Dan,

I'm curious about this script you run every 15 minutes...

Is that something you can share?

Thanks,
Denny
>________________________________
> From: Dan McAllister <q...@it4soho.com>
>To: qmailtoaster-list@qmailtoaster.com 
>Sent: Monday, November 4, 2013 5:27 PM
>Subject: Re: [qmailtoaster] plague caused by virus
> 
>
>
>On 11/4/2013 3:27 PM, Nicholas Chua wrote:
>
> 
>>Hi,
>>
>>I am receiving an average of 13 new viruses each day. Due to these
>>viruses, email account passwords are stolen, causing massive spam
>>from the server. Valuable time is wasted delisting our IP and
>>maintaining a private virus database, in which to date 100+ viruses
>>are still not detected by clamav.
>>
>>This server is housing about 600 users. We were not experiencing
>>this issue until 4 months ago. Anyone out there would like to
>>share your experience fighting viruses?
>>
>>Thanks
>>nic
>>
>Nic:
>
>You'll need to look to your qmail-send logs to see the users who
>are sending messages that are failing. For virus-infected systems,
>you'll see the messages going out to 20 or so addresses at a time,
>most of which will be invalid.
>
>Once you identify a hacked user, change their password &
>decline to give them the new password until they can demonstrate
>that they've run a full virus scan on their system.
>
>It is because of issues like this that I keep a 15-minute timer on
>my larger mail systems... every 15 minutes, I count how many
>failed messages there have been so far today. When the value
>reaches 100, I look into it and usually find ONE USER who is
>responsible for the vast majority of them, and I immediately
>suspend that user as described above (I just change the password).
>
>The problems with your idea of resting on clamav for virus
>protection include:
> 1) you're assuming clamav is scanning messages from your users --
>which in a stock QMT, it is not. It only scans messages coming in
>on port 25 received without authentication (e.g. inbound mail, not
>outbound mail);
> 2) you're assuming virus infections are spreading as attachments
>-- usually they are nothing but links... which usually get opened
>and infect clients because stupid, lazy users keep their mail
>clients set to having a preview pane and to showing html content
>always... thus, they swear they didn't OPEN the infecting message
>-- but their preview pane sure did!
> 3) you're assuming you're being blacklisted because of SPAM or
>virus contents -- usually you hit the blacklists because you send
>SPAM to "honeypot" addresses, or you keep hitting sites over and
>over again with invalid addresses (considered fishing).
>
>So, if this started a few days ago, start by extracting the log
>files, one day at a time, for the past week.
> 1) use qmlog to scan ALL available logs (not just the "current"
>file)
> 2) pipe the output of qmlog into grep and sort out all entries
>for the given day (e.g. | grep "^10-31")
> 3) put the results into a /tmp file (I would use /
> 4) use the [q]mtrack program I mentioned just earlier today to
>examine JUST THAT FILE, and look for messages that have multiple
>recipients.
>
>I hope this points you in the right direction...
>
>Dan
>IT4SOHO
>QMT DNS/Mirror Admin
>
>
>--  PLEASE TAKE NOTE OF OUR NEW ADDRESS
>===================================
>IT4SOHO, LLC
>33 - 4th Street N, Suite 211
>St. Petersburg, FL 33701-3806
>CALL TOLL FREE: 877-IT4SOHO
>877-484-7646 Phone
>727-647-7646 Local
>727-490-4394 Fax
>We have support plans for QMail!
>
>
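Dan's 15-minute script is not in the thread. As an added illustration of the check he describes (example code written for this page, not Dan's script and not part of the exchange above), here is a small POSIX shell script that counts failed deliveries in qmail-send log output and attributes them to the envelope sender, which is what lets one compromised account stand out. It assumes the standard qmail-send line formats ("info msg N: ... from <addr>", "starting delivery D: msg N ...", "delivery D: failure: ...") and that the input has already been restricted to the period of interest, for instance by the qmlog | grep step Dan lists. The log lines embedded in it are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example (not Dan's script): count qmail-send delivery failures per
# envelope sender, in the spirit of the 15-minute check described in the thread.
# Input: qmail-send log text on stdin (raw multilog/tai64n lines, or qmlog output
# already filtered to one day). Sample lines at the bottom are constructed.

# failures_by_sender: print "<count> <envelope sender>" lines, highest first.
# qmail-send logs the sender once per message ("info msg N: ... from <addr>") and
# each failed recipient on its own "delivery D: failure:" line, so a failure has to
# be joined back to its message id through the "starting delivery D: msg N" line.
failures_by_sender() {
    awk '
        / info msg [0-9]+: .* from </ {
            id = $0; sub(/.* info msg /, "", id); sub(/:.*/, "", id)
            s = $0;  sub(/.* from </, "", s);      sub(/>.*/, "", s)
            sender_of[id] = s
        }
        / starting delivery [0-9]+: msg [0-9]+ / {
            d = $0; sub(/.* starting delivery /, "", d); sub(/:.*/, "", d)
            m = $0; sub(/.* msg /, "", m);               sub(/ .*/, "", m)
            msg_of[d] = m
        }
        / delivery [0-9]+: failure: / {
            d = $0; sub(/.* delivery /, "", d); sub(/:.*/, "", d)
            s = (msg_of[d] in sender_of) ? sender_of[msg_of[d]] : "<unknown>"
            failures[s]++
        }
        END { for (s in failures) printf "%d %s\n", failures[s], s }
    ' | sort -rn
}

# failure_total: total number of failed deliveries in the input.
failure_total() {
    failures_by_sender | awk '{ n += $1 } END { print n + 0 }'
}

# check_failures THRESHOLD: exit 0 and print the worst sender once the failure
# count has reached THRESHOLD (Dan uses 100 for "so far today"); exit 1 otherwise.
check_failures() {
    threshold=$1
    report=$(failures_by_sender)
    total=$(printf '%s\n' "$report" | awk '{ n += $1 } END { print n + 0 }')
    if [ "$total" -ge "$threshold" ]; then
        printf 'ALERT: %s failed deliveries; top sender: %s\n' \
            "$total" "$(printf '%s\n' "$report" | head -n 1)"
        return 0
    fi
    return 1
}

# Constructed sample: one sender (alice) spraying invalid recipients, one
# ordinary typo from carol, one deferral that is deliberately not counted.
SAMPLE_LOG=$(cat <<'EOF'
@4000000052780a1b0e2f5a74 new msg 811001
@4000000052780a1b0e2f6b2c info msg 811001: bytes 1984 from <alice@example.com> qp 20450 uid 89
@4000000052780a1b0e2f7c1c starting delivery 301: msg 811001 to remote nobody1@example.net
@4000000052780a1b0e2f7c1d starting delivery 302: msg 811001 to remote nobody2@example.net
@4000000052780a1b0e2f7c1e starting delivery 303: msg 811001 to remote nobody3@example.net
@4000000052780a1b0e2f7c1f starting delivery 304: msg 811001 to remote bob@example.org
@4000000052780a1c01a2b3c4 delivery 301: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052780a1c01a2b3c5 delivery 302: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052780a1c01a2b3c6 delivery 303: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052780a1c01a2b3c7 delivery 304: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@4000000052780a1c01a2b3c8 end msg 811001
@4000000052780a1d00000001 new msg 811002
@4000000052780a1d00000002 info msg 811002: bytes 512 from <carol@example.com> qp 20461 uid 89
@4000000052780a1d00000003 starting delivery 305: msg 811002 to remote typo@exmaple.org
@4000000052780a1d00000004 delivery 305: failure: Sorry,_I_couldn't_find_any_host_named_exmaple.org._(#5.1.2)/
@4000000052780a1d00000005 end msg 811002
@4000000052780a1e00000001 new msg 811003
@4000000052780a1e00000002 info msg 811003: bytes 2010 from <alice@example.com> qp 20470 uid 89
@4000000052780a1e00000003 starting delivery 306: msg 811003 to remote nobody4@example.net
@4000000052780a1e00000004 starting delivery 307: msg 811003 to remote nobody5@example.net
@4000000052780a1e00000005 delivery 306: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000052780a1e00000006 delivery 307: deferral: Connected_to_192.0.2.20_but_greeting_failed./
@4000000052780a1e00000007 end msg 811003
EOF
)

# Demo: threshold of 3 only because the sample is tiny.
printf '%s\n' "$SAMPLE_LOG" | check_failures 3 || true
```

A real cron job would feed `check_failures 100` the current day's qmail-send lines every 15 minutes and notify someone when it exits 0; the per-sender report then names the account to suspend. Deferrals are left out on purpose: they are retried and would inflate the count for one slow remote host rather than point at a hacked user.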
