Dan, I'm curious about this script you run every 15 minutes...
Is that something you can share? Thanks, Denny

> ________________________________
> From: Dan McAllister <q...@it4soho.com>
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Monday, November 4, 2013 5:27 PM
> Subject: Re: [qmailtoaster] plague caused by virus
>
> On 11/4/2013 3:27 PM, Nicholas Chua wrote:
>
>> Hi,
>>
>> I am receiving an average of 13 new viruses each day. Due to these viruses, email account passwords are stolen, causing massive spam from the server. Valuable time is wasted delisting our IP and maintaining a private list for a virus database; till date, 100+ viruses are still not detected by clamav.
>>
>> This server is housing about 600 users. We had not experienced this issue until 4 months ago. Would anyone out there like to share their experience fighting viruses?
>>
>> Thanks
>> nic
>>
> Nic:
>
> You'll need to look at your qmail-send logs to see the users who are sending messages that are failing. For virus-infected systems, you'll see the messages going out to 20 or so addresses at a time, most of which will be invalid.
>
> Once you identify a hacked user, change their password & decline to give them the new password until they can demonstrate that they've run a full virus scan on their system.
>
> It is because of issues like this that I keep a 15-minute timer on my larger mail systems... every 15 minutes, I count how many failed messages there have been so far today. When the value reaches 100, I look into it and usually find ONE USER who is responsible for the vast majority of them, and I immediately suspend that user as described above (I just change the password).
>
> The problems with your idea of resting on clamav for virus protection include:
> 1) you're assuming clamav is scanning messages from your users -- which in a stock QMT, it is not. It only scans messages coming in on port 25 received without authentication (e.g. inbound mail, not outbound mail);
> 2) you're assuming virus infections are spreading as attachments -- usually they are nothing but links... which usually get opened and infect clients because stupid, lazy users keep their mail clients set to having a preview pane and to showing html content always... thus, they swear they didn't OPEN the infecting message -- but their preview pane sure did!
> 3) you're assuming you're being blacklisted because of SPAM or virus contents -- usually you hit the blacklists because you send SPAM to "honeypot" addresses, or you keep hitting sites over and over again with invalid addresses (considered fishing).
>
> So, if this started a few days ago, start by extracting the log files, one day at a time, for the past week.
> 1) use qmlog to scan ALL available logs (not just the "current" file)
> 2) pipe the output of qmlog into grep and sort out all entries for the given day (e.g. | grep "^10-31")
> 3) put the results into a /tmp file (I would use /
> 4) use the [q]mtrack program I mentioned just earlier today to examine JUST THAT FILE, and look for messages that have multiple recipients.
>
> I hope this points you in the right direction...
>
> Dan
> IT4SOHO
> QMT DNS/Mirror Admin
>
>
> --
> PLEASE TAKE NOTE OF OUR NEW ADDRESS
> ===================================
> IT4SOHO, LLC
> 33 - 4th Street N, Suite 211
> St. Petersburg, FL 33701-3806
> CALL TOLL FREE: 877-IT4SOHO
> 877-484-7646 Phone
> 727-647-7646 Local
> 727-490-4394 Fax
> We have support plans for QMail!
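Dan's script itself is not on the list, so here is an added example (my own, not Dan's or QMT's code) of the check he describes: tally permanent delivery failures per envelope sender from qmail-send log lines and trip once the total reaches his threshold. It assumes the standard qmail-send log line shapes (info msg / starting delivery / delivery N: failure:), reads the lines on stdin, and the sample log is constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not Dan's own script: tally qmail-send permanent delivery failures per
# envelope sender so one compromised account stands out. Feed it the log lines for the
# period of interest (e.g. one day, as Dan extracts them with qmlog | grep "^10-31").

# Prints "<failures> <sender>", busiest first; reads standard qmail-send lines (tai64n prefix optional) on stdin.
failures_by_sender() {
    awk '
        # "info msg N: bytes ... from <addr> ...": remember the envelope sender of msg N
        /info msg [0-9]+: bytes .* from </ {
            match($0, /msg [0-9]+/);   id = substr($0, RSTART + 4, RLENGTH - 4)
            match($0, /from <[^>]*>/); sender[id] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        # "starting delivery D: msg N to ...": delivery ids are reused, so map D -> N now
        /starting delivery [0-9]+: msg [0-9]+/ {
            match($0, /delivery [0-9]+/); d = substr($0, RSTART + 9, RLENGTH - 9)
            match($0, /msg [0-9]+/);      msg_of[d] = substr($0, RSTART + 4, RLENGTH - 4)
        }
        # "delivery D: failure: ...": charge the bounce to the sender of msg N
        /delivery [0-9]+: failure:/ {
            match($0, /delivery [0-9]+/); d = substr($0, RSTART + 9, RLENGTH - 9)
            who = (msg_of[d] in sender) ? sender[msg_of[d]] : "(unknown)"
            fail[who]++
        }
        END { for (who in fail) printf "%d %s\n", fail[who], who }
    ' | sort -rn
}

# Print the table with a total; return 1 once the total reaches THRESHOLD (Dan uses 100).
report_failures() {
    threshold=${1:-100}
    table=$(failures_by_sender)
    total=$(printf '%s\n' "$table" | awk '{ n += $1 } END { print n + 0 }')
    printf 'failures so far: %s\n%s\n' "$total" "$table"
    [ "$total" -lt "$threshold" ]
}

# Constructed sample log, not real traffic: alice bounces twice, bob once (delivery id 1 reused).
sample_log() {
    cat <<'EOF'
@4000000052781a6b0f9e3c3c info msg 2001: bytes 640 from <alice@example.com> qp 311 uid 89
@4000000052781a6b10a1b2c4 starting delivery 1: msg 2001 to remote one@invalid.example
@4000000052781a6b10a1b2c5 starting delivery 2: msg 2001 to remote two@invalid.example
@4000000052781a6b1a000000 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052781a6b1a000001 delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052781a6c00000000 info msg 2002: bytes 900 from <bob@example.com> qp 312 uid 89
@4000000052781a6c00000001 starting delivery 1: msg 2002 to remote nobody@invalid.example
@4000000052781a6c00000002 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
EOF
}
```

Run `sample_log | report_failures 2` to watch it trip on the constructed log, or pipe a real day's lines in from a 15-minute cron job with the default threshold of 100 and act on the top sender as Dan does.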