Hi Noel,
On 10/02/2016 19:39, Noel Jones wrote:
On 2/10/2016 1:03 PM, Nick Howitt wrote:
Hi,
In the last few weeks I've seen a increase in the number of e-mails
with nasty .doc or .xls files, generally with some sort of invoice
supposedly in them. Can postfix be reliably configured to block them
at source. Below is a message header, the relevant but of the
maillog and my configuration:
Some low hanging fruit:
Looks as if you're using amavisd-new. Are you using clamav also?
If so, I highly recommend the Sanesecurity addon spam signatures.
They stop a lot of this kind of stuff for me.
http://sanesecurity.com/usage/signatures/
The signatures marked "low risk" should be safe for anyone to use.
you can make your own decision for the "Med" and "High" sigs.
Nice link. I'll have to look at it properly.
This particular client has no reverse DNS hostname. Most sites find
it safe to use reject_unknown_reverse_client_hostname to reject such
clients. This similar to restrictions at many big mail providers and
is a much safer alternative than reject_unknown_client_hostname.
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
Unfortunately the thread has split so I asked this question replying to
another post. My concern is do many mailers use IP's with no reverse DNS
records. Presumably if they are dynamic they'll be picked up by the zen
rbl anyway?
This client used an IP literal as their HELO name. This is
permitted by RFC and common with end-user mail software, but rarely
found in a legit mail server. You can use a check_helo_access
regexp to reject such clients after permit_mynetworks,
permit_sasl_authenticated.
Interesting thought.
The logs you include show the mail passing through your
content_filter. It would have been much more interesting to see the
original connection from the outside client.
Bother I misses the first three lines of the connection log:
Feb 10 17:41:29 server postfix/smtpd[15962]: connect from
unknown[51.179.106.180]
Feb 10 17:41:30 server postfix/smtpd[15962]: 9BB74E427F:
client=unknown[51.179.106.180]
Feb 10 17:41:31 server postfix/cleanup[15965]: 9BB74E427F:
message-id=<97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
Presumably if I want more I need to change the verbosity.
I didn't really look at your postconf output, other than noticing
that you use some good RBLs already, and have some questionable
settings for alias_maps, local_recipient_maps, and
virtual_alias_maps. Maybe someone else will analyze that for you.
Don't worry about these. They are either empty or set by my distro,
preconfigured to be updated when the LDAP user list changes.
-- Noel Jones
Return-Path: <[email protected]>
Received: from localhost (localhost [127.0.0.1])
by server.mydomain.co.uk (Cyrus
v2.3.16-Fedora-RPM-2.3.16-13.v6) with LMTPA;
Wed, 10 Feb 2016 17:41:36 +0000
X-Sieve: CMU Sieve 2.3
X-Virus-Scanned: amavisd-new at mydomain.co.uk
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field
made up
entirely of whitespace (char 09 hex): Content-Type:
...80A65A5A6F0709FA513B7426538A615A81AC6E9920_"\n\t
X-Spam-Flag: YES
X-Spam-Score: 5.42
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.42 tagged_above=-99 required=5
tests=[HTML_MESSAGE=0.001, RCVD_IN_BRBL=2.5,
RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274,
URIBL_BLOCKED=0.001]
autolearn=no
Received: from [51.179.106.180] (unknown [51.179.106.180])
by mailserver.mydomain.co.uk (Postfix) with ESMTP id 9BB74E427F
for <[email protected]>; Wed, 10 Feb 2016 17:41:30
+0000 (GMT)
From: Tim Maier <[email protected]>
To: <[email protected]>
Subject: [virus VBA/TrojanDownloader.Agent.ASA trojan] [SPAM]
=?UTF-8?B?UmVtaXR0YW5jZSBhZHZpY2UgZnJvbSBTa3kgR3JvdXA6IEFjY291bnQgTm8uIDgwNTczOQ==?=
Thread-Topic: Remittance advice from Sky Group: Account No. 805739
Thread-Index: 9E9A0863698CAF3C254C6A950+B141==
Date: Wed, 10 Feb 2016 18:41:27 +0200
Message-ID:
<97495148876b4c8ecebe19312419b8ec215b9...@567d24e77.safewaydriving.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
MIME-Version: 1.0
X-MC-Unique: 223161351459233692
Content-Type: multipart/mixed;
boundary="_929_604EEBAB9DEEDAD880A65A5A6F0709FA513B7426538A615A81AC6E9920_"
X-EsetResult: clean (cleaned), contained
VBA/TrojanDownloader.Agent.ASA trojan
X-EsetId: 26366E2C4DACF56B3C7E31301FB3F36B677D637342