On 2/10/2016 1:03 PM, Nick Howitt wrote:
> Hi,
> In the last few weeks I've seen a increase in the number of e-mails
> with nasty .doc or .xls files, generally with some sort of invoice
> supposedly in them. Can postfix be reliably configured to block them
> at source. Below is a message header, the relevant but of the
> maillog and my configuration:

Some low hanging fruit:

Looks as if you're using amavisd-new.  Are you using clamav also?
If so, I highly recommend the Sanesecurity addon spam signatures.
They stop a lot of this kind of stuff for me.
http://sanesecurity.com/usage/signatures/
The signatures marked "low risk" should be safe for anyone to use.
you can make your own decision for the "Med" and "High" sigs.

This particular client has no reverse DNS hostname.  Most sites find
it safe to use reject_unknown_reverse_client_hostname to reject such
clients. This similar to restrictions at many big mail providers and
is a much safer alternative than reject_unknown_client_hostname.
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

This client used an IP literal as their HELO name.  This is
permitted by RFC and common with end-user mail software, but rarely
found in a legit mail server.  You can use a check_helo_access
regexp to reject such clients after permit_mynetworks,
permit_sasl_authenticated.

The logs you include show the mail passing through your
content_filter.  It would have been much more interesting to see the
original connection from the outside client.

I didn't really look at your postconf output, other than noticing
that you use some good RBLs already, and have some questionable
settings for alias_maps, local_recipient_maps, and
virtual_alias_maps.  Maybe someone else will analyze that for you.


  -- Noel Jones


> 
>    Return-Path: <[email protected]>
>    Received: from localhost (localhost [127.0.0.1])
>         by server.mydomain.co.uk (Cyrus
> v2.3.16-Fedora-RPM-2.3.16-13.v6) with LMTPA;
>         Wed, 10 Feb 2016 17:41:36 +0000
>    X-Sieve: CMU Sieve 2.3
>    X-Virus-Scanned: amavisd-new at mydomain.co.uk
>    X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field
> made up
>        entirely of whitespace (char 09 hex): Content-Type:
>        ...80A65A5A6F0709FA513B7426538A615A81AC6E9920_"\n\t
>    X-Spam-Flag: YES
>    X-Spam-Score: 5.42
>    X-Spam-Level: *****
>    X-Spam-Status: Yes, score=5.42 tagged_above=-99 required=5
>        tests=[HTML_MESSAGE=0.001, RCVD_IN_BRBL=2.5,
>        RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274,
> URIBL_BLOCKED=0.001]
>        autolearn=no
>    Received: from [51.179.106.180] (unknown [51.179.106.180])
>        by mailserver.mydomain.co.uk (Postfix) with ESMTP id 9BB74E427F
>        for <[email protected]>; Wed, 10 Feb 2016 17:41:30
> +0000 (GMT)
>    From: Tim Maier <[email protected]>
>    To: <[email protected]>
>    Subject: [virus VBA/TrojanDownloader.Agent.ASA trojan] [SPAM]
>       
> =?UTF-8?B?UmVtaXR0YW5jZSBhZHZpY2UgZnJvbSBTa3kgR3JvdXA6IEFjY291bnQgTm8uIDgwNTczOQ==?=
> 
>    Thread-Topic: Remittance advice from Sky Group: Account No. 805739
>    Thread-Index: 9E9A0863698CAF3C254C6A950+B141==
>    Date: Wed, 10 Feb 2016 18:41:27 +0200
>    Message-ID:
> <97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
>    Accept-Language: en-US
>    Content-Language: en-US
>    X-MS-Has-Attach: yes
>    X-MS-TNEF-Correlator:
>    MIME-Version: 1.0
>    X-MC-Unique: 223161351459233692
>    Content-Type: multipart/mixed;
>       
> boundary="_929_604EEBAB9DEEDAD880A65A5A6F0709FA513B7426538A615A81AC6E9920_"   
> 
>    X-EsetResult: clean (cleaned), contained
> VBA/TrojanDownloader.Agent.ASA trojan
>    X-EsetId: 26366E2C4DACF56B3C7E31301FB3F36B677D637342
> 
>

Reply via email to