Sep 2020 06:30:44 +0700
Date: Thu, 03 Sep 2020 03:30:41 +0400
From: "Wiwin Tri Akhdiana" <chenl...@berryapparel.com>
To: "Agus Triyono" <agus.triy...@persada.id>
Subject: Fwd:RE: Daily Recon SPMS Ericsson Aug-2020
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--4556116609063506179342483804808427"
Message-ID: <431e2a85d360f17be19adae74ff29...@berryapparel.com>


However, judging from the picture of the quarantined messages, it looks like all of them really
are virus-carrying mail and should have been rejected at the SMTP level.
The picture is incomplete; the time stamp (date and time) of each of those mails
is not visible.

Attached is a screenshot of the quarantine queue at 13:30, sir.


How much RAM is installed in the hardware?

Our RAM capacity is 32 GB.

Processor: Intel Xeon E5620 2.4 GHz.

Look up its transaction log in the antivirus log.

Sorry, which log is this for, sir?

How do you know that?

Sorry, this is my guess, sir: normally email from outside comes with all sorts of subjects,
none of which exactly match a legitimate email, but this email that was flagged as a virus
turned out to have exactly the same subject.

Is there an example (message source)?
How do I get the message source from the queue, sir?

--
--[mdaemon-l]----------------------------------------------------------
This list is for discussion among MDaemon Mail Server users in Indonesia

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Subscribe: send mail to mdaemon-l-subscr...@dutaint.com
Unsubscribe: send mail to mdaemon-l-unsubscr...@dutaint.com
Latest version: MDaemon 20.0.1, SecurityGateway 7.0
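The check Syafril describes earlier in the thread (take the Message-ID from the quarantined message's headers and use it as the search key in the antivirus log) as a small script. This is an added example, not code from the thread or from MDaemon; it assumes you have pasted the quarantine message's header block and the AV log text into two strings. The header block and log lines below are constructed samples modelled on the formats quoted above: the host names, addresses, Message-IDs, queue file names and detection name are placeholders, not values from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a quarantined message's header block, modelled on the
# MDaemon headers quoted in the thread. All names and IDs are placeholders.
SAMPLE_HEADERS = """
X-SPScan-Result: infected
X-SPScan-VirusName: EXAMPLE/Downldr.gen
X-MDBadQueue-Reason: WARNING! infected with virus (EXAMPLE/Downldr.gen)
Authentication-Results: mail.example.test;
       spf=pass smtp.mailfrom=sender@sender.example;
       dkim=fail (DKIM_BAD_SYNTAX) header.d=sender.example header.b=AAAAAAAAAA;
       iprev=fail policy.iprev=192.0.2.10 reason="does not match" (HELO sender.example)
Received: from sender.example (relay.example.net [192.0.2.10]) by mail.example.test (MDaemon PRO v20.0.1)
       with ESMTP id md5001000000001.msg; Thu, 03 Sep 2020 06:30:52 +0700
Message-ID: <constructed-0001@sender.example>
""".strip()

# Constructed sample of MDaemon AntiVirus log lines, modelled on the excerpt in
# the thread: two scan blocks, delimited by the "----------" marker lines.
SAMPLE_AV_LOG = r"""
Thu 2020-09-03 06:30:47.528: ----------
Thu 2020-09-03 06:30:53.497: MDaemon AntiVirus processing c:\mdaemon\queues\local\md5001000000001.msg...
Thu 2020-09-03 06:30:53.497: * Message ID: <constructed-0001@sender.example>
Thu 2020-09-03 06:30:53.497: Start MDaemon AntiVirus results (ClamAV)
Thu 2020-09-03 06:30:53.509: * Total attachments infected      : 0
Thu 2020-09-03 06:30:53.520: End of MDaemon AntiVirus results
Thu 2020-09-03 06:30:53.520: ----------
Thu 2020-09-03 06:31:10.100: MDaemon AntiVirus processing c:\mdaemon\queues\local\md5001000000002.msg...
Thu 2020-09-03 06:31:10.100: * Message ID: <constructed-0002@sender.example>
Thu 2020-09-03 06:31:10.100: Start MDaemon AntiVirus results (ClamAV)
Thu 2020-09-03 06:31:10.120: * Total attachments infected      : 1
Thu 2020-09-03 06:31:10.130: End of MDaemon AntiVirus results
Thu 2020-09-03 06:31:10.130: ----------
""".strip()


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def first_header(fields: List[Tuple[str, str]], name: str) -> Optional[str]:
    """First value of the named header (case-insensitive), or None."""
    for n, v in fields:
        if n.lower() == name.lower():
            return v
    return None


def header_verdict(raw_headers: str) -> Dict[str, object]:
    """What the quarantine headers say: search key, scanner verdict, failed sender checks."""
    fields = unfold_headers(raw_headers)
    auth = first_header(fields, "Authentication-Results") or ""
    return {
        "message_id": first_header(fields, "Message-ID"),
        "av_result": first_header(fields, "X-SPScan-Result"),
        "virus_name": first_header(fields, "X-SPScan-VirusName"),
        "bad_queue_reason": first_header(fields, "X-MDBadQueue-Reason"),
        "auth_failures": re.findall(r"\b(spf|dkim|iprev)=fail\b", auth),
    }


def av_log_blocks(log: str) -> List[List[str]]:
    """Group AV log lines into per-message blocks delimited by '----------'."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for line in log.splitlines():
        text = line.split(": ", 1)[1] if ": " in line else line  # drop the timestamp
        if text.strip() == "----------":
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def find_av_entry(log: str, message_id: str) -> Optional[Dict[str, object]]:
    """The AV log block that scanned this Message-ID (queue file, engine, infected count), or None."""
    for block in av_log_blocks(log):
        if not any(message_id in line for line in block):
            continue
        entry: Dict[str, object] = {"queue_file": None, "scanner": None, "infected": None}
        for line in block:
            m = re.search(r"processing (\S+\.msg)", line)
            if m:
                entry["queue_file"] = m.group(1)
            m = re.search(r"AntiVirus results \(([^)]+)\)", line)
            if m:
                entry["scanner"] = m.group(1)
            m = re.search(r"Total attachments infected\s*:\s*(\d+)", line)
            if m:
                entry["infected"] = int(m.group(1))
        return entry
    return None


def correlate(raw_headers: str, log: str) -> Dict[str, object]:
    """Tie the quarantined message to its AV log block via the Message-ID."""
    verdict = header_verdict(raw_headers)
    mid = verdict["message_id"]
    verdict["av_log_entry"] = find_av_entry(log, mid) if mid else None
    return verdict


if __name__ == "__main__":
    result = correlate(SAMPLE_HEADERS, SAMPLE_AV_LOG)
    print("Message-ID:", result["message_id"])
    print("Header verdict:", result["av_result"], result["virus_name"])
    print("Failed sender checks:", ", ".join(result["auth_failures"]) or "none")
    entry = result["av_log_entry"]
    if entry is None:
        print("No AV log block for this Message-ID; check the previous day's log file")
    else:
        print("AV log:", entry["scanner"], "scanned", entry["queue_file"], "infected =", entry["infected"])
```

The Message-ID is the stable key here: the queue file name in the `Received:` header and the one in the AV log line can differ, so matching on the file name alone can miss the entry. When `find_av_entry` returns `None` for a message that is sitting in the quarantine queue, the scan happened on a different day (or was logged by a different engine) and the search has to move to that day's log, which is the situation the thread is describing.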