RE: [qmailtoaster] plague caused by virus
Many thanks Brent!

Regards
nic

Date: Thu, 7 Nov 2013 11:32:07 -0700
From: bgardnermailingli...@gmail.com
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] plague caused by virus

> On 11/06/2013 07:56 PM, Nicholas Chua wrote:
> [snip]
Re: [qmailtoaster] plague caused by virus
Very nice script Dan. Thanks!!

From: Dan McAllister q...@it4soho.com
To: qmailtoaster-list@qmailtoaster.com
Sent: Wednesday, November 6, 2013 4:22 PM
Subject: Re: [qmailtoaster] plague caused by virus

> Sure -- happy to share... it's pretty brute force, but I don't have a lot of time for clean development!
>
> [snip]
Re: [qmailtoaster] plague caused by virus
On 11/06/2013 07:56 PM, Nicholas Chua wrote:
> Hi Brent
>
>> You might take a look at the SaneSecurity Foxhole signatures for ClamAV:
>> http://sanesecurity.com/foxhole-databases/
>> These are designed to hit on any executable in an archive file.
>>
>> Regards,
>> Brent Gardner
>
> Are you able to teach me how do I use foxhole only?

Nic-

Install QmailToaster Plus if you don't already have it. Instructions here:
http://qtp.qmailtoaster.com/trac

Then, with root privileges, run qtp-install-sanesecurity. More info here:
http://qtp.qmailtoaster.com/trac/wiki/Features#qtp-install-sanesecurity

Then, edit /etc/clamav-unofficial-sigs.conf. There's a section that starts like this:

#
# Sanesecurity Database(s)
#

In this section, there's a statement:

ss_dbs="<lots of signature db names>"

If you want to run -only- the foxhole signatures, remove all the other signature DB names between the quotes and add the foxhole signature db name of your choice on a line by itself between the quotes. There are at least three foxhole signature databases so you'll need to choose which one's right for you. More info here:
http://sanesecurity.com/foxhole-databases/

The SaneSecurity updater script also downloads SecuriteInfo and MalwarePatrol databases. If you want to prevent this you'll also need to comment out the corresponding sections in clamav-unofficial-sigs.conf.

Regards,
Brent Gardner

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] plague caused by virus
Sure -- happy to share... it's pretty brute force, but I don't have a lot of time for clean development!

Remember: I reset the name of my mtrack command to qmtrack... (Bolding the non-commented lines is just my way of making them stand out)

#!/bin/bash
# $0 (or check-failures.sh) - (should run every 15 minutes from a cron job... so ensure there is no output!)
# NOTE: If run with no arguments (e.g. from cron), the report is run for TODAY
#       if 1 argument, the report is run for the STARTING VALUE entered
#          $0 11     would run the report for all of November
#          $0 11-11  would run the report solely for November 11 (no matter what day today is)
#       if 2 arguments, the report is run for the MONTH and DAY provided
#          $0 11 11  would run the report for November 11 (no matter what day today is)
#
# Delete old log files
rm -f /tmp/send*
#
# Process Args
if [ $# -eq 0 ] ; then
    TODAY=`/bin/date +%m-%d`
elif [ $# -eq 1 ] ; then
    TODAY=$1
elif [ $# -eq 2 ] ; then
    TODAY=$1-$2
else
    echo "Usage: $0 [month] | [month] [day]" 1>&2
    exit 1
fi
#
# Create nice logs for the period requested
# (the shell redirections below were eaten by the list archive; restored here)
/usr/sbin/qmlog send | grep "^${TODAY}" > /tmp/send-${TODAY}
# Look for failures
/it4soho/sbin/qmtrack -p fail < /tmp/send-${TODAY} > /tmp/send-${TODAY}-fail
# Count failures
FAILURES=`grep 'failure:' /tmp/send-${TODAY}-fail | wc -l`
# If too many, send an email
if [ $FAILURES -gt 100 ] ; then
    mail -s "TOO MANY MAIL SYSTEM FAILURES" u...@domain.com <<-EOL
There have been $FAILURES failed message attempts so far today.
Please check the server ASAP to prevent blacklistings
EOL
fi
# Done.

I hope you find it useful...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

On 11/4/2013 9:00 PM, LHTek wrote:
> Dan, I'm curious in this script you run every 15 minutes... Is that something you can share?
>
> Thanks,
> Denny
>
> From: Dan McAllister q...@it4soho.com
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Monday, November 4, 2013 5:27 PM
> Subject: Re: [qmailtoaster] plague caused by virus
>
> [snip]
RE: [qmailtoaster] plague caused by virus
> Sure -- happy to share... it's pretty brute force, but I don't have a lot of time for clean development!
>
> [snip]
>
> I hope you find it useful...

Many thanks Dan. Great script
RE: [qmailtoaster] plague caused by virus
Hi Brent

> You might take a look at the SaneSecurity Foxhole signatures for ClamAV:
> http://sanesecurity.com/foxhole-databases/
> These are designed to hit on any executable in an archive file.
>
> Regards,
> Brent Gardner

Are you able to teach me how do I use foxhole only?

Thanks
nic
[qmailtoaster] plague caused by virus
Hi,

I am receiving an average of 13 new viruses each day. Due to these viruses, email account passwords are stolen and cause massive spam from the server. Valuable time is wasted to delist our IP and to maintain a private virus database, in which to date 100+ viruses are still not detected by clamav. This server is housing about 600 users. We were not experiencing this issue until 4 months ago.

Anyone out there would like to share your experience fighting viruses?

Thanks
nic
Re: [qmailtoaster] plague caused by virus
On 11/4/2013 3:27 PM, Nicholas Chua wrote:
> Hi,
>
> I am receiving an average of 13 new viruses each day. Due to these viruses, email account passwords are stolen and cause massive spam from the server. Valuable time is wasted to delist our IP and to maintain a private virus database, in which to date 100+ viruses are still not detected by clamav. This server is housing about 600 users. We were not experiencing this issue until 4 months ago.
>
> Anyone out there would like to share your experience fighting viruses?
>
> Thanks
> nic

Nic:

You'll need to look to your qmail-send logs to see the users who are sending messages that are failing. For virus infected systems, you'll see the messages going out to 20 or so addresses at a time, most of which will be invalid. Once you identify a hacked user, change their password and decline to give them the new password until they can demonstrate that they've run a full virus scan on their system.

It is because of issues like this that I keep a 15-minute timer on my larger mail systems... every 15 minutes, I count how many failed messages there have been so far today. When the value reaches 100, I look into it and usually find ONE USER who is responsible for the vast majority of them, and I immediately suspend that user as described above (I just change the password).

The problems with your idea of resting on clamav for virus protection include:
1) you're assuming clamav is scanning messages from your users -- which in a stock QMT, it is not. It only scans messages coming in on port 25 received without authentication (e.g. inbound mail, not outbound mail);
2) you're assuming virus infections are spreading as attachments -- usually they are nothing but links... which usually get opened and infect clients because stupid, lazy users keep their mail clients set to having a preview pane and to showing html content always... thus, they swear they didn't OPEN the infecting message -- but their preview pane sure did!
3) you're assuming you're being blacklisted because of SPAM or virus contents -- usually you hit the blacklists because you send SPAM to honeypot addresses, or you keep hitting sites over and over again with invalid addresses (considered fishing).

So, if this started a few days ago, start by extracting the log files, one day at a time, for the past week.
1) use qmlog to scan ALL available logs (not just the current file)
2) pipe the output of qmlog into grep and sort out all entries for the given day (e.g. | grep ^10-31)
3) put the results into a /tmp file (I would use /
4) use the [q]mtrack program I mentioned just earlier today to examine JUST THAT FILE, and look for messages that have multiple recipients.

I hope this points you in the right direction...

Dan
IT4SOHO
QMT DNS/Mirror Admin

--
PLEASE TAKE NOTE OF OUR NEW ADDRESS
===
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE: 877-IT4SOHO
877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!
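As an added illustration of the triage Dan describes (the 15-minute failure count in his script and the qmlog / grep ^MM-DD / mtrack walk-through above), here is a small Python parser over a constructed sample of qmail-send log lines; it is not Dan's script nor any QMT tool, and it assumes qmlog prints each line with a "MM-DD HH:MM:SS" prefix (the form his grep ^10-31 selects). It attributes every delivery back to the envelope sender of its message, so the one hijacked account behind most of the failures stands out the way Dan says it usually does.

```python
import re
from collections import defaultdict

# Constructed sample of qmail-send log lines in the form qmlog prints them
# (assumed here: a "MM-DD HH:MM:SS" prefix, which is what "grep ^10-31"
# selects). Message ids, addresses and hosts are made up for this example.
SAMPLE_LOG = """\
10-31 09:00:01 new msg 1001
10-31 09:00:01 info msg 1001: bytes 812 from <alice@example.org> qp 4001 uid 89
10-31 09:00:01 starting delivery 1: msg 1001 to remote bob@example.net
10-31 09:00:02 delivery 1: success: 203.0.113.7_accepted_message./Remote_host_said:_250_ok/
10-31 09:01:10 info msg 1002: bytes 2310 from <carol@example.org> qp 4002 uid 89
10-31 09:01:10 starting delivery 2: msg 1002 to remote a1@example.com
10-31 09:01:10 starting delivery 3: msg 1002 to remote a2@example.com
10-31 09:01:10 starting delivery 4: msg 1002 to remote a3@example.com
10-31 09:01:11 delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
10-31 09:01:11 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
10-31 09:01:12 delivery 4: deferral: Connected_to_198.51.100.9_but_greeting_failed./
11-01 00:00:05 info msg 1003: bytes 400 from <alice@example.org> qp 4003 uid 89
"""

LINE_RE = re.compile(r"^(?P<day>\d\d-\d\d) \S+ (?P<rest>.*)$")
INFO_RE = re.compile(r"^info msg (?P<msg>\d+): bytes \d+ from <(?P<sender>[^>]*)> qp \d+ uid \d+$")
START_RE = re.compile(r"^starting delivery (?P<dlv>\d+): msg (?P<msg>\d+) to (?:local|remote) (?P<rcpt>\S+)$")
RESULT_RE = re.compile(r"^delivery (?P<dlv>\d+): (?P<result>success|failure|deferral): ")


def summarize(log_text, day):
    """Per-envelope-sender counts for one MM-DD day: messages, recipients
    tried, delivery failures, and the largest recipient list on one message."""
    msg_sender = {}            # msg id -> envelope sender (from the "info msg" line)
    dlv_msg = {}               # delivery id -> msg id (from "starting delivery")
    msg_rcpts = defaultdict(int)
    stats = defaultdict(lambda: {"msgs": 0, "recipients": 0,
                                 "failures": 0, "max_rcpts_per_msg": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("day") != day:
            continue                      # same day filter as "grep ^MM-DD"
        rest = m.group("rest")
        if (i := INFO_RE.match(rest)):
            msg_sender[i.group("msg")] = i.group("sender")
            stats[i.group("sender")]["msgs"] += 1
        elif (s := START_RE.match(rest)):
            dlv_msg[s.group("dlv")] = s.group("msg")
            msg_rcpts[s.group("msg")] += 1
            st = stats[msg_sender.get(s.group("msg"), "?")]
            st["recipients"] += 1
            st["max_rcpts_per_msg"] = max(st["max_rcpts_per_msg"],
                                          msg_rcpts[s.group("msg")])
        elif (r := RESULT_RE.match(rest)) and r.group("result") == "failure":
            sender = msg_sender.get(dlv_msg.get(r.group("dlv")), "?")
            stats[sender]["failures"] += 1
    return dict(stats)


def total_failures(stats):
    """The same number Dan's script gets from grep 'failure:' | wc -l."""
    return sum(st["failures"] for st in stats.values())


def suspects(stats, max_failures=100, max_rcpts=20):
    """Senders over the thresholds from the thread: more than 100 failures in
    a day, or a single message fanned out to 20 or so recipients."""
    return sorted(s for s, st in stats.items()
                  if st["failures"] > max_failures
                  or st["max_rcpts_per_msg"] >= max_rcpts)


if __name__ == "__main__":
    day_stats = summarize(SAMPLE_LOG, "10-31")
    print(f"failures so far on 10-31: {total_failures(day_stats)}")
    # Low thresholds here only so the tiny sample produces a hit.
    for sender in suspects(day_stats, max_failures=1, max_rcpts=3):
        print(f"suspect {sender}: {day_stats[sender]}")
```

Run it over the file step 3 produces (qmlog send | grep ^MM-DD) instead of SAMPLE_LOG to get the per-sender view step 4 asks mtrack for.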
RE: [qmailtoaster] plague caused by virus
[snip]
> I hope this points you in the right direction...

Actually I am more interested in blocking out the virus, the root of the problem.

regards
nic
Re: [qmailtoaster] plague caused by virus
On 11/04/2013 04:37 PM, Nicholas Chua wrote:
> [snip]
>> I hope this points you in the right direction...
>
> Actually I am more interested in blocking out the virus, the root of the problem.
>
> regards
> nic

We block lots of virus-prone attachments using entries in /var/qmail/control/simcontrol:
- executables (.exe, .js, .bat, etc.)
- office docs (.doc, .docx, .pdf, etc.)
- archive files (.zip, .rar, .7z, etc.)

If you're seeing emails come in with links that download viruses, you can write SpamAssassin rules to block these, but it quickly becomes a game of whack-a-mole.

Regards,
Brent Gardner
RE: [qmailtoaster] plague caused by virus
[snip]
> We block lots of virus-prone attachments using entries in /var/qmail/control/simcontrol:
> - executables (.exe, .js, .bat, etc.)
> - office docs (.doc, .docx, .pdf, etc.)
> - archive files (.zip, .rar, .7z, etc.)
>
> If you're seeing emails come in with links that download viruses, you can write SpamAssassin rules to block these, but it quickly becomes a game of whack-a-mole.

Most of the viruses are compressed with zip and rar, which I am unable to block as most of the users are sending these files. For spamassassin I am using KAM which is kinda effective. Maybe someone out there has clamav + sophie + simscan running which might strengthen the virus protection part?

Regards
nic
Re: [qmailtoaster] plague caused by virus
Dan,

I'm curious in this script you run every 15 minutes... Is that something you can share?

Thanks,
Denny

From: Dan McAllister q...@it4soho.com
To: qmailtoaster-list@qmailtoaster.com
Sent: Monday, November 4, 2013 5:27 PM
Subject: Re: [qmailtoaster] plague caused by virus

> On 11/4/2013 3:27 PM, Nicholas Chua wrote:
> [snip]
Re: [qmailtoaster] plague caused by virus
On 11/04/2013 04:58 PM, Nicholas Chua wrote:
> [snip]
>
> Most of the viruses are compressed with zip and rar, which I am unable to block as most of the users are sending these files. For spamassassin I am using KAM which is kinda effective. Maybe someone out there has clamav + sophie + simscan running which might strengthen the virus protection part?
>
> Regards
> nic

You might take a look at the SaneSecurity Foxhole signatures for ClamAV:
http://sanesecurity.com/foxhole-databases/

These are designed to hit on any executable in an archive file.

Regards,
Brent Gardner
RE: [qmailtoaster] plague caused by virus
[snip]
> You might take a look at the SaneSecurity Foxhole signatures for ClamAV:
> http://sanesecurity.com/foxhole-databases/

Looks promising. I had checked out clamav-unofficial-sigs.conf but the foxhole database is not included, is it?

Regards
nic